Applications
What Are Applications?
Applications are the first consideration when Shield applies policy to a connection. They allow Rules to determine the source of the data and apply the correct behavior.
The Applications page in the Admin Console lists all defined applications and basic details about each one.
Application Components
Each Application consists of the following:
-
Name (required)
A unique identifier used in rule creation and displayed in activity logs. -
Description (optional)
Free-form text to provide context, documentation, or notes for future reference. -
Definitions (required, one or more)
Rules that determine how Shield recognizes the application from the traffic.
Creating a New Application
To define a new application:
- Click Add New Application in the upper-right corner.
- In the slide-out panel, enter the Name and optional Description.
- Add one or more Definitions by clicking on the
Addbutton below the Definitions table. See below for definition details. - Click Save to finalize the application.
Editing or Deleting an Application
To Edit:
- Hover over the application name.
- Click the three-dot menu and choose Edit.
- Modify values as needed and click Save.
- Individual Definitions can be edited using their own three-dot menu.
To Delete:
- Hover over the application name.
- Click the three-dot menu and choose Delete.
Application Definitions
To identify which application a connection belongs to, Shield analyzes the browser request URL. Each definition type targets a specific part of the URL.
Available Definition Types
| Type | Description |
|---|---|
| Domain | Matches the domain portion of the URL. E.g., "company.com" matches both https://www.company.com and https://app.company.com. |
| Hostname | Matches the full hostname. E.g., "app.company.com" matches https://app.company.com but not https://www.company.com. |
| Full URL | Matches the entire URL. Full URL is unlikely to be useful by itself, but can be used to fine tune an Application Definition using the advanced settings (see below) |
| Path | Matches folders or subfolders in the URL. |
| Query String | Matches anything after a ? in the URL. |
| Object Part | Matches the object being requested, regardless of host or path. |
| Regex | Allows full use of regular expressions to allow for very fine grained control over URL matching. |
Wildcard Usage in Definitions
All definition types support the use of wildcards (*) for flexible matching.
Examples
-
Domain:
"*company.com"matcheswww.company.com,www.my-company.com,www.your-company.com. -
Hostname:
"server*.company.com"matchesserver1.company.comandserver2.company.com, but notwww.company.com. -
Object:
"*.jpg"can be used to exclude images (when used with bypass). -
Query String:
"data="matches any URL query that includesdata=, regardless of what follows.
Advanced Options
By default, each Definition is a matching rule. Advanced Settings can be used to change this to bypass, or add fine-grained control to exactly which transactions will be affected.
-
Behavior:
AMatchrule means that policy will be applied to these Definitions. ABypassrule means that policy will not be applied.- Example: a domain match definition for
company.comcould be combined with a hostname bypass definition forblog.company.comto avoid applying rules to the blog section of an App.
- Example: a domain match definition for
-
Method:
Used to restrict which HTTP Methods will be matched or bypassed. Select as many as needed. Selecting none will match all methods. -
Content Type:
Used to restrict the filter to requests with a specific Content-Type header. Runningcontent type detection, Shield will attempt to infer the content type dynamically based on the payload itself, even if theContent-Typeheader is incorrect or missing.- Example: if a server sends a JSON payload but uses
Content-Type: text/html, enabling this option allows the filter to still detect and match it correctly.
- Example: if a server sends a JSON payload but uses
Advanced Settings Summary
| Field | Type | Description |
|---|---|---|
| Behaviour | Enum (Match, Bypass) |
Defines whether this is a matching or exclusion rule |
| Method | Multi-select (HTTP verbs) | Filters requests based on HTTP method |
| Content Type | Multi-select (MIME types) | Filters requests based on Content-Type header |
| Run Content-Type Detection | Checkbox | Dynamically detect actual content type, useful when headers are wrong or missing |
Summary
Applications serve as the first layer of policy evaluation. By accurately identifying the application associated with a connection, Shield ensures that the correct masking or access rules are applied.