Fortinet white logo
Fortinet white logo

Application firewall

Application firewall

The <firewall> </firewall> XML tags contain application firewall configuration data. The set of elements consists of two sections:

Section

Description

General options

Options that apply to all application firewall activities.

Profiles

Defines applications and the actions to apply to them.

<forticlient_configuration>

<firewall>

<enabled>1</enabled>

<app_enabled>1</app_enabled>

<enable_exploit_signatures>0</enable_exploit_signatures>

<candc_enabled>1</candc_enabled>

<current_profile>0</current_profile>

<default_action>Pass</default_action>

<show_bubble_notifications>0</show_bubble_notifications>

<max_violations>250</max_violations>

<max_violations_age>7</max_violations_age>

<bypass_3rd_party_packets>0</bypass_3rd_party_packets>

<profiles>

<profile>

<id>1000</id>

<rules>

<rule>

<enabled>1</enabled>

<action>Block</action>

<compliance>1</compliance>

<application>

<id>34038,34039</id>

</application>

</rule>

<rule>

<action>Block</action>

<compliance>1</compliance>

<enabled>1</enabled>

<category>

<id>8</id>

</category>

</rule>

<rule>

<action>Pass</action>

<compliance>1</compliance>

<enabled>1</enabled>

<category>

<id>7,19,29</id>

</category>

</rule>

<rule>

<action>Block</action>

<compliance>0</compliance>

<enabled>1</enabled>

<category>

<id>1,2,3</id>

</category>

</rule>

<rule>

<action>Pass</action>

<compliance>0</compliance>

<enabled>1</enabled>

<category>

<id>All</id>

</category>

</rule>

<rule>

<action>Pass</action>

<compliance>0</compliance>

<enabled>1</enabled>

<application>

<id>0</id>

</application>

</rule>

</rules>

</profile>

</profiles>

</firewall>

</forticlient_configuration>

The following table provides the XML tags for application firewall, as well as the descriptions and default values where applicable.

XML tag

Description

Default value

<enabled>

Enable application firewall.

Boolean value: [0 | 1]

1

<app_enabled>

Enable application firewall.

Boolean value: [0 | 1]

<enable_exploit_signatures>

Enable detection of evasive exploits.

Boolean value: [0 | 1]

0

<candc_enabled>

Enable detection of a connection to a botnet command and control server. If Block Known Communication Channels Used by Attackers is enabled on the Malware Protection profile and this option is disabled, Block Known Communication Channels Used by Attackers takes precedence and FortiClient enables Command and Control detection.

Boolean value: [0 | 1]

<current_profile>

Currently selected profile ID.

<default_action>

Action to enforce on traffic that does not match any of the profiles defined. Enter one of the following:

  • block
  • reset
  • pass

pass

<show_bubble_notifications>

Display a bubble message each time FortiClient blocks an application for matching a profile.

Boolean value: [0 | 1]

<max_violations>

Maximum number of violations stored at any one time.

A number from 250 to 5000

5000

<max_violation_age>

Maximum age in days of a violation record before it is culled.

A number from 1 to 90.

90

<bypass_3rd_party_packets>

Enable bypassing packets that third party applications generate.

Boolean value: [0 | 1]

0

The <profiles> tag may contain one or more <profile> tags, each of which has a <rules> element. The <rules> element may, itself, have zero or more <rule> tags.

The following filter elements may be used to define applications in a <rule> tag:

<category>

<vendor>

<behavior>

<technology>

<protocol>

<application>

<popularity>

If the <application> element is present, all other sibling elements (listed above) are ignored. If it is not, a given application must match all of the provided filters to trigger the rule.

Each of these seven elements is a container for the tag: <ids>, which is a list of the identifiers (numbers) selected for that particular filter. The full <firewall> profile listed at the beginning of this section shows several examples of the use of filters within the <rule> element. Using an <ids> value all selects all matching applications.

The following table provides profile element XML tags, the description, and the default value (where applicable).

XML tag

Description

Default value

<profile> element

<id>

Unique ID. A unique ID number.

<profile><rules><rule> elements

<action>

Action to enforce on traffic that matches this rule. Select one of the following:

  • block
  • reset
  • pass

<compliance>

Specifies whether the rule is a compliance or regular rule. When set to 1, this is a compliance rule. When set to 0 or the tag does not exist, this is a FortiClient profile rule. For more information, see the FortiClient Administration Guide.

Boolean value: [0 | 1]

<enabled>

Enable this rule.

Boolean value: [0 | 1]

1

<category>

Application categories to apply <action> on.

csv list

<vendor>

Application vendors to apply <action> on.

csv list

<behavior>

Application behavior to apply <action> on.

csv list

<technology>

Technologies used by the applications to apply <action> on.

csv list

<protocol>

Protocols used by the applications to apply <action> on.

csv list

<application>

Identifiers (IDs) of the applications to apply <action> on.

csv list

<popularity>

Popularity of the applications to apply <action> on.

csv list

Rule example

In the following example, FortiClient uses the first rule and the second rule as a FortiClient profile rule:

<rules>

<rule>

<enabled>1</enabled>

<action>block | warn | monitor</action>

<compliance>1</compliance>

<filter>

<application>

<ids>36373</ids>

</application>

</filter>

</rule>

<rule>

<enabled>1</enabled>

<action>block | warn | monitor</action>

<filter>

<category>

<ids>1</ids>

</category>

</filter>

</rule>

</rules>

Application firewall

Application firewall

The <firewall> </firewall> XML tags contain application firewall configuration data. The set of elements consists of two sections:

Section

Description

General options

Options that apply to all application firewall activities.

Profiles

Defines applications and the actions to apply to them.

<forticlient_configuration>

<firewall>

<enabled>1</enabled>

<app_enabled>1</app_enabled>

<enable_exploit_signatures>0</enable_exploit_signatures>

<candc_enabled>1</candc_enabled>

<current_profile>0</current_profile>

<default_action>Pass</default_action>

<show_bubble_notifications>0</show_bubble_notifications>

<max_violations>250</max_violations>

<max_violations_age>7</max_violations_age>

<bypass_3rd_party_packets>0</bypass_3rd_party_packets>

<profiles>

<profile>

<id>1000</id>

<rules>

<rule>

<enabled>1</enabled>

<action>Block</action>

<compliance>1</compliance>

<application>

<id>34038,34039</id>

</application>

</rule>

<rule>

<action>Block</action>

<compliance>1</compliance>

<enabled>1</enabled>

<category>

<id>8</id>

</category>

</rule>

<rule>

<action>Pass</action>

<compliance>1</compliance>

<enabled>1</enabled>

<category>

<id>7,19,29</id>

</category>

</rule>

<rule>

<action>Block</action>

<compliance>0</compliance>

<enabled>1</enabled>

<category>

<id>1,2,3</id>

</category>

</rule>

<rule>

<action>Pass</action>

<compliance>0</compliance>

<enabled>1</enabled>

<category>

<id>All</id>

</category>

</rule>

<rule>

<action>Pass</action>

<compliance>0</compliance>

<enabled>1</enabled>

<application>

<id>0</id>

</application>

</rule>

</rules>

</profile>

</profiles>

</firewall>

</forticlient_configuration>

The following table provides the XML tags for application firewall, as well as the descriptions and default values where applicable.

XML tag

Description

Default value

<enabled>

Enable application firewall.

Boolean value: [0 | 1]

1

<app_enabled>

Enable application firewall.

Boolean value: [0 | 1]

<enable_exploit_signatures>

Enable detection of evasive exploits.

Boolean value: [0 | 1]

0

<candc_enabled>

Enable detection of a connection to a botnet command and control server. If Block Known Communication Channels Used by Attackers is enabled on the Malware Protection profile and this option is disabled, Block Known Communication Channels Used by Attackers takes precedence and FortiClient enables Command and Control detection.

Boolean value: [0 | 1]

<current_profile>

Currently selected profile ID.

<default_action>

Action to enforce on traffic that does not match any of the profiles defined. Enter one of the following:

  • block
  • reset
  • pass

pass

<show_bubble_notifications>

Display a bubble message each time FortiClient blocks an application for matching a profile.

Boolean value: [0 | 1]

<max_violations>

Maximum number of violations stored at any one time.

A number from 250 to 5000

5000

<max_violation_age>

Maximum age in days of a violation record before it is culled.

A number from 1 to 90.

90

<bypass_3rd_party_packets>

Enable bypassing packets that third party applications generate.

Boolean value: [0 | 1]

0

The <profiles> tag may contain one or more <profile> tags, each of which has a <rules> element. The <rules> element may, itself, have zero or more <rule> tags.

The following filter elements may be used to define applications in a <rule> tag:

<category>

<vendor>

<behavior>

<technology>

<protocol>

<application>

<popularity>

If the <application> element is present, all other sibling elements (listed above) are ignored. If it is not, a given application must match all of the provided filters to trigger the rule.

Each of these seven elements is a container for the tag: <ids>, which is a list of the identifiers (numbers) selected for that particular filter. The full <firewall> profile listed at the beginning of this section shows several examples of the use of filters within the <rule> element. Using an <ids> value all selects all matching applications.

The following table provides profile element XML tags, the description, and the default value (where applicable).

XML tag

Description

Default value

<profile> element

<id>

Unique ID. A unique ID number.

<profile><rules><rule> elements

<action>

Action to enforce on traffic that matches this rule. Select one of the following:

  • block
  • reset
  • pass

<compliance>

Specifies whether the rule is a compliance or regular rule. When set to 1, this is a compliance rule. When set to 0 or the tag does not exist, this is a FortiClient profile rule. For more information, see the FortiClient Administration Guide.

Boolean value: [0 | 1]

<enabled>

Enable this rule.

Boolean value: [0 | 1]

1

<category>

Application categories to apply <action> on.

csv list

<vendor>

Application vendors to apply <action> on.

csv list

<behavior>

Application behavior to apply <action> on.

csv list

<technology>

Technologies used by the applications to apply <action> on.

csv list

<protocol>

Protocols used by the applications to apply <action> on.

csv list

<application>

Identifiers (IDs) of the applications to apply <action> on.

csv list

<popularity>

Popularity of the applications to apply <action> on.

csv list

Rule example

In the following example, FortiClient uses the first rule and the second rule as a FortiClient profile rule:

<rules>

<rule>

<enabled>1</enabled>

<action>block | warn | monitor</action>

<compliance>1</compliance>

<filter>

<application>

<ids>36373</ids>

</application>

</filter>

</rule>

<rule>

<enabled>1</enabled>

<action>block | warn | monitor</action>

<filter>

<category>

<ids>1</ids>

</category>

</filter>

</rule>

</rules>