AppCtrl basic category filters and overrides

AppCtrl basic category filters and overrides

Once you have created an application sensor, you can define the applications that you want to control. You can add applications and filters using categories, application overrides, and/or filter overrides.

  • Categories: Choose groups of signatures based on a category type. l Application overrides: Choose individual applications. l Filter overrides: Select groups of applications and override the application signature settings for them.

Categories

Categories allow you to choose groups of signatures based on a category type.

Applications belonging to the category trigger the action set to the category.

To set category filters in the CLI:

config application list edit {id} config entries edit 1 set category {id}

 ID Select Category ID
 2  P2P
 3  VoIP
 5  Video/Audio
 6  Proxy
 7  Remote.Access
 8  Game
 12 General.Interest
 15 Network.Service
 17 Update
 21 Email
 22 Storage.Backup
 23 Social.Media
 25 Web.Client
 26 Industrial
 28 Collaboration
 29 Business
 30 Cloud.IT
 31 Mobile
set action {pass | block | reset}

pass      Pass or allow matching traffic.  block Block or drop matching traffic.

reset Reset sessions for matching traffic.

set log {enable | disable} next

end

next

end

To set category filters in the GUI:

  1. Go to Security Profiles > Application Control.
  2. Under Categories, left click the icon next to the category name to view a dropdown of actions:

l Allow l Monitor l Block l Quarantine l View signatures

  1. Select OK.

Application and filter overrides

Override type Setting
Application Type: Choose Application for application overrides.
Action: Can be set to Monitor/Allow/Block/Quarantine.
Application: Multiple app signatures can be added for one entry. A slide-in presenting an application list will be shown to select specific app signatures, and the search box can be used to filter matched signatures.
Filter Type: Choose Filter for filter overrides.
Action: Can be set to Monitor/Allow/Block/Quarantine.
Filter: Filters can be selected by behavior, application category, technology, popularity, protocol, risk, or vendor subtypes.
Search box: Can be used to determine if the input signature is included in selected filters, where matched applications are shown at the bottom.

To set overrides in the CLI:

config application list     edit {id}

config entries

edit 1 set protocols {0-47} #network protocol ID

set risk {id}

*level Risk, or impact, of allowing traffic from this application to

occur (1 – 5; Low, Elevated, Medium, High, and Critical).

set vendor {0-25}       #vendor ID

set technology {id}

All         All

  • Network-Protocol
  • Browser-Based
  • Client-Server

4           Peer-to-Peer

set behavior {id}

All         All

  • Botnet
  • Evasive
  • Excessive-Bandwidth
  • Tunneling

9           Cloud

set popularity {1-5} #Popularity level 1-5

set action {pass | block | reset}

pass    Pass or allow matching traffic.

block   Block or drop matching traffic.

reset   Reset sessions for matching traffic.

set log {enable | disable}

next

end     next end

To set overrides in the GUI:

  1. Go to Security Profiles > Application Control.
  2. Under the Application and FilterOverrides table, click Create New.
  3. To add individual applications:
    1. Select Application as the Type.
    2. Choose an action to be associated with the application.
    3. Select the + button in the Application field and choose the specific applications from the list where app signatures are displayed. Multiple applications may be selected.
    4. Select OK.
  4. To add advanced filters:
    1. Create another entry in the Application and FilterOverrides
    2. Select Filter as the Type.
    3. Select Cloud under the behavior section from the Select Entries Matched signatures are shown along the bottom.
    4. Select OK.
This entry was posted in Administration Guides, FortiGate, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.