Fortinet white logo
Fortinet white logo

Handbook

6.0.0

Configuring profiles

Configuring profiles

Application control examines your network traffic for traffic generated by the applications you want it to control. The configuration steps outlined below are for FortiGate's operating in proxy-based inspection and flow-based inspection with profile-based NGFW modes.

General configuration steps

Follow the configuration procedures in the order given. Also, note that if you perform any additional actions between procedures, your configuration may have different results.

  1. Create an application sensor.
  2. Configure the sensor to include the signatures for the application traffic you want the FortiGate unit to detect.
  3. Enable any other applicable options.
  4. Enable application control in a security policy and select the application sensor.

Creating an application sensor

You need to create an application sensor before you can enable application control.

To create an application sensor
  1. Go to Security Profiles > Application Control.
  2. Select the Create New icon in the title bar of the Edit Application Sensor window.
  3. In the Name field, enter the name of the new application sensor.
  4. Optionally, enter descriptive Comments.

Adding applications to an application sensor

Once you have created an application sensor, you need to need to define the applications that you want to control. You can add applications and filters using categories, application overrides, and/or filter overrides. Categories will allow you to choose groups of signatures based on a category type. Application overrides allow you to choose individual applications. Filter overrides allow you to select groups of applications and override the application signature settings for them.

To add a category of signatures to the sensor.
  1. Go to Security Profiles > Application Control.
  2. Under Categories, you may select from the following:
    • Business
    • Cloud,.IT
    • Collaboration
    • Email
    • Game
    • General.Interest
    • Industrial
    • Mobile
    • Network.Service
    • P2P
    • Proxy
    • Remote.Access
    • Social.Media
    • Storage.Backup
    • Update
    • Video/Audio
    • VoIP
    • Web.Client
    • Unknown Applications

    When selecting the category that you intend to work with, left click on the icon next to the category name to see a drop down menu that includes these actions:

    • Allow
    • Monitor
    • Block
    • Quarantine
    • View Signatures

    These actions are briefly defined under Actions.

  3. If you wish to add individual applications, select Add Signatures under Application Overrides.
    1. Use the Add Filter search field to narrow down the list of possible signatures by a series of attributes.
    2. When finished, select Use Selected Signatures.
    1. When finished, select Use Selected Signatures.
  4. If you wish to add advanced filters, select Add Filter under Filter Overrides.
    1. Use the Add Filter search field to narrow down the list of possible filters by a series of attributes.
    2. When finished, select Use Filters.
  5. Select, if applicable, from the following options:
    1. Allow and Log DNS Traffic
    2. Replacement Messages for HTTP-based Applications
  6. Select OK.

There is a disabled category called Industrial. This category is disabled by default, however it can be applied through use of the CLI command below. Note that none will mean no signatures are excluded, and that industrial will exclude all industrial signatures.

CLI Syntax

config ips global

set exclude-signatures [none | industrial]

end

Applying the application sensor to a security policy

An application sensor directs the FortiGate unit to scan network traffic only when it is selected in a security policy. When an application sensor is selected in a security policy, its settings are applied to all the traffic the security policy handles.

To select the application sensor in a security policy — GUI
  1. Go to Policy & Objects > IPv4 Policy.
  2. Select a policy.
  3. Click the Edit icon.
  4. Under the heading Security Profiles toggle the button next to Application Control to enable the feature.
  5. In the drop down menu field next to the Application Control select the application sensor you wish to apply to the policy.
  6. Select OK.

Creating a new custom application signature

If you have to deal with an application that is not already in the Application List you have the option to create a new application signature.

  1. Go to Security Profiles > Application Control.
  2. Select the link in the upper right corner, [View Application Signatures]
  3. Select the Create New icon
  4. Give the new signature a name (no spaces) in the Name field.
  5. Enter a brief description in the Comments field
  6. Enter the text for the signature in the signature field.
  7. Select OK.

note icon

You can configure rate based application control signatures in the CLI Console using similar IPS signature rate CLI commands. For more information on this and the CLI syntax, see IPS signature rate count threshold

Messages in response to blocked applications

Once an Application Control sensor has been configured to block a specified application and applied to a policy it would seem inevitable that at some point an application will end up getting blocked, even if it is only to test the functionality of the control. When this happens, the sensor can be set to either display a message to offending user or to just block without any notification. The default setting is to display a message. Setting this up is done in the CLI.

config application list

edit <name of the sensor>

set app-replacemsg {enable | disable}

end

note icon

When blocking applications, there is no replacement message for SSL traffic with certificate inspection applied. When SSL deep inspection is enabled, a replacement message will appear depending on the protocol. For example, with HTTP2, the blocking is done in the SSL key exchange once the first server packet is delivered and replacement messages can not be displayed.

P2P application detection

P2P software tends to be evasive. You may be able to enhance P2P application detection by matching patterns found in the most recent three minutes of P2P traffic to determine if new traffic is P2P. Three minutes is the length of time information about matched P2P traffic remains in shared memory.

For example, the CLI commands below will result in the Intrusion Prevention System (IPS) looking for patterns formed by Skype traffic.

config application list

edit <app_list_str>

set p2p-black-list skype

end

end

Configuring profiles

Configuring profiles

Application control examines your network traffic for traffic generated by the applications you want it to control. The configuration steps outlined below are for FortiGate's operating in proxy-based inspection and flow-based inspection with profile-based NGFW modes.

General configuration steps

Follow the configuration procedures in the order given. Also, note that if you perform any additional actions between procedures, your configuration may have different results.

  1. Create an application sensor.
  2. Configure the sensor to include the signatures for the application traffic you want the FortiGate unit to detect.
  3. Enable any other applicable options.
  4. Enable application control in a security policy and select the application sensor.

Creating an application sensor

You need to create an application sensor before you can enable application control.

To create an application sensor
  1. Go to Security Profiles > Application Control.
  2. Select the Create New icon in the title bar of the Edit Application Sensor window.
  3. In the Name field, enter the name of the new application sensor.
  4. Optionally, enter descriptive Comments.

Adding applications to an application sensor

Once you have created an application sensor, you need to need to define the applications that you want to control. You can add applications and filters using categories, application overrides, and/or filter overrides. Categories will allow you to choose groups of signatures based on a category type. Application overrides allow you to choose individual applications. Filter overrides allow you to select groups of applications and override the application signature settings for them.

To add a category of signatures to the sensor.
  1. Go to Security Profiles > Application Control.
  2. Under Categories, you may select from the following:
    • Business
    • Cloud,.IT
    • Collaboration
    • Email
    • Game
    • General.Interest
    • Industrial
    • Mobile
    • Network.Service
    • P2P
    • Proxy
    • Remote.Access
    • Social.Media
    • Storage.Backup
    • Update
    • Video/Audio
    • VoIP
    • Web.Client
    • Unknown Applications

    When selecting the category that you intend to work with, left click on the icon next to the category name to see a drop down menu that includes these actions:

    • Allow
    • Monitor
    • Block
    • Quarantine
    • View Signatures

    These actions are briefly defined under Actions.

  3. If you wish to add individual applications, select Add Signatures under Application Overrides.
    1. Use the Add Filter search field to narrow down the list of possible signatures by a series of attributes.
    2. When finished, select Use Selected Signatures.
    1. When finished, select Use Selected Signatures.
  4. If you wish to add advanced filters, select Add Filter under Filter Overrides.
    1. Use the Add Filter search field to narrow down the list of possible filters by a series of attributes.
    2. When finished, select Use Filters.
  5. Select, if applicable, from the following options:
    1. Allow and Log DNS Traffic
    2. Replacement Messages for HTTP-based Applications
  6. Select OK.

There is a disabled category called Industrial. This category is disabled by default, however it can be applied through use of the CLI command below. Note that none will mean no signatures are excluded, and that industrial will exclude all industrial signatures.

CLI Syntax

config ips global

set exclude-signatures [none | industrial]

end

Applying the application sensor to a security policy

An application sensor directs the FortiGate unit to scan network traffic only when it is selected in a security policy. When an application sensor is selected in a security policy, its settings are applied to all the traffic the security policy handles.

To select the application sensor in a security policy — GUI
  1. Go to Policy & Objects > IPv4 Policy.
  2. Select a policy.
  3. Click the Edit icon.
  4. Under the heading Security Profiles toggle the button next to Application Control to enable the feature.
  5. In the drop down menu field next to the Application Control select the application sensor you wish to apply to the policy.
  6. Select OK.

Creating a new custom application signature

If you have to deal with an application that is not already in the Application List you have the option to create a new application signature.

  1. Go to Security Profiles > Application Control.
  2. Select the link in the upper right corner, [View Application Signatures]
  3. Select the Create New icon
  4. Give the new signature a name (no spaces) in the Name field.
  5. Enter a brief description in the Comments field
  6. Enter the text for the signature in the signature field.
  7. Select OK.

note icon

You can configure rate based application control signatures in the CLI Console using similar IPS signature rate CLI commands. For more information on this and the CLI syntax, see IPS signature rate count threshold

Messages in response to blocked applications

Once an Application Control sensor has been configured to block a specified application and applied to a policy it would seem inevitable that at some point an application will end up getting blocked, even if it is only to test the functionality of the control. When this happens, the sensor can be set to either display a message to offending user or to just block without any notification. The default setting is to display a message. Setting this up is done in the CLI.

config application list

edit <name of the sensor>

set app-replacemsg {enable | disable}

end

note icon

When blocking applications, there is no replacement message for SSL traffic with certificate inspection applied. When SSL deep inspection is enabled, a replacement message will appear depending on the protocol. For example, with HTTP2, the blocking is done in the SSL key exchange once the first server packet is delivered and replacement messages can not be displayed.

P2P application detection

P2P software tends to be evasive. You may be able to enhance P2P application detection by matching patterns found in the most recent three minutes of P2P traffic to determine if new traffic is P2P. Three minutes is the length of time information about matched P2P traffic remains in shared memory.

For example, the CLI commands below will result in the Intrusion Prevention System (IPS) looking for patterns formed by Skype traffic.

config application list

edit <app_list_str>

set p2p-black-list skype

end

end