FortiOS 6 – Application Control

Enabling application control in profile-based modes

Application control examines your network traffic for traffic generated by the applications you want it to control. The configuration steps outlined below are for FortiGates operating in proxy-based inspection, or in flow-based inspection with profile-based NGFW mode. For FortiGates operating in NGFW policy-based mode, see Enabling application control in NGFW policy-based mode.

General configuration steps

Follow the configuration procedures in the order given. Also, note that if you perform any additional actions between procedures, your configuration may have different results.

  1. Create an application sensor.
  2. Configure the sensor to include the signatures for the application traffic you want the FortiGate unit to detect.
  3. Enable any other applicable options.
  4. Enable application control in a security policy and select the application sensor.

Creating an application sensor

You need to create an application sensor before you can enable application control.


To create an application sensor

  1. Go to Security Profiles > Application Control.
  2. Select the Create New icon in the title bar of the Edit Application Sensor
  3. In the Name field, enter the name of the new application sensor.
  4. Optionally, enter descriptive Comments.

Adding applications to an application sensor

Once you have created an application sensor, you need to define the applications that you want to control. You can add applications and filters using categories, application overrides, and/or filter overrides. Categories let you choose groups of signatures based on a category type. Application overrides let you choose individual applications. Filter overrides let you select groups of applications and override the application signature settings for them.

To add a category of signatures to the sensor

  1. Go to Security Profiles > Application Control.
  2. Under Categories, you may select from the following:
    • Business
    • Cloud.IT
    • Collaboration
    • Email
    • Game
    • Interest
    • Industrial
    • Mobile
    • Network.Service
    • P2P
    • Proxy
    • Access
    • Social.Media
    • Storage.Backup
    • Update
    • Video/Audio
    • VoIP
    • Web.Client
    • Unknown Applications

When selecting the category that you intend to work with, left-click the icon next to the category name to open a drop-down menu that includes these actions:

  • Allow
  • Monitor
  • Block
  • Quarantine
  • View Signatures

These actions are briefly defined under Application control actions below.

  3. If you wish to add individual applications, select Add Signatures under Application Overrides.
    1. Use the Add Filter search field to narrow down the list of possible signatures by a series of attributes.
    2. When finished, select Use Selected Signatures.
  4. If you wish to add advanced filters, select Add Filter under Filter Overrides.
    1. Use the Add Filter search field to narrow down the list of possible filters by a series of attributes.
    2. When finished, select Use Filters.
  5. Select, if applicable, from the following options:
    • Allow and Log DNS Traffic
    • Replacement Messages for HTTP-based Applications
  6. Select OK.

Applying the application sensor to a security policy

An application sensor directs the FortiGate unit to scan network traffic only when it is selected in a security policy. When an application sensor is selected in a security policy, its settings are applied to all the traffic the security policy handles.

To select the application sensor in a security policy — GUI

  1. Go to Policy & Objects > IPv4 Policy.
  2. Select a policy.
  3. Click the Edit
  4. Under the heading Security Profiles, toggle the button next to Application Control to enable the feature.
  5. In the drop-down menu next to Application Control, select the application sensor you wish to apply to the policy.
  6. Select OK.
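As an added example (not from the original page or Fortinet's documentation), the CLI equivalent of the four configuration steps above: one sensor that blocks and quarantines P2P, monitors Proxy traffic, allows everything else with logging, and is then bound to a firewall policy. The sensor name and policy ID are chosen for the example, and the category IDs (2 = P2P, 6 = Proxy) are assumptions; typing `set category ?` inside an entry lists the IDs on your own unit.

```fortios
# Step 1-3: create the sensor and its entries (constructed example)
config application list
    edit "app-sensor-example"
        set comment "Block/quarantine P2P, monitor Proxy, allow and log the rest"
        # show the replacement message to blocked users (the default)
        set app-replacemsg enable
        config entries
            # Quarantine action: block plus attacker quarantine, 5 minutes (the default)
            edit 1
                set category 2
                set action block
                set log enable
                set quarantine attacker
                set quarantine-expiry 5m
                set quarantine-log enable
            next
            # Monitor action: pass the traffic but log it for analysis
            edit 2
                set category 6
                set action pass
                set log enable
            next
            # No category or application set: this entry matches all remaining traffic
            edit 3
                set action pass
                set log enable
            next
        end
    next
end

# Step 4: enable the sensor in the security policy (policy ID assumed)
config firewall policy
    edit 1
        set utm-status enable
        set application-list "app-sensor-example"
        set logtraffic all
    next
end
```

Entries are evaluated in order, so the catch-all entry must stay last; with certificate inspection rather than deep inspection on the policy, blocked SSL sessions get no replacement message (see Messages in response to blocked applications below).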

Creating a new custom application signature

If you have to deal with an application that is not already in the Application List, you have the option to create a new application signature.

  1. Go to Security Profiles > Application Control.
  2. Select the link in the upper right corner, [View Application Signatures]
  3. Select the Create New icon
  4. Give the new signature a name (no spaces) in the Name
  5. Enter a brief description in the Comments field
  6. Enter the text for the signature in the signature field. Use the rules found under Custom IPS signature to determine syntax.
  7. Select

Application control actions

Messages in response to blocked applications

Once an Application Control sensor has been configured to block a specified application and applied to a policy, it is inevitable that at some point an application will get blocked, even if only to test that the control works. When this happens, the sensor can be set either to display a message to the offending user or to block silently without any notification. The default is to display a message. This is configured in the CLI:

config application list
    edit <name of the sensor>
        set app-replacemsg {enable | disable}
    end

When blocking applications, there is no replacement message for SSL traffic with certificate inspection applied.

When SSL deep inspection is enabled, whether a replacement message appears depends on the protocol. For example, with HTTP/2 the block takes place during the SSL key exchange, once the first server packet is delivered, so a replacement message cannot be displayed.

P2P application detection

P2P software tends to be evasive. You may be able to enhance P2P application detection by matching patterns found in the most recent three minutes of P2P traffic to determine if new traffic is P2P. Three minutes is the length of time information about matched P2P traffic remains in shared memory.

For example, the CLI commands below will result in the Intrusion Prevention System (IPS) looking for patterns formed by Skype traffic.

config application list
    edit <app_list_str>
        set p2p-black-list skype
    next
end

Application control actions

Allow

This action allows the targeted traffic to continue through the FortiGate unit.


Monitor

This action allows the targeted traffic to continue through the FortiGate unit but logs the traffic for analysis.

Block

This action prevents all traffic from reaching the application and logs all occurrences.

Quarantine

This action allows you to quarantine or block access to an application for a specified duration that can be entered in days, hours, and minutes. The default is 5 minutes.

View Signatures

This option brings up a window that displays a list of the signatures with the following columns:

  • Name
  • Category
  • Technology – Technology is broken down into 3 technology models, plus the more basic Network-Protocol, which can be used as a catch-all for anything not covered by the more narrowly defined technologies of:
    • Browser-Based
    • Client-Server
    • Peer-to-Peer
  • Popularity – Popularity is broken down into 5 levels, represented by stars.
  • Risk – The Risk property does not indicate the level of risk but the type of impact that is likely to occur by allowing traffic from that application.

Traffic Shaping

Prior to the release of FortiOS 5.4.0, application control traffic shaping was configured in the Security Profiles > Application Control interface. There is now a specific section for traffic shaping policies in Policy & Objects > Traffic Shaping Policy. See Traffic shaping methods in the chapter on Traffic Shaping for details.

2 thoughts on “FortiOS 6 – Application Control”

  1. Paweł

    How to effectively block access to the internet, but allow access to Windows updates?
    This solution: “…configuring application control to allow only automatic software updates to access the Internet.” – DOESN'T WORK – Microsoft needs HTTPS Browser allowed to get updates, but then you can launch any website 🙂

  2. Huey

    Hi Mike,

    If I set a category to monitor, what extra information do I get? Where is the additional information/analysis stored? Does it get stored on the FAZ if I am logging to FAZ? So many questions about the “Monitor” setting…

