FortiOS 6 – Application Control

Application control examples

The scenarios below provide a better understanding of how to implement Application Control and give some ideas as to why it would be used.

  - Blocking instant messaging
  - Allowing only software updates
  - Blocking Windows XP with a custom signature

Blocking instant messaging

Instant messaging use is not permitted at the Example Corporation. Application control helps enforce this policy.

The configuration steps outlined below are for FortiGates operating in proxy-based inspection, and in flow-based inspection with profile-based NGFW mode. For FortiGates operating in NGFW policy-based mode, see Enabling application control in NGFW policy-based mode.

Steps in this process

  1. First you will create an application sensor with a single entry that monitors the category that includes instant messaging applications. You will set the list action to Monitor.
  2. Next you will assign the sensor to a policy.
  3. Then you will identify the IM applications being used on your network and modify the application sensor to Block those messaging applications.

To create the application sensor

  1. Go to Security Profiles > Application Control.
  2. Select the Create New icon in the title bar of the Edit Application Sensor window.
  3. In the Name field, enter no_IM for the application sensor name.
  4. If the Collaboration category is not already set to Monitor, then left-click on the icon next to that category and select Monitor from the dropdown menu.
  5. Select OK to save the new sensor.

To enable application control and select the application sensor

  1. Go to Policy & Objects > IPv4 Policy.
  2. Select the security policy that allows the network users to access the Internet and choose Edit.
  3. Under the heading Security Profiles toggle the button next to Application Control to turn it on.
  4. In the drop down menu field next to the Application Control select the no_IM application sensor.
  5. To inspect all traffic, SSL/SSH Inspection must be set to deep-inspection.
  6. Select OK.

To identify IM applications in use on your network

  1. Go to FortiView > Applications.
  2. Select a time period from the options in the upper-right corner of the window and examine the list of applications.
  3. Identify any IM applications you wish to block.
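The FortiView step above depends on the Monitor action having written application-control log entries. As an added example (not part of the original page or of Fortinet's own tooling), the Python script below parses a few constructed FortiGate log lines in the unit's key=value style and lists the Collaboration applications that were passed, with the hosts that used them; that list is exactly what you would turn into Block overrides in the next procedure. The field names (subtype, appcat, app, action, srcip) follow the FortiGate log layout; every address, timestamp and session in SAMPLE_LOGS is invented.

```python
import re
from collections import defaultdict

# Constructed FortiGate application-control log lines in the key=value style the
# unit writes; every address, host and timestamp here is invented for the example.
SAMPLE_LOGS = [
    'date=2019-01-10 time=09:01:12 type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" '
    'level="information" srcip=10.0.1.15 dstip=203.0.113.7 appcat="Collaboration" '
    'app="Skype" action="pass" msg="Collaboration: Skype"',
    'date=2019-01-10 time=09:02:40 type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" '
    'level="information" srcip=10.0.1.22 dstip=203.0.113.9 appcat="Collaboration" '
    'app="Skype" action="pass" msg="Collaboration: Skype"',
    'date=2019-01-10 time=09:03:05 type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" '
    'level="information" srcip=10.0.1.15 dstip=198.51.100.4 appcat="Collaboration" '
    'app="Slack" action="pass" msg="Collaboration: Slack"',
    'date=2019-01-10 time=09:04:51 type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" '
    'level="information" srcip=10.0.1.31 dstip=198.51.100.20 appcat="Web.Client" '
    'app="HTTP.BROWSER_Firefox" action="pass" msg="Web.Client: HTTP.BROWSER_Firefox"',
    'date=2019-01-10 time=09:05:13 type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" '
    'level="warning" srcip=10.0.1.40 dstip=203.0.113.7 appcat="Collaboration" '
    'app="Skype" action="block" msg="Collaboration: Skype"',
    'date=2019-01-10 time=09:06:00 type="traffic" subtype="forward" level="notice" '
    'srcip=10.0.1.15 dstip=203.0.113.7 action="accept"',
]

# key=value pairs; values are either double-quoted (and may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line):
    """Turn one FortiGate log line into a dict, stripping the quotes from values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def monitored_apps(lines, category="Collaboration"):
    """Applications seen in `category` with action=pass (the GUI's Monitor action),
    with a session count and the source hosts that used them.

    Sessions that were already blocked are left out: they need no new override."""
    seen = defaultdict(lambda: {"sessions": 0, "hosts": set()})
    for line in lines:
        f = parse_log_line(line)
        if f.get("subtype") != "app-ctrl":
            continue  # traffic, event and other UTM logs carry no application verdict
        if f.get("appcat") != category or f.get("action") != "pass":
            continue
        entry = seen[f["app"]]
        entry["sessions"] += 1
        entry["hosts"].add(f["srcip"])
    return {app: {"sessions": e["sessions"], "hosts": sorted(e["hosts"])}
            for app, e in sorted(seen.items())}


if __name__ == "__main__":
    for app, info in monitored_apps(SAMPLE_LOGS).items():
        print(f'{app}: {info["sessions"]} session(s) from {", ".join(info["hosts"])}')
```

Run against a real export, the same function works on any log file read line by line; passing a different `category` reports what the Monitor action saw in other categories as well.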

To block IM applications in use on your network

  1. Go to Security Profiles > Application Control and edit the no_IM application sensor.
  2. Under Application Overrides, click on Add Signatures.
  3. Filter by Name and select the IM applications you wish to block.
  4. Click on Use Selected Signatures.

The selected applications will appear under Application Overrides and the action will be set to Block.

  5. Select Apply.


The IM applications identified will be blocked by the security policy that has the no_IM application sensor applied to it. If other firewall policies handle traffic that users could use for applications in the same category, enable application control with the no_IM application sensor for those policies as well.

Allowing only software updates

Some departments at Example Corporation do not require access to the Internet to perform their duties. Management therefore decided to block their Internet access. Software updates quickly became an issue because automatic updates will not function without Internet access, and manual application of updates is time-consuming.

The solution is configuring application control to allow only automatic software updates to access the Internet.

The configuration steps outlined below are for FortiGates operating in proxy-based inspection, and in flow-based inspection with profile-based NGFW mode. For FortiGates operating in NGFW policy-based mode, see Enabling application control in NGFW policy-based mode.

To create an application sensor — GUI

  1. Go to Security Profiles > Application Control.
  2. Select the Create New icon in the title bar of the Edit Application Sensor window.
  3. In the Name field, enter Updates_Only as the application sensor name.
  4. Using the left-click dropdown on the items in the Category list:
    1. Select Monitor from the dropdown menu for the Update category.
    2. Select Block for the rest of the categories.
  5. Select OK.

To create an application sensor — CLI

config application list
    edit Updates_Only
        config entries
            edit 1
                set category 17
                set action pass
        end
        set other-application-action block
        set unknown-application-action block
end

You will notice that there are some differences in the naming convention between the GUI and the CLI. For instance, the action in the CLI is “pass” while the same action in the GUI is “Monitor”.

Selecting the application sensor in a security policy

An application sensor directs the FortiGate unit to scan network traffic only when it is selected in a security policy. When an application sensor is selected in a security policy, its settings are applied to all the traffic the security policy handles.


To select the application sensor in a security policy — GUI

  1. Go to Policy & Objects > IPv4 Policy.
  2. Select a policy.
  3. Select Edit.
  4. Under the heading Security Profiles toggle the button next to Application Control to turn it on.
  5. In the drop down menu field next to Application Control select the Updates_Only application sensor.
  6. Select OK.

To select the application sensor in a security policy — CLI

config firewall policy
    edit 1
        set utm-status enable
        set profile-protocol-options default
        set application-list Updates_Only
end

Traffic handled by the security policy you modified will be scanned for application traffic. Software updates are permitted and all other application traffic is blocked.

Blocking Windows XP with a custom signature

In this example, you will use application control to block web traffic from PCs running Windows NT 5.x operating systems, including Windows XP and Windows Server 2003 (this includes Windows virtual machines).

When a computer’s operating system lacks vendor support, it becomes a threat to the network because newly discovered exploits will not be patched. Using the FortiGate application control feature, you can restrict these computers from accessing external resources.

This example will only block web traffic from computers running the affected operating systems. If you wish to block these computers from being on the network entirely, further action will be necessary. However, the logs generated can be used to identify the computers you wish to block.

  1. Go to System > Feature Select. Enable Application Control and Apply your changes.
  2. Go to Security Profiles > Application Control and select View Application Signatures.
  3. Create a new signature with the syntax below. You can copy and paste the text into the Signature field. Name the signature Block-Windows-NT5.

F-SBID(--attack_id 8055; --vuln_id 8055; --name "Windows.NT.5.Web.Surfing"; --flow from_client; --pattern !"FCT"; --pattern "Windows NT 5."; --no_case; --context header; --weight 40; --service HTTP; --protocol tcp; --app_cat 25; --default_action drop_session;)

If you do not include keyword/value pairs for --attack_id or --vuln_id in the signature, the FortiGate will automatically assign values.

The signature will appear at the top of the application list and be listed in the Web.Client category.
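To make the signature's logic visible before it is applied, here is an added Python example (not part of the original page, and not Fortinet's IPS engine) that parses the custom signature into its option/value pairs and replays its matching rules over constructed HTTP request headers. Two simplifications are assumptions of this example rather than documented FortiGate behaviour: --no_case is taken to modify the --pattern immediately before it, and --context header is taken to mean that only the request header block, not the body, is searched. All hosts and User-Agent strings are invented.

```python
import re

# The custom signature from the page, written with the "--" option prefix.
SIGNATURE = (
    'F-SBID(--attack_id 8055; --vuln_id 8055; --name "Windows.NT.5.Web.Surfing"; '
    '--flow from_client; --pattern !"FCT"; --pattern "Windows NT 5."; --no_case; '
    '--context header; --weight 40; --service HTTP; --protocol tcp; --app_cat 25; '
    '--default_action drop_session;)'
)

# One option: "--keyword", an optional value (a quoted string, optionally negated
# with "!", or a bare token), then the ";" terminator.
OPTION_RE = re.compile(r'--(\w+)(?:\s+(!?"[^"]*"|[^;\s]+))?\s*;')


def parse_signature(sig):
    """Return the signature's options as an ordered list of (keyword, raw_value)."""
    body = sig.strip()
    if not (body.startswith("F-SBID(") and body.endswith(")")):
        raise ValueError("not an F-SBID signature")
    body = body[len("F-SBID("):-1]
    return [(name, value) for name, value in OPTION_RE.findall(body)]


def signature_fields(sig):
    """Scalar options as a dict; the repeatable --pattern keyword is left out."""
    fields = {}
    for name, value in parse_signature(sig):
        if name == "pattern":
            continue
        fields[name] = value.strip('"')
    return fields


def content_patterns(sig):
    """Ordered pattern list; each entry is (text, negated, nocase).

    Assumption of this example: --no_case modifies the --pattern that precedes it,
    which is how the page's signature is laid out."""
    patterns = []
    for name, value in parse_signature(sig):
        if name == "pattern":
            negated = value.startswith("!")
            text = value.lstrip("!").strip('"')
            patterns.append([text, negated, False])
        elif name == "no_case" and patterns:
            patterns[-1][2] = True
    return [tuple(p) for p in patterns]


def request_blocked(sig, request):
    """True if the HTTP request header block satisfies every pattern of the signature."""
    headers = request.split("\r\n\r\n", 1)[0]  # --context header: the body is not searched
    for text, negated, nocase in content_patterns(sig):
        hay, needle = (headers.lower(), text.lower()) if nocase else (headers, text)
        found = needle in hay
        # A negated pattern must be absent; a plain pattern must be present.
        if found == negated:
            return False
    return True


# Constructed requests (hypothetical hosts and User-Agent strings).
XP_BROWSER = ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
              "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)\r\n\r\n")
WIN7_BROWSER = ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0\r\n\r\n")
FORTICLIENT_ON_XP = ("GET /update HTTP/1.1\r\nHost: update.example.com\r\n"
                     "User-Agent: FCT/6.0 (Windows NT 5.1)\r\n\r\n")
XP_STRING_IN_BODY = ("POST /form HTTP/1.1\r\nHost: www.example.com\r\n"
                     "User-Agent: curl/7.64.0\r\nContent-Length: 33\r\n\r\n"
                     "comment=my old Windows NT 5.1 box")

if __name__ == "__main__":
    print(signature_fields(SIGNATURE)["name"], content_patterns(SIGNATURE))
    for label, req in [("XP browser", XP_BROWSER), ("Windows 7 browser", WIN7_BROWSER),
                       ("FortiClient on XP", FORTICLIENT_ON_XP), ("NT 5.1 only in body", XP_STRING_IN_BODY)]:
        verdict = "drop_session" if request_blocked(SIGNATURE, req) else "allow"
        print(f"{label}: {verdict}")
```

The negated pattern !"FCT" is what keeps FortiClient traffic from an NT 5.x host out of the match, and "Windows NT 5." with --no_case covers NT 5.0, 5.1 and 5.2 regardless of letter case; the last constructed request shows that the same string in a POST body does not trigger a header-context signature.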

  1. Go to Security Profiles > Application Control and edit the default application sensor.
  2. Under Application Overrides, select Add Signatures. The new signature should appear at the top of the list. If it does not, search for the signature’s name.
  3. Select the signature, then select Use Selected Signatures.


  1. Go to Policy & Objects > IPv4 Policy and edit the policy that allows connections from the internal network to the Internet.
  2. Under Security Profiles, turn on Application Control and use the default application sensor.

Results

When a PC running one of the affected operating systems attempts to connect to the Internet using a browser, a blocked message appears. Because Application Control uses flow-based inspection, if you apply an additional security profile to your traffic that is proxy-based, the connection will simply timeout rather than display the replacement message. However, Application Control will still function.

PCs running other operating systems, including later versions of Windows, are not affected.

Go to FortiView > All Sessions and select the 5 minutes view.

Filter the results to show sessions that were blocked.

You will see that the Application Control signature, shown in the Application Name column, was used to block traffic from PCs running older Windows versions.

For further reading, see Custom Application & IPS Signatures.


2 thoughts on “FortiOS 6 – Application Control”

  1. Paweł

    How to effectively block access to the internet, but allow access to Windows updates?
    This solution: “…configuring application control to allow only automatic software updates to access the Internet.” – DOESN'T WORK – Microsoft needs the HTTPS browser allowed to get updates, but then you can launch any website 🙂
  2. Huey

    Hi Mike,

    If I set a category to monitor, what extra information do I get? Where is the additional information/analysis stored? Does it get stored on the FAZ if I am logging to FAZ? So many questions about the “Monitor” setting…

