Application rules
Application rules apply block, allow, or continue actions for requests to cloud applications. TLS-encrypted traffic can be decrypted for inspection.
Application rules allow you to create policies that control which cloud applications are sanctioned for use in your organization, and control access to those that are not.
You can create rules that apply to specific cloud applications, define the sources to which the rule applies, and apply a default block or allow action for requests that match the rule.
An application rule consists of the following elements:
- Application: the cloud application or application category to which the rule will apply. Cloud applications are system-defined resources.
- Applies To: defines where traffic must originate for the rule to apply. Sources can include one or more Sites or Source IP Address Lists. By default, the rule applies to traffic from any source to which the policy applies.
- Action: the action applied to matching traffic. Rule actions are:
  - Allow and bypass: allows traffic and bypasses further inspection. Traffic is not decrypted, and no further policy processing stages are applied.
  - Block: blocks matching traffic by terminating the session. No further policy processing is performed.
  - Continue inspection: this action allows matching traffic, and applies all further policy processing stages.
- TLS inspection: defines whether secure traffic that matches this rule is decrypted for inspection:
  - Do not decrypt: secure traffic will not be decrypted. This traffic cannot be inspected.
  - Decrypt: secure traffic will be decrypted for inspection. Decrypted traffic is re-encrypted before being routed to the Internet.
  - Default: the TLS inspection setting is inherited from the Default TLS inspection setting for the policy.
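The following added example (not the product's code, export format, or API) models the rule elements above to audit a rule set for allowed traffic that is never decrypted and therefore never inspected. The `AppRule` model, the action and TLS value strings, the use of CIDR ranges for Source IP Address Lists, and the sample rules are all assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical in-memory model of one application rule (not a product schema).
@dataclass
class AppRule:
    application: str
    action: str            # "allow_bypass" | "block" | "continue"
    tls: str = "default"   # "decrypt" | "no_decrypt" | "default"
    sources: tuple = ()    # CIDR strings; empty means any source (the default)

def applies(rule, app, src_ip):
    """True if the request's application and source match the rule."""
    if rule.application != app:
        return False
    if not rule.sources:   # Applies To left at its default: any source
        return True
    return any(ip_address(src_ip) in ip_network(net) for net in rule.sources)

def outcome(rule, policy_default_tls):
    """Return (verdict, inspected) for TLS traffic matching the rule."""
    if rule.action == "block":
        return ("blocked", False)   # session terminated, no further stages
    if rule.action == "allow_bypass":
        return ("allowed", False)   # not decrypted, no further stages
    # Continue inspection: "default" inherits the policy-level TLS setting.
    tls = policy_default_tls if rule.tls == "default" else rule.tls
    return ("allowed", tls == "decrypt")

def blind_spots(rules, policy_default_tls):
    """Applications whose TLS traffic is allowed without being inspected."""
    return [r.application for r in rules
            if outcome(r, policy_default_tls) == ("allowed", False)]

# Constructed sample rule set; application names are placeholders.
SAMPLE_RULES = [
    AppRule("crm-suite", "allow_bypass"),
    AppRule("file-sharing", "block"),
    AppRule("webmail", "continue", "decrypt", ("10.20.0.0/16",)),
    AppRule("chat", "continue", "no_decrypt"),
    AppRule("video", "continue"),   # inherits the policy default
]

if __name__ == "__main__":
    for default in ("decrypt", "no_decrypt"):
        print(default, "->", blind_spots(SAMPLE_RULES, default))
```

Changing the policy's Default TLS inspection setting changes the result for every rule left at Default, so the audit is worth re-running after any change to that setting.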