Application control
Using the application control Security Profile feature, your FortiGate unit can detect and take action against network traffic depending on the application generating the traffic. Based on FortiGate Intrusion Protection protocol decoders, application control is a user-friendly and powerful way to use Intrusion Protection features to log and manage the behavior of application traffic passing through the FortiGate unit. Application control uses IPS protocol decoders that can analyze network traffic to detect application traffic even if the traffic uses non-standard ports or protocols.
The FortiGate unit can recognize the network traffic generated by a large number of applications. You can create application control sensors that specify the action to take with the traffic of the applications you need to manage and the network on which they are active, and then add application control sensors to the firewall policies that control the network traffic you need to monitor.
Fortinet is constantly increasing the list of applications that application control can detect by adding applications to the FortiGuard Application Control Database. Because intrusion protection protocol decoders are used for application control, the application control database is part of the FortiGuard Intrusion Protection System Database and both of these databases have the same version number.
You can find the version of the application control database that is installed on your unit by going to the License Information dashboard widget and finding the IPS Definitions version.
You can go to the FortiGuard Application Control List to see the complete list of applications supported by FortiGuard. This web page lists all of the supported applications. You can select any application name to see details about the application.
If you enable virtual domains (VDOMs) on the Fortinet unit, you need to configure application control separately for each virtual domain.
The following topics are included in this section:
- Application control concepts
- Application considerations
- Application traffic shaping
- Application control monitor
- Enable application control
- Application control examples
Application control concepts
You can control network traffic generally by the source or destination address, or by the port, the quantity or similar attributes of the traffic itself in the security policy. If you want to control the flow of traffic from a specific application, these methods may not be sufficient to precisely define the traffic. To address this problem, the application control feature examines the traffic itself for signatures unique to the application generating it. Application control does not require knowledge of any server addresses or ports. The FortiGate unit includes signatures for over 1000 applications, services, and protocols.
Updated and new application signatures are delivered to your FortiGate unit as part of your FortiGuard Application Control Service subscription. Fortinet is constantly increasing the number of applications that application control can detect by adding applications to the FortiGuard Application Control Database. Because intrusion protection protocol decoders are used for application control, the application control database is part of the FortiGuard Intrusion Protection System Database and both of these databases have the same version number.
To view the version of the application control database installed on your FortiGate unit, go to the License Information dashboard widget and find the IPS Definitions version.
To see the complete list of applications supported by FortiGuard Application Control go to the FortiGuard Application Control List. This web page lists all of the supported applications. You can select any application name to see details about the application.
Application considerations
Some applications behave differently from most others. You should be aware of these differences before using application control to regulate their use.
Automatically allowing basic applications
A common practice is to block applications by category, because the alternative is to list each application individually. While listing the applications individually gives a great deal of granularity, it makes it easy to miss some of them. On the other hand, blocking by category has the drawback of blocking some traffic that was not intended to be blocked.
There are a number of basic applications that you may want to be allowed by default. DNS is one example: if you were to block the Network Services category, you would end up blocking your web browsing, unless your users are members of a very limited group that do their web browsing by using IP addresses instead of URLs. Without DNS, the systems will not be able to resolve URLs into IP addresses.
Using a set of options in the CLI, the FortiGate unit can be configured to automatically allow the following types of traffic, regardless of whether or not their category is blocked:
- DNS
- ICMP
- Generic HTTP Web browsing
- Generic SSL communications
Syntax
    config application list
        edit appcontrol
            set options allow-dns allow-icmp allow-http allow-ssl
        end
As the example indicates, DNS is vitally important to many other types of traffic, so it is allowed by default; the other settings must be specifically enabled.
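The following is an added example, not taken from the handbook: it shows the allow options above inside a complete application control sensor that blocks one category, and then attaches that sensor to a firewall policy so that it actually takes effect. The sensor name "block-netsvc", the placeholder category ID and the placeholder policy ID are constructed for this example and must be replaced with values from your own unit; the `config entries`, `set category`, `set action`, `set log`, `set utm-status`, `set profile-protocol-options` and `set application-list` keywords are assumed to follow the FortiOS 5.0 CLI. Lines beginning with # are explanatory and are not typed into the CLI.

```text
# Sensor that blocks a whole application category but keeps the basic
# services (DNS, ICMP, generic HTTP, generic SSL) reachable, so that
# blocking the category does not also break name resolution or browsing.
config application list
    edit "block-netsvc"
        set options allow-dns allow-icmp allow-http allow-ssl
        config entries
            edit 1
                # <category-id>: placeholder, look up the numeric ID of the
                # category you want to block on your unit
                set category <category-id>
                set action block
                # log matches so blocked applications show up in the logs
                set log enable
            next
        end
    next
end

# A sensor does nothing until it is referenced by a firewall policy.
config firewall policy
    edit <policy-id>
        set utm-status enable
        set profile-protocol-options "default"
        set application-list "block-netsvc"
    next
end
```

Because `allow-dns` is already on by default, the practical effect of the `set options` line is to add ICMP, generic HTTP and generic SSL to the always-allowed set; everything else in the blocked category is dropped and logged.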
IM applications
The application control function for a number of IM applications is not in the web-based manager but in the CLI of the FortiGate unit. These applications are:
- AIM
- ICQ
- MSN
- Yahoo
These applications are controlled by either permitting or denying users from logging in to the service. Individual IM accounts are configured as permitted or denied, and a global policy, set per application, determines the action taken for unknown users and whether to add them to the black list or the white list.
The configuration details for these settings can be found in the CLI Reference guide under the heading of imp2p.
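As an added illustration of the two-level scheme described above (it is not an example from the handbook or from the CLI Reference), the following block permits one MSN account, denies another, and sets the global policy that applies to users not listed for each of the four services. The account names are constructed placeholders, and the `config imp2p msn-user`, `set action`, `config imp2p policy` and per-service `set aim|icq|msn|yahoo` keywords are assumed to match the imp2p commands of FortiOS 4.x/5.0; confirm them against the CLI Reference for your firmware version. Lines beginning with # are explanatory and are not typed into the CLI.

```text
# Per-account decisions: known users are explicitly permitted or denied.
config imp2p msn-user
    edit "alice@example.com"
        set action permit
    next
    edit "bob@example.com"
        set action deny
    next
end

# Global policy for users that have no per-account entry. "deny" blocks
# unknown users from logging in and adds them to the black list; "allow"
# lets them log in and adds them to the white list.
config imp2p policy
    set aim deny
    set icq deny
    set msn deny
    set yahoo deny
end
```

The same `<service>-user` tables exist for AIM (`aim-user`), ICQ (`icq-user`) and Yahoo (`yahoo-user`), so the per-account part is repeated for each service you need to control; the global policy covers all four in one place.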
Skype
Based on the NAT firewall type, Skype takes advantage of several NAT firewall traversal methods, such as STUN (Simple Traversal of UDP through NAT), ICE (Interactive Connectivity Establishment) and TURN (Traversal Using Relay NAT), to make the connection.
The Skype client may try to log in with either UDP or TCP, on different ports, especially well-known service ports, such as HTTP (80) and HTTPS (443), because these ports are normally allowed in firewall settings. A client who has previously logged in successfully could start with the known good approach, then fall back on another approach if the known one fails.
The Skype client could also employ Connection Relay. This means if a reachable host is already connected to the Skype network, other clients can connect through this host. This makes any connected host not only a client but also a relay server.