Application firewall
The <firewall> </firewall>
XML tags contain application firewall configuration data. The set of elements consists of two sections:
Section |
Description |
---|---|
General options |
Options that apply to all application firewall activities. |
Profiles |
Defines applications and the actions to apply to them. |
<forticlient_configuration>
<firewall>
<enabled>1</enabled>
<app_enabled>1</app_enabled>
<enable_exploit_signatures>0</enable_exploit_signatures>
<candc_enabled>1</candc_enabled>
<current_profile>0</current_profile>
<default_action>Pass</default_action>
<show_bubble_notifications>0</show_bubble_notifications>
<max_violations>250</max_violations>
<max_violations_age>7</max_violations_age>
<bypass_3rd_party_packets>0</bypass_3rd_party_packets>
<profiles>
<profile>
<id>1000</id>
<rules>
<rule>
<enabled>1</enabled>
<action>Block</action>
<compliance>1</compliance>
<application>
<id>34038,34039</id>
</application>
</rule>
<rule>
<action>Block</action>
<compliance>1</compliance>
<enabled>1</enabled>
<category>
<id>8</id>
</category>
</rule>
<rule>
<action>Pass</action>
<compliance>1</compliance>
<enabled>1</enabled>
<category>
<id>7,19,29</id>
</category>
</rule>
<rule>
<action>Block</action>
<compliance>0</compliance>
<enabled>1</enabled>
<category>
<id>1,2,3</id>
</category>
</rule>
<rule>
<action>Pass</action>
<compliance>0</compliance>
<enabled>1</enabled>
<category>
<id>All</id>
</category>
</rule>
<rule>
<action>Pass</action>
<compliance>0</compliance>
<enabled>1</enabled>
<application>
<id>0</id>
</application>
</rule>
</rules>
</profile>
</profiles>
</firewall>
</forticlient_configuration>
The following table provides the XML tags for application firewall, as well as the descriptions and default values where applicable.
XML tag |
Description |
Default value |
---|---|---|
<enabled> |
Enable application firewall. Boolean value: |
1 |
<app_enabled> |
Enable application firewall. Boolean value: |
|
<enable_exploit_signatures> |
Enable detection of evasive exploits. Boolean value: |
0 |
<candc_enabled> |
Enable detection of a connection to a botnet command and control server. Boolean value: |
|
<current_profile> |
Currently selected profile ID. |
|
<default_action> |
Action to enforce on traffic that does not match any of the profiles defined. Enter one of the following:
|
pass |
<show_bubble_notifications> |
Display a bubble message each time FortiClient blocks an application for matching a profile. Boolean value: |
|
<max_violations> |
Maximum number of violations stored at any one time. A number from 250 to 5000 |
5000 |
<max_violation_age> |
Maximum age in days of a violation record before it is culled. A number from 1 to 90. |
90 |
<bypass_3rd_party_packets> |
Enable bypassing packets that third party applications generate. Boolean value: |
0 |
The <profiles>
tag may contain one or more <profile>
tags, each of which has a <rules>
element. The <rules>
element may, itself, have zero or more <rule>
tags.
The following filter elements may be used to define applications in a <rule>
tag:
<category>
<vendor>
<behavior>
<technology>
<protocol>
<application>
<popularity>
If the <application>
element is present, all other sibling elements (listed above) are ignored. If it is not, a given application must match all of the provided filters to trigger the rule.
Each of these seven elements is a container for the tag: <ids>
, which is a list of the identifiers (numbers) selected for that particular filter. The full <firewall>
profile listed at the beginning of this section shows several examples of the use of filters within the <rule>
element. Using an <ids>
value all selects all matching applications.
The following table provides profile element XML tags, the description, and the default value (where applicable).
XML tag |
Description |
Default value |
---|---|---|
|
||
<id> |
Unique ID. A unique ID number. |
|
|
||
<action> |
Action to enforce on traffic that matches this rule. Select one of the following:
|
|
<compliance> |
Specifies whether the rule is a compliance or regular rule. When set to Boolean value: |
|
<enabled> |
Enable this rule. Boolean value: |
1 |
<category> |
Application categories to apply |
csv list |
<vendor> |
Application vendors to apply |
csv list |
<behavior> |
Application behavior to apply |
csv list |
<technology> |
Technologies used by the applications to apply |
csv list |
<protocol> |
Protocols used by the applications to apply |
csv list |
<application> |
Identifiers (IDs) of the applications to apply |
csv list |
<popularity> |
Popularity of the applications to apply |
csv list |
Rule example
In the following example, FortiClient uses the first rule and the second rule as a FortiClient profile rule:
<rules>
<rule>
<enabled>1</enabled>
<action>block | warn | monitor</action>
<compliance>1</compliance>
<filter>
<application>
<ids>36373</ids>
</application>
</filter>
</rule>
<rule>
<enabled>1</enabled>
<action>block | warn | monitor</action>
<filter>
<category>
<ids>1</ids>
</category>
</filter>
</rule>
</rules>