Configuring profiles
Application control examines your network traffic for traffic generated by the applications you want to control. The configuration steps outlined below apply to FortiGate units operating in proxy-based inspection mode, or in flow-based inspection mode with profile-based NGFW mode.
General configuration steps
Follow the configuration procedures in the order given. If you perform any additional actions between procedures, your configuration may produce different results.
- Create an application sensor.
- Configure the sensor to include the signatures for the application traffic you want the FortiGate unit to detect.
- Enable any other applicable options.
- Enable application control in a security policy and select the application sensor.
Creating an application sensor
You need to create an application sensor before you can enable application control.
To create an application sensor
- Go to Security Profiles > Application Control.
- Select the Create New icon in the title bar of the Edit Application Sensor window.
- In the Name field, enter the name of the new application sensor.
- Optionally, enter descriptive Comments.
Adding applications to an application sensor
Once you have created an application sensor, you need to define the applications that you want to control. You can add applications and filters using categories, application overrides, and/or filter overrides. Categories let you choose groups of signatures by category type. Application overrides let you choose individual applications. Filter overrides let you select groups of applications by attribute and override the application signature settings for them.
To add categories, applications, and filters to the sensor
- Go to Security Profiles > Application Control.
- Under Categories, you may select from the following:
- Business
- Cloud.IT
- Collaboration
- Game
- General.Interest
- Industrial
- Mobile
- Network.Service
- P2P
- Proxy
- Remote.Access
- Social.Media
- Storage.Backup
- Update
- Video/Audio
- VoIP
- Web.Client
- Unknown Applications
To set the action for a category, click the icon next to the category name to open a drop-down menu with these actions:
- Allow
- Monitor
- Block
- Quarantine
- View Signatures
These actions are briefly defined under Actions.
- If you wish to add individual applications, select Add Signatures under Application Overrides.
- Use the Add Filter search field to narrow down the list of possible signatures by a series of attributes.
- When finished, select Use Selected Signatures.
- If you wish to add advanced filters, select Add Filter under Filter Overrides.
- Use the Add Filter search field to narrow down the list of possible filters by a series of attributes.
- When finished, select Use Filters.
- Select, if applicable, from the following options:
- Allow and Log DNS Traffic
- Replacement Messages for HTTP-based Applications
- Select OK.
The Industrial category is disabled by default, but it can be enabled with the CLI command below. Setting exclude-signatures to none means no signatures are excluded; setting it to industrial excludes all Industrial signatures.
CLI Syntax
config ips global
    set exclude-signatures [none | industrial]
end
Applying the application sensor to a security policy
An application sensor directs the FortiGate unit to scan network traffic only when it is selected in a security policy. When an application sensor is selected in a security policy, its settings are applied to all the traffic the security policy handles.
To select the application sensor in a security policy — GUI
- Go to Policy & Objects > IPv4 Policy.
- Select a policy.
- Click the Edit icon.
- Under the Security Profiles heading, toggle the button next to Application Control to enable the feature.
- In the drop-down menu next to Application Control, select the application sensor you wish to apply to the policy.
- Select OK.
Creating a new custom application signature
If you need to handle an application that is not already in the Application List, you can create a new application signature.
- Go to Security Profiles > Application Control.
- Select the [View Application Signatures] link in the upper right corner.
- Select the Create New icon.
- Give the new signature a name (no spaces) in the Name field.
- Enter a brief description in the Comments field.
- Enter the text for the signature in the Signature field.
- Select OK.
Note: You can configure rate-based application control signatures in the CLI Console using the same commands used for IPS signature rates. For more information and the CLI syntax, see IPS signature rate count threshold.
Messages in response to blocked applications
Once an application control sensor that blocks a specified application has been applied to a policy, some traffic will eventually be blocked, if only when you test the control. When this happens, the sensor can either display a message to the offending user or block the traffic without any notification. The default setting is to display a message. This is configured in the CLI:
config application list
    edit <name of the sensor>
        set app-replacemsg {enable | disable}
    next
end
Note: When blocking applications, there is no replacement message for SSL traffic with certificate inspection applied. When SSL deep inspection is enabled, whether a replacement message appears depends on the protocol. For example, with HTTP/2 the block happens during the SSL key exchange, once the first server packet is delivered, so a replacement message cannot be displayed.
P2P application detection
P2P software tends to be evasive. You can improve P2P application detection by having the FortiGate match new traffic against patterns found in the most recent three minutes of traffic already identified as P2P. Three minutes is how long information about matched P2P traffic remains in shared memory.
For example, the CLI commands below cause the Intrusion Prevention System (IPS) to look for patterns formed by Skype traffic.
config application list
    edit <app_list_str>
        set p2p-black-list skype
    next
end
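The following added example (not Fortinet's code, and not from the page) ties the four general configuration steps together with the replacement-message and P2P settings above: it renders, from a small declarative spec, the FortiOS CLI for an application sensor with per-category actions, app-replacemsg and p2p-black-list settings, plus the firewall policy fragment that selects the sensor. Only config application list, set app-replacemsg and set p2p-black-list appear on the page; the remaining keywords (config entries, set category, set action, set log, set utm-status, set application-list, set ssl-ssh-profile), the mapping of the GUI actions Allow/Monitor/Block onto them, the numeric category IDs, and the certificate-inspection profile name are assumptions to check against the CLI reference for your FortiOS version. Validation rejects the mistakes the GUI would also refuse (a name with spaces, an unknown category or action).

```python
"""Render FortiOS CLI for an application sensor and the policy that applies it.

Added example, not Fortinet's code. Category IDs, the GUI-to-CLI action
mapping and the SSL/SSH profile name are assumptions (see comments).
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed mapping of the GUI actions on the page to the 'config entries'
# keywords: GUI action -> (set action, set log).
GUI_ACTIONS = {
    "Allow": ("pass", "disable"),
    "Monitor": ("pass", "enable"),
    "Block": ("block", "enable"),
}

# Constructed placeholder IDs. Numeric category IDs come from the signature
# database on the unit; read them under View Application Signatures before
# using the rendered output.
CATEGORY_IDS: Dict[str, int] = {"P2P": 2, "Proxy": 6, "Remote.Access": 7}

# Assumed name of the default certificate-inspection SSL/SSH profile.
SSL_PROFILE = "certificate-inspection"


@dataclass
class SensorSpec:
    name: str                      # sensor name, no spaces (GUI rule on the page)
    comment: str = ""
    categories: Dict[str, str] = field(default_factory=dict)  # category -> GUI action
    replacemsg: bool = True        # set app-replacemsg enable|disable
    p2p_black_list: List[str] = field(default_factory=list)   # e.g. ["skype"]


def validate(spec: SensorSpec) -> None:
    """Reject specs the FortiGate would refuse or silently misinterpret."""
    if not spec.name or " " in spec.name:
        raise ValueError("sensor name must be non-empty and contain no spaces")
    for cat, act in spec.categories.items():
        if cat not in CATEGORY_IDS:
            raise ValueError(f"unknown category {cat!r}; add its ID to CATEGORY_IDS")
        if act not in GUI_ACTIONS:
            raise ValueError(f"unknown action {act!r}; use Allow, Monitor or Block")


def render_sensor(spec: SensorSpec) -> str:
    """Emit 'config application list' for the sensor (steps 1 to 3 on the page)."""
    validate(spec)
    out = ["config application list", f'    edit "{spec.name}"']
    if spec.comment:
        out.append(f'        set comment "{spec.comment}"')
    out.append(f"        set app-replacemsg {'enable' if spec.replacemsg else 'disable'}")
    if spec.p2p_black_list:
        out.append("        set p2p-black-list " + " ".join(spec.p2p_black_list))
    out.append("        config entries")
    # Entry numbers are assigned in spec order; entries are evaluated top-down.
    for entry_id, (cat, gui_action) in enumerate(spec.categories.items(), start=1):
        action, log = GUI_ACTIONS[gui_action]
        out += [
            f"            edit {entry_id}",
            f"                set category {CATEGORY_IDS[cat]}",
            f"                set action {action}",
            f"                set log {log}",
            "            next",
        ]
    out += ["        end", "    next", "end"]
    return "\n".join(out)


def render_policy(policy_id: int, sensor_name: str) -> str:
    """Emit the policy fragment that selects the sensor (step 4 on the page)."""
    return "\n".join([
        "config firewall policy",
        f"    edit {policy_id}",
        "        set utm-status enable",
        f'        set ssl-ssh-profile "{SSL_PROFILE}"',
        f'        set application-list "{sensor_name}"',
        "    next",
        "end",
    ])


if __name__ == "__main__":
    spec = SensorSpec(
        name="block-p2p-proxy",
        comment="Block P2P and proxies, monitor remote access",
        categories={"P2P": "Block", "Proxy": "Block", "Remote.Access": "Monitor"},
        p2p_black_list=["skype"],
    )
    print(render_sensor(spec))
    print(render_policy(1, spec.name))
```

Keeping the spec separate from the rendering makes the intended policy reviewable as data (which categories are blocked, which are only monitored, whether users see a replacement message) before any CLI is pasted into a unit, and the same spec can be re-rendered after the category IDs have been confirmed on the target firmware.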