Application Visibility (DPI)
You can monitor and/or block specific application traffic in your network. FortiWLC (SD) can monitor and restrict access applications/services, as listed in the Configuration > Access Control > Application
Limitations and Recommendations
- To export DPI status to an FortiWLM server, the export destination port must be set to 4739.
- If the total number of ESS profiles and the total number APs in the controller are the maximum allowed, then a policy cannot be created. When configuring each policy:
- The total number of ESS that can be applied to is 64. Tip: To support this maximum, ensure that an ESS name is 15 characters or less.
- The total number APs that can be applied are 186. To support this maximum, the AP IDs need to between the 1 to 500 AP ID range. Tip: to maximize the coverage of APs, you can create AP groups and use this instead of listing individual APs.
- Bittorent downloads can be monitored but cannot be blocked.
- In a custom app, Bittorent traffic cannot be monitored or blocked.
- Advanced detection of sub-protocol traffic is a resource intensive task, so we recommend that you use it in moderation.
- It is recommended that you do not delete custom application (under the Settings > Custom Application tab in Application). Deleting a custom application can result in incorrect status display of top 10 applications in the dashboard.
- A custom application is by default monitored even if it is not mapped to a policy. But for it to be blocked, it must be added to a policy
- Setting up application monitoring or blocking requires you to enable DPI and creating appropriate policies.
To set up and use the application monitoring:
- Enable Application Visibility
- Create Policies
- Associate system defined and/or custom applications to policies
Enable Application Visibility
To enable DPI, go to Configuration > Applications > Settings tab
- Select ON for Enable Application Classification. This is a global settings and enables DPI on all APs.
- Export Interval is a non-configurable field that set at 90 seconds.
- Export Destination: Specify or edit (if automatically pushed by Network Manager) the IP address of the correct Network Manager server. This is used to export stats to Network Manager server
- To export values to Fortinet Network Manager, select Enable Netflow Export and specify the Fortinet Network Manger server IP (Export Destination).
Creating a Policy
You can create policies to monitor and block one or more application traffic. This can be done for one of the following condition:
- All ESS profiles
- Per ESS profile
- All APs
- Per AP
- Per AP Group
- ESS and AP Combination
Example
The following screen-shots illustrate the procedure to create a policy to block Yelp traffic by clients that are connected to sdpi-832-t ESS profile via AP-3.
- Click the ADD button to view application lists
- Select the application from the list and click ADD button
- Select Block from the dropdown list and click SAVE button
List of policies
- Policy: The status of the policy
- Advanced Detection: Select enable to view sub-protocols for a system defined application and protocols.
- Application ID List: List of system defined application and /or custom applications that are blocked or monitored by the policy. Blocked applications are shown in red colour and applications that are only monitored are shown in green colour.
- ESSID List: The name of the ESS profile configured for this policy. Clients that connect using this ESSID profile and accessing the monitored application.
- AP Groups or APs: The list of APs that are configured for this policy. Clients that connected via these APs or AP groups and accessing the monitored application.
- Owner: The owner is either controller or NMS. If the policy is created in the controller the owner is listed as controller.
- Search: To locate a specific policy by Name, AP, ESS, or owner, enter the keyword in the search box and hit the Enter key. This will highlight the corresponding row that matches the keyword. To filter the display based on Status, select the status (from the dropdown) to highlight the corresponding rows.
- Policy Reordering: Policies are executed in the order they are displayed. To reorder policy priority, click the Reorder button and use the arrows in the action column to move them up or down the listing order. You must save this for the reorder changes to take effect.
In the following illustration, the ESSID MTS and APID AP-8 appear in both corporate-1 and corporate-2 policies. The corporate-1 policy allows Facebook traffic and corporate-2 blocks Facebook traffic. Since corporate-1 is higher in the order than corporate-2, Facebook will be allowed and not blocked. However, for AP-10 Facebook will be blocked as per corporate-2 policy.
Custom Applications
Custom applications are user-defined applications that are not part of the system defined applications. You can add a maximum of 32 applications in the controller and a maximum of 32 applications on Network Manager.
A custom application is a combination of one or more of the following:
- Predefined L4 and L7 protocols
- Source and/or Destination Ports
- User Agents
- Any HTTP/HTTPS URL
- Destination IP
Creating a Custom Application and assigning it to a Policy
- To create a custom application, go to Application > Settings > Custom Applications and click the Add
- Enter properties for the custom application and click Save. In this simple example, traffic from www.bbc.com will be monitored.
- Add custom application to a policy. Use the same steps mentioned in See “Example” on page 408. But in the sub-step 4 of the figure, scroll down to very end to location the custom application. Select the custom application and then select policy setting.
DPI Dashboard
The DPI dashboard shows applications that are configured for monitoring (detect) only. Applications that are blocked are not displayed in the dashboard as they are dropped by the AP.
- The graph displays a pie chart with the top 10 applications (by usage) that are monitored.
- The list of top 10 stations that are connected to one or more of the top 10 applications. This does not represent the usage of a specific application by the station.
- List of APs that are passing traffic for one or more of the top 10 applications
- List of ESS profiles that are passing traffic for one or more of the top 10 applications
- This table lists the top 10 application and displays numerical (integer) statistics about number of stations, ESS profiles, APs and traffic size in bytes.
- This table shows historical data for application traffic in the last 24 hours.
Using CLI
Creating a Policy
- In the config mode, use the app‐visibility‐policy <policy‐name> command.
- Enable the status using the state enable command
- Specify the application id and the policy type using appids <application‐ID>:<type> Use A, to allow and monitor the traffic usage
- In a single policy you can add rules to monitor and block application traffic.
mc1500(15)(config)# app‐visibility‐policy CorpNet mc1500(15)(config‐app‐visibility‐policy)# description “” mc1500(15)(config‐app‐visibility‐policy)# state enable mc1500(15)(config‐app‐visibility‐policy)# appids 6:B mc1500(15)(config‐app‐visibility‐policy)# essids stability mc1500(15)(config‐app‐visibility‐policy)# apids “5:A” mc1500(15)(config‐app‐visibility‐policy)# owner controller mc1500(15)(config‐app‐visibility‐policy)# version 0 mc1500(15)(config‐app‐visibility‐policy)# exit
To View the list of policies and type configured for a specific AP, use the show applicationvisibility policy‐config‐service <app‐id> command.
mc1500(15)# show application‐visibility policy‐config‐service 5
AP ESSID APPID Action
5 1 2 Allow
5 1 5 Allow
5 1 6 Block
5 1 8 Allow
5 1 24 Allow
5 1 32 Allow
5 1 41 Allow
5 1 70 Allow
Application Visibility Policy Service(8)
Legends
Figure 71: DPI Config Option Legends
Label Description
- When used for an application, it means to allow, detect, and monitor the application traffic.
- Used to detect and block the application traffic
A When use as an AP-ID, refers to adding an individual AP.
L Used to add an ap-group to a policy.
Monitoring Policies
mc1500(15)# sh service‐summary Application‐Visibility
Feature Type Name Value ValueStr
Application‐Visibility Application myspace 100 {“util”:3006.76,”tx”:6943001576,”rx”:257651566}
Application‐Visibility Application amazon_cloud 0 {“util”:474.84,”tx”:1093389603,”rx”:43774451}
Application‐Visibility Application facebook 0 {“util”:184.00,”tx”:421673492,”rx”:18973696}
Application‐Visibility Application twitter 0 {“util”:164.58,”tx”:358628579,”rx”:35513363}
Application‐Visibility Application unknown 0 {“util”:97.92,”tx”:221291109,”rx”:13202213}
Application‐Visibility Application amazon_shop 0 {“util”:77.81,”tx”:162324404,”rx”:24026568}
Application‐Visibility Application linkedin 0
{“util”:48.60,”tx”:109814218,”rx”:6565367}
Application‐Visibility Application youtube 0 {“util”:
1.34,”tx”:2910287,”rx”:292302}
Application‐Visibility Station 58:94:6b:b5:ca:c4 100 {“util”:591.86,”tx”:1364192275,”rx”:53208638}
Application‐Visibility Station 00:27:10:cb:90:40 0 {“util”:571.51,”tx”:1317000065,”rx”:51657115}
Application‐Visibility Station 10:0b:a9:44:f6:ac 0
{“util”:297.04,”tx”:681777356,”rx”:29579769}
Application‐Visibility Station 24:77:03:80:4c:60 0 {“util”:294.30,”tx”:676177538,”rx”:28620457}
Application‐Visibility Station 84:3a:4b:48:1e:c0 0 {“util”:291.67,”tx”:668985331,”rx”:29513381}
Application‐Visibility Station 24:77:03:80:2e:48 0 {“util”:287.46,”tx”:660217415,”rx”:28188180}
Application‐Visibility Station 08:11:96:7d:cf:80 0 {“util”:286.78,”tx”:657504303,”rx”:29271859}
Application‐Visibility Station 24:77:03:80:a4:40 0 {“util”:281.94,”tx”:646183947,”rx”:29009375}
Application‐Visibility Station 24:77:03:80:5f:54 0 {“util”:280.23,”tx”:645624714,”rx”:25475052}
Application‐Visibility Station 24:77:03:85:b4:50 0 {“util”:279.89,”tx”:641592459,”rx”:28689908}
Application‐Visibility EssId stability 100 {“util”:4055.84,”tx”:9313033268,”rx”:399999526}
Application‐Visibility AP AP‐109 100 {“util”:4055.84,”tx”:9313033268,”rx”:399999526} Service Data Summary(20 entries) mc1500(15)# sh ap
ap ap‐certificate ap‐discovered ap‐onlinehistory ap‐reboot‐event ap‐redirect applicationvisibility
ap‐assigned ap‐connectivity ap‐neighbor ap‐rebootcount ap‐reboot‐top10 ap‐swap mc1500(15)# sh application‐visibility application‐summary
APPID Name Station Counts AP Counts ESS Counts Tx Bytes Rx Bytes TxRx Bytes
5 myspace 12 1 1 7274981850 269918317 7544900167
24 amazon_cloud 13 1 1 1149026229 45994062 1195020291
2 facebook 13 1 1 443832821 19962877 463795698
8 twitter 13 1 1 375850987 37259491 413110478
0 unknown 20 1 1 233565871 13899667 247465538
70 amazon_shop 13 1 1 170637983 25318821 195956804
41 linkedin 12 1 1 115430025 6896689 122326714
32 youtube 13 1 1 3022484 304784 3327268 Application Visibility Statistics Summary(8) mc1500(15)#
mc1500(15)# sh service‐summary‐trend Application‐Visibility
Feature Type Name StartTime
EndTime Value ValueStr
Application‐Visibility Application myspace 01/17/2009
01:00:00 01/17/2009 02:00:00 370191907
{“util”:254501.59,”tx”:3561906268,”rx”:140012805}
Application‐Visibility Application amazon_cloud 01/17/2009
01:00:00 01/17/2009 02:00:00 523131985
{“util”:35964.57,”tx”:502700232,”rx”:20431753}
Application‐Visibility Application twitter 01/17/2009
01:00:00 01/17/2009 02:00:00 221967525
{“util”:15259.95,”tx”:202733592,”rx”:19233933}
Application‐Visibility Application facebook 01/17/2009
01:00:00 01/17/2009 02:00:00 220636588
{“util”:15168.45,”tx”:210304218,”rx”:10332370}
Application‐Visibility Application unknown 01/17/2009
01:00:00 01/17/2009 02:00:00 113502079
{“util”:7803.10,”tx”:106412520,”rx”:7089559}
Application‐Visibility Application amazon_shop 01/17/2009
01:00:00 01/17/2009 02:00:00 106703142
{“util”:7335.69,”tx”:93322094,”rx”:13381048}
Application‐Visibility Application linkedin 01/17/2009
01:00:00 01/17/2009 02:00:00 58696435
{“util”:4035.30,”tx”:55165018,”rx”:3531417}
Application‐Visibility Application youtube 01/17/2009
01:00:00 01/17/2009 02:00:00 1454576
{“util”:100.00,”tx”:1315107,”rx”:139469}
Application‐Visibility Application myspace 01/17/2009
02:00:00 01/17/2009 03:00:00 781850640
{“util”:264335.11,”tx”:7508697893,”rx”:309808509}
Application‐Visibility Application amazon_cloud 01/17/2009
02:00:00 01/17/2009 03:00:00 112454581
{“util”:38019.66,”tx”:1078606475,”rx”:45939338}
Application‐Visibility Application facebook 01/17/2009
02:00:00 01/17/2009 03:00:00 472612999
{“util”:15978.53,”tx”:448955762,”rx”:23657237}
Application‐Visibility Application twitter 01/17/2009
02:00:00 01/17/2009 03:00:00 442033093
{“util”:14944.65,”tx”:401239344,”rx”:40793749}
Application‐Visibility Application amazon_shop 01/17/2009
02:00:00 01/17/2009 03:00:00 229558452
{“util”:7761.12,”tx”:202329371,”rx”:27229081}
Application‐Visibility Application unknown 01/17/2009
02:00:00 01/17/2009 03:00:00 215482783
{“util”:7285.24,”tx”:200402948,”rx”:15079835}
Application‐Visibility Application linkedin 01/17/2009
02:00:00 01/17/2009 03:00:00 125984872
{“util”:4259.41,”tx”:118235346,”rx”:7749526}
Application‐Visibility Application youtube 01/17/2009
02:00:00 01/17/2009 03:00:00 2957801
{“util”:100.00,”tx”:2659330,”rx”:298471}
Application‐Visibility Application myspace 01/17/2009
03:00:00 01/17/2009 04:00:00 859492100
{“util”:269614.13,”tx”:8269499897,”rx”:325421104}
Application‐Visibility Application amazon_cloud 01/17/2009
03:00:00 01/17/2009 04:00:00 116518953
{“util”:36550.84,”tx”:1119128571,”rx”:46060960}
Application‐Visibility Application facebook 01/17/2009
03:00:00 01/17/2009 04:00:00 461844358
{“util”:14487.60,”tx”:440897736,”rx”:20946622}
Application‐Visibility Application twitter 01/17/2009
03:00:00 01/17/2009 04:00:00 408573605
{“util”:12816.55,”tx”:369504893,”rx”:39068712}
Application‐Visibility Application unknown 01/17/2009
03:00:00 01/17/2009 04:00:00 237048541
{“util”:7435.98,”tx”:221824322,”rx”:15224219}
Application‐Visibility Application amazon_shop 01/17/2009
03:00:00 01/17/2009 04:00:00 204090068
{“util”:6402.10,”tx”:178965615,”rx”:25124453}
Application‐Visibility Application linkedin 01/17/2009
03:00:00 01/17/2009 04:00:00 121917540
{“util”:3824.43,”tx”:114827231,”rx”:7090309}
Application‐Visibility Application youtube 01/17/2009
03:00:00 01/17/2009 04:00:00 3187860
{“util”:100.00,”tx”:2879796,”rx”:308064}
Service Data Summary Trend(24 entries)
Additional capabilities in Application Visibility include the following:
- Blocked traffic statistics
- Support for wired clients using port profile
- Bandwidth throttling
- DSCP Markings
Blocked Statistics
The dashboard now provides detailed statistics on blocked traffic.
The BLOCKED APPLICATIONS section provides the following statistics:
- Application Name: The application traffic set to be blocked.
- # of Active Users: The number of users requesting access to the application.
- # of Active APs: The APs that block the traffic.
- # of ESSIDs / Port: The ESSID and Port profile connected to the wireless and wired clients.
- Utilization: Shows how much traffic is blocked.
Support for Wired Clients
You can add port profiles to enable adding wired clients to detect, block, or bandwidth control traffic. The new policy page is updated to list port profiles created in the controller. A policy can be created with a mix of both ESSID and Port Profiles or only with ESS profiles or only with port profiles. The following is an example to create a policy and view policy details for wired ports via CLI. default(15)# configure terminal default(15)(config)# default(15)(config)# app‐visibility‐policy wiredPorts default(15)(config‐app‐visibility‐policy)# default(15)(config‐app‐visibility‐policy)# port‐profiles wired‐profile default(15)(config‐app‐visibility‐policy)# state enable default(15)(config‐app‐visibility‐policy)# appids * default(15)(config‐app‐visibility‐policy)# advanced‐detection enable
You can use comma separated values to add multiple port profiles.
Example: default(15)(config‐app‐visibility‐policy)# port‐profiles wiredprofile,default
View Policy Details
default(15)# sh application‐visibility policy wiredPorts
Application Visibility Policy Policy Name : wiredPorts
Policy Order : 2
Description :
Policy : enable
Advanced Detection : enable
Bandwidth Limiting : disable
Application ID List : *
ESSID List :
AP Groups or APs :
Owner : controller Port Profile List : wired‐profile default(15)#
Bandwidth Throttling
You can enforce bandwidth usage limits on selected applications.
- To enable bandwidth throttle, create a policy and select Enable option for Bandwidth Limits.
- Select ESSID or Port Profile.
- Specify maximum bandwidth limits for clients and SSID/Port.
Minimum Maximum
Client 150 kbps 1 Gbps
ESSID / Port Profile 150 kbps 12 Gbps Limitations:
- Bandwidth throttle can be implemented on a maximum of 10 applications (individually or cumulatively across policies).
- When enabled the bandwidth throttling policy is applicable to all APs. AP and AP group selection is not available.
- The maximum bandwidth value configured for a client usage must be less than or equal to the value configured in ESSID or port traffic usage.
- Supported only for client traffic with tunnelled profile.
DSCP Markings
You can now add a DSCP value to application traffic (upstream: AP to controller and downstream: AP to station) to change its priority. The DSCP value for the selected application is used to mark the detected application traffic (to wireless or wired STA).
When a DSCP value is applied to application traffic, this value and the associated priority is maintained till the next node in the traffic. If the traffic carrying the DSCP value encounters a QoS-aware switch, then the DSCP value may be overridden by a QoS value specified by the switch.
In a downstream traffic, the DSCP value is applied by the controller before forwarding to the AP. This is supported for ESSID’s in tunnelled mode only.
NOTE: DSCP markings can be added to a maximum of 10 applications (includes all policies).
To assign DSCP value to application traffic, do the following:
- Go to Configuration > Access Control > Application > Policies tab.
- Click the Add button to add a new Policy.
In the new Policy enter the following details
- Name for the policy.
- Select Enable to activate the policy
- Select ESS profile
- Select AP or AP group
- Now click the add icon to view list of applications
- Selection applications to be marked with DSCP values
- For the listed application, you can specify individual DSCP values from the dropdown under DSCP Marking column.
Valid DSCP value strings
- af11
- af12 af13 • af21 • af22 • af23 • af31 • af32 • af33 • af41 • af42
- af43
- cs0 cs1 • cs2 • cs3 • cs4 • cs5 • cs6
- cs7
- no
- ef
For more details about DSCP values, see: https://tools.ietf.org/html/rfc4594
CLI Commands
To enable DSCP marking for downstream traffic, use the following command: default(15)(config)# app‐visibility‐config controller‐dscp‐marking‐state enable
The following command format configures DSCP marking and specifies bandwidth restrictions:
<app‐id>:A or B|C:<per‐client‐bw‐value>:<bw‐unit>|E:<per‐ess‐bw‐value>:<bwunit>|D:<dscp‐string>
- Application Id – <app-id:>
- Rule type (A- allow, B – block) – < A or B>
- Per client bandwidth limit – C:<bw-value>:<bw-unit> [Supported units K, M, G]
- Per ESSID bandwidth limit – E:<bw-value>:<bw-unit> [Supported units K, M, G]
- DSCP value – D:<dscp-value-string> [Supported values]
Example:
2:A|C:150:K|E:1:M|D:af11
The above command will allow traffic for application with id 2, limit bandwidth for client and ESS profile accessing this application traffic to 150 kilobits and 1 Megabits respectively, and set the DSCP for upstream traffic to af11.
Best Practices
The following is a recommended best practice while create application visibility policies. • While it is possible to create a single policy that can detect, block, or enforce bandwidth limits, it is recommended that you create individual policies that independently detect, block, or enforce bandwidth limits.
- Policies are prioritized in the following order
- Block
- Bandwidth Throttling
- Detect (General)