Product Pillars
Network Security
Network Security
NOC & SOC Management
Enterprise Networking
Business Communications
Zero Trust Access
ZTNA
SASE
Identity
Cloud Security
Hybrid Cloud Security
Cloud Native Protection
Web Application / API Protection
SAAS Security
Security Operations
SOC Platform
Advanced Threat Protection
Endpoint Security
Best Practices
Solution Hubs
Curated links by solution
Cloud
Popular Solutions
4-D Resources
Define, Design, Deploy, Demo
Hardware Guides
Product A-Z

Version:

6.0.0

Table of Contents

Use Case: FortiGate-VM on a Docker Environment

6.0.0
6.0.0
Copy Link

Overview

Unlike FortiWeb-VM, FortiGate-VM cannot be deployed as a Docker container. However, FortiGate-VM is capable of protecting various resources in the Docker environment. Some use cases are mentioned in this document.

The popularity of Docker has seen an increasing volume of activities of downloading and uploading Docker images and their manifests over internet. Since the majority of the Docker images in the public registries are vulnerable, it is important to ensure that images are downloaded only from a source where they have already been scanned for vulnerabilities. To help enforce this policy, FortiGate application control has added signatures for Docker traffic.

Application control signature

Description

Docker

Indicates an attempt to access Docker.

Docker_Pull.Blob

Indicates an attempt to pull a blob from Docker.

Docker_Push.Blob

Indicates an attempt to push a blob onto Docker.

Docker_Pull.Manifest

Indicates an attempt to pull a manifest from Docker.

Docker_Push.Manifest

Indicates an attempt to push a manifest onto Docker.

By updating the signature after initial FortiGate deployment, you should see the Docker-related application controls added.

You can configure firewall policies to allow pulls and pushes with known clean private Docker registries using their IPs (or IPs except for malicious and blacklisted ones) as either sources or destinations while having awareness of Docker-related application in traffic.

Apart from application control, FortiGate also scans all the traffic in the Docker environment for vulnerabilities and file-based threats using Intrusion Prevention Service (IPS) and Advanced Malware Protection (AMP).

Overview

Unlike FortiWeb-VM, FortiGate-VM cannot be deployed as a Docker container. However, FortiGate-VM is capable of protecting various resources in the Docker environment. Some use cases are mentioned in this document.

The popularity of Docker has seen an increasing volume of activities of downloading and uploading Docker images and their manifests over internet. Since the majority of the Docker images in the public registries are vulnerable, it is important to ensure that images are downloaded only from a source where they have already been scanned for vulnerabilities. To help enforce this policy, FortiGate application control has added signatures for Docker traffic.

Application control signature

Description

Docker

Indicates an attempt to access Docker.

Docker_Pull.Blob

Indicates an attempt to pull a blob from Docker.

Docker_Push.Blob

Indicates an attempt to push a blob onto Docker.

Docker_Pull.Manifest

Indicates an attempt to pull a manifest from Docker.

Docker_Push.Manifest

Indicates an attempt to push a manifest onto Docker.

By updating the signature after initial FortiGate deployment, you should see the Docker-related application controls added.

You can configure firewall policies to allow pulls and pushes with known clean private Docker registries using their IPs (or IPs except for malicious and blacklisted ones) as either sources or destinations while having awareness of Docker-related application in traffic.

Apart from application control, FortiGate also scans all the traffic in the Docker environment for vulnerabilities and file-based threats using Intrusion Prevention Service (IPS) and Advanced Malware Protection (AMP).