The Application Control page is used to administer the filter's application firewall. This feature works similarly to the standard Firewall, except that it can identify specific applications, protocols, and domains via deep packet inspection. For example, it can detect HTTP traffic on non-standard ports, and can distinguish between multiple protocols using the same port.
The application firewall also (by default) extends the functionality of Automatic Blacklists to transparently intercepted traffic on non-HTTP(S) ports. For instance, if a client is subject to the Chat blacklist, all traffic referencing the domain skype.com will be blocked, not just Web traffic. Uncheck Apply group blacklists to non-Web traffic if you would like to disable this feature. You can also exempt traffic to certain subnets from having this feature applied via the Destination-Based Exceptions table on the Web Filtering page.
Firewall rules are matched from top to bottom (like the Firewall page) and may be applied to both subnets and groups. Rule conditions work like those described in the Bandwidth Control section below, except that instead of defining a Priority one defines an Action: either Ignore or Block. Note that Block is only available for Domain and Application conditions; to block other traffic, please use the standard Firewall.
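The following Python model of top-to-bottom matching is an added example, not the product's own code or configuration format. It shows why an Ignore rule must sit above a broader Block rule to act as an exception. The `Rule` and `Flow` types, the lowercase condition labels, subdomain matching, and the reading of Ignore as "stop here and do not block" are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Per the text above, Block is valid only for Domain and Application conditions.
BLOCKABLE = {"domain", "application"}

@dataclass
class Rule:  # hypothetical representation of one row in the rule table
    action: str                    # "Ignore" or "Block"
    kind: str                      # "domain", "application" or "port" (assumed labels)
    value: str
    subnet: Optional[str] = None   # source subnet in CIDR form; None means any
    group: Optional[str] = None    # filter group name; None means any

    def __post_init__(self):
        if self.action not in ("Ignore", "Block"):
            raise ValueError(f"unknown action {self.action!r}")
        if self.action == "Block" and self.kind not in BLOCKABLE:
            raise ValueError("Block requires a Domain or Application condition")

@dataclass
class Flow:  # constructed stand-in for a flow already classified by inspection
    src: str
    group: str
    domain: str = ""
    application: str = ""
    port: int = 0

def matches(rule, flow):
    if rule.subnet and ipaddress.ip_address(flow.src) not in ipaddress.ip_network(rule.subnet):
        return False
    if rule.group and rule.group != flow.group:
        return False
    if rule.kind == "domain":
        # Assumption: a domain condition covers the domain and its subdomains.
        return flow.domain == rule.value or flow.domain.endswith("." + rule.value)
    if rule.kind == "application":
        return flow.application == rule.value
    return str(flow.port) == rule.value

def evaluate(rules, flow):
    """Return the action of the first matching rule, or None if none match."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return None

# Constructed rule table: the subnet exception is listed before the group-wide block.
RULES = [Rule("Ignore", "domain", "skype.com", subnet="10.0.5.0/24"),
         Rule("Block", "domain", "skype.com", group="Students")]
```

Reversing the two rules makes the Block rule win for clients in 10.0.5.0/24 that belong to the Students group, which is the usual cause of an exception that appears to have no effect.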