SANGFOR IAM v2.1 User Manual
Chapter 4 Object
[Object] covers configuration of [Application Ident Rule], [Intelligent Ident Rule], [Server], [IP
Group], [Schedule], [URL Group], [White List Group], [Keyword Group], [File Type Group],
[Ingress Rule] and [SSL Certificate].
4.1. Application Ident Rule
Download software such as BT and eMule consumes a lot of bandwidth, while IM software such as
QQ and MSN, and stock trading software, takes up office hours and lowers working efficiency.
Although most enterprises issue regulations banning staff from using these tools, they cannot
actually prevent their use, because nearly all of these tools are designed to evade general
firewalls.
An application identification rule detects traffic on the basis of protocol, port, direction, data
packet length, data packet content, etc., which helps to identify P2P traffic quite well.
Application identification rules fall into internal rules and user-defined rules. Internal rules
cannot be modified, while user-defined rules can be added, deleted and edited.
To obtain flow information for specific applications, choose the corresponding application type
or application and create a policy in association with the [Service Control] configuration on the
[IAM] > [Access Control Policy] page > [Access Control], and the [Bandwidth Settings]
configuration in [Bandwidth Management].
The SANGFOR IAM gateway device uses patented technology to efficiently block the chat and IM
software mentioned above. Because the data packets of each kind of software have a unique
feature value, when the software communicates with external networks the IAM gateway device
detects the feature contained in the data packets and determines whether the packets should be
blocked. If the data packets contain the configured features, they are not sent or received. In
this way, the software becomes unavailable to LAN users.
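
The matching described above, as an added example that is not SANGFOR code: a hypothetical rule
model (the names Packet, IdentRule and identify are assumptions) that tests protocol, port,
direction, length and content. A BitTorrent handshake sent to port 443 passes a port-only rule
but is identified by its content feature.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    protocol: str    # "tcp" or "udp"
    dst_port: int
    direction: str   # "out" = LAN to WAN, "in" = WAN to LAN
    payload: bytes

@dataclass(frozen=True)
class IdentRule:
    """Hypothetical rule model for illustration; not the IAM rule format."""
    app: str
    protocol: Optional[str] = None
    ports: Optional[Tuple[int, int]] = None    # inclusive destination port range
    direction: Optional[str] = None
    length: Optional[Tuple[int, int]] = None   # inclusive payload length range
    content: Optional[bytes] = None            # bytes expected at `offset`
    offset: int = 0

    def matches(self, p: Packet) -> bool:
        # Every criterion that is set must hold; unset criteria are wildcards.
        if self.protocol is not None and p.protocol != self.protocol:
            return False
        if self.ports is not None and not self.ports[0] <= p.dst_port <= self.ports[1]:
            return False
        if self.direction is not None and p.direction != self.direction:
            return False
        if self.length is not None and not self.length[0] <= len(p.payload) <= self.length[1]:
            return False
        if self.content is not None:
            window = p.payload[self.offset:self.offset + len(self.content)]
            return window == self.content
        return True

def identify(p: Packet, rules) -> Optional[str]:
    """Return the application name of the first matching rule, or None."""
    return next((r.app for r in rules if r.matches(p)), None)

# A BitTorrent peer handshake is 68 bytes and begins with 0x13 "BitTorrent protocol".
BT_PREFIX = b"\x13BitTorrent protocol"
PORT_RULES = [IdentRule("BT", protocol="tcp", ports=(6881, 6889))]
CONTENT_RULES = [IdentRule("BT", protocol="tcp", length=(68, 1460), content=BT_PREFIX)]

# Constructed sample packets: a BT handshake sent to port 443, and a TLS-like record.
bt_on_443 = Packet("tcp", 443, "out", BT_PREFIX + bytes(8) + b"H" * 20 + b"P" * 20)
tls_hello = Packet("tcp", 443, "out", b"\x16\x03\x01\x00\x05hello")
```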