H3C SecPath Security Products FAQ(V7)-6W100
Application audit and management FAQ
Q. What is the difference between application audit and application recognition?
A. Based on application recognition (APR), application audit audits and records Internet access behaviors of users by identifying behaviors (for example, login and message sending in IM applications) and behavior objects (for example, account information for IM login).
Both of them use the APR signature library. However, the factory default APR signature library (version 1.0.0) does not support auditing.
After you install the APR license and update the APR signature library to the latest version, you can use application audit.
Q. Should I use interzone block or audit block to block applications?
A. Use audit block to block specific behaviors of applications, and use interzone block to block all behaviors of applications.
Q. What is the defect of audit block?
A. After a WeChat or QQ account logs in, audit block cannot block text or voice messages, because the login flow, text flow, and voice flow belong to the same persistent connection.
Q. What are the two match modes for audit rules?
A. The following rule match modes are available:
· In-order: The device compares packets with audit rules in ascending order of rule ID. When a packet matches a rule, the device stops the match process and performs the action defined in the rule.
· All: The device compares packets with audit rules in ascending order of rule ID. If a packet matches a rule with the permit action, all subsequent rules continue to be matched. If a packet matches a rule with the deny action, the device stops the match process and performs the deny action. The device takes the action with higher priority on matching packets. The deny action has higher priority than the permit action.
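The following Python model of the two match modes is an added example, not H3C code or device configuration. It shows how a broad permit rule with a lower ID shadows a later deny rule in in-order mode but not in all mode. The rule fields (`app`, `behavior`), the `*` wildcard, and the sample rule set are constructed assumptions, and the `None` result for traffic that matches no rule is a modeling choice because the FAQ does not describe that case.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditRule:
    rule_id: int
    app: str       # application name; "*" matches any (assumed field)
    behavior: str  # behavior name; "*" matches any (assumed field)
    action: str    # "permit" or "deny"

    def matches(self, app, behavior):
        return self.app in ("*", app) and self.behavior in ("*", behavior)


def evaluate(rules, app, behavior, mode):
    """Return (final_action, matched_rule_ids); final_action is None if no rule matched."""
    if mode not in ("in-order", "all"):
        raise ValueError("mode must be 'in-order' or 'all'")
    matched, final = [], None
    # Both modes compare against rules in ascending order of rule ID.
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if not rule.matches(app, behavior):
            continue
        matched.append(rule.rule_id)
        if mode == "in-order":
            # First match wins: stop and apply that rule's action.
            return rule.action, matched
        if rule.action == "deny":
            # All mode: a deny match stops matching, and deny outranks permit.
            return "deny", matched
        final = "permit"  # All mode: a permit match keeps matching later rules.
    return final, matched


# Constructed rule set: a broad permit placed ahead of a specific deny.
RULES = [
    AuditRule(1, "IM", "*", "permit"),
    AuditRule(2, "IM", "send-file", "deny"),
    AuditRule(3, "*", "login", "permit"),
]

if __name__ == "__main__":
    for mode in ("in-order", "all"):
        for behavior in ("send-file", "login"):
            print(mode, behavior, evaluate(RULES, "IM", behavior, mode))
```

With this rule set, an IM file transfer is permitted in in-order mode because rule 1 matches first, and denied in all mode because matching continues to rule 2.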
Q. How many keyword groups can be specified for an audit rule?
A. A maximum of 64 keyword groups can be specified for an audit rule.