application list
Configure an application control list and configure the application options.
History
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.
Command | Description |
---|---|
set extended-log {enable \| disable} | When extended UTM logging is enabled, more HTTP header information is logged when a UTM event happens. The following HTTP header fields are included in the extended log: HTTP method, client content type, server content type, user agent, referer, and x-forward-for. |
```
config application list
    edit {name}
    # Configure application control lists.
        set name {string}   List name. size[35]
        set comment {string}   comments size[255]
        set replacemsg-group {string}   Replacement message group. size[35] - datasource(s): system.replacemsg-group.name
        set extended-log {enable | disable}   Enable/disable extended logging.
        set other-application-action {pass | block}   Action for other applications.
                pass   Allow sessions matching an application in this application list.
                block  Block sessions matching an application in this application list.
        set app-replacemsg {disable | enable}   Enable/disable replacement messages for blocked applications.
        set other-application-log {disable | enable}   Enable/disable logging for other applications.
        set unknown-application-action {pass | block}   Pass or block traffic from unknown applications.
                pass   Pass or allow unknown applications.
                block  Drop or block unknown applications.
        set unknown-application-log {disable | enable}   Enable/disable logging for unknown applications.
        set p2p-black-list {skype | edonkey | bittorrent}   P2P applications to be black listed.
                skype       Skype.
                edonkey     Edonkey.
                bittorrent  Bit torrent.
        set deep-app-inspection {disable | enable}   Enable/disable deep application inspection.
        set options {option}   Basic application protocol signatures allowed by default.
                allow-dns   Allow DNS.
                allow-icmp  Allow ICMP.
                allow-http  Allow generic HTTP web browsing.
                allow-ssl   Allow generic SSL communication.
                allow-quic  Allow QUIC.
        config entries
            edit {id}
            # Application list entries.
                set id {integer}   Entry ID. range[0-4294967295]
                config risk
                    edit {level}
                    # Risk, or impact, of allowing traffic from this application to occur (1 - 5; Low, Elevated, Medium, High, and Critical).
                        set level {integer}   Risk, or impact, of allowing traffic from this application to occur (1 - 5; Low, Elevated, Medium, High, and Critical). range[0-4294967295]
                    next
                config category
                    edit {id}
                    # Category ID list.
                        set id {integer}   Application category ID. range[0-4294967295]
                    next
                config sub-category
                    edit {id}
                    # Application Sub-category ID list.
                        set id {integer}   Application sub-category ID. range[0-4294967295]
                    next
                config application
                    edit {id}
                    # ID of allowed applications.
                        set id {integer}   Application IDs. range[0-4294967295]
                    next
                set protocols {string}   Application protocol filter.
                set vendor {string}   Application vendor filter.
                set technology {string}   Application technology filter.
                set behavior {string}   Application behavior filter.
                set popularity {option}   Application popularity filter (1 - 5, from least to most popular).
                        1  Popularity level 1.
                        2  Popularity level 2.
                        3  Popularity level 3.
                        4  Popularity level 4.
                        5  Popularity level 5.
                config parameters
                    edit {id}
                    # Application parameters.
                        set id {integer}   Parameter ID. range[0-4294967295]
                        set value {string}   Parameter value. size[63]
                    next
                set action {pass | block | reset}   Pass or block traffic, or reset connection for traffic from this application.
                        pass   Pass or allow matching traffic.
                        block  Block or drop matching traffic.
                        reset  Reset sessions for matching traffic.
                set log {disable | enable}   Enable/disable logging for this application list.
                set log-packet {disable | enable}   Enable/disable packet logging.
                set rate-count {integer}   Count of the rate. range[0-65535]
                set rate-duration {integer}   Duration (sec) of the rate. range[1-65535]
                set rate-mode {periodical | continuous}   Rate limit mode.
                        periodical  Allow configured number of packets every rate-duration.
                        continuous  Block packets once the rate is reached.
                set rate-track {option}   Track the packet protocol field.
                        none             none
                        src-ip           Source IP.
                        dest-ip          Destination IP.
                        dhcp-client-mac  DHCP client.
                        dns-domain       DNS domain.
                set session-ttl {integer}   Session TTL (0 = default). range[0-4294967295]
                set shaper {string}   Traffic shaper. size[35] - datasource(s): firewall.shaper.traffic-shaper.name
                set shaper-reverse {string}   Reverse traffic shaper. size[35] - datasource(s): firewall.shaper.traffic-shaper.name
                set per-ip-shaper {string}   Per-IP traffic shaper. size[35] - datasource(s): firewall.shaper.per-ip-shaper.name
                set quarantine {none | attacker}   Quarantine method.
                        none      Quarantine is disabled.
                        attacker  Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
                set quarantine-expiry {string}   Duration of quarantine. (Format ###d##h##m, minimum 1m, maximum 364d23h59m, default = 5m). Requires quarantine set to attacker.
                set quarantine-log {disable | enable}   Enable/disable quarantine logging.
            next
    next
end
```
Additional information
The following section is for those options that require additional explanation.
app-replacemsg {enable | disable}
Enable (by default) or disable replacement messages for blocked applications.
options {allow-dns | allow-icmp | allow-http | allow-ssl | allow-quic}
Set which basic application protocols are allowed by default:
- allow-dns: Allow DNS traffic (set by default).
- allow-icmp: Allow ICMP traffic.
- allow-http: Allow generic HTTP web browsing.
- allow-ssl: Allow generic SSL communication.
- allow-quic: Allow QUIC.
other-application-action {pass | block}
Either pass (by default) or block traffic from other applications.
other-application-log {enable | disable}
Enable or disable (by default) logging traffic from other applications.
p2p-black-list {skype | edonkey | bittorrent}
Add P2P applications to a blocklist.
If p2p-black-list is set to skype, the IPS looks for patterns in new traffic that match patterns in Skype traffic detected within the last three minutes; three minutes is how long information about matched P2P traffic remains in shared memory. If a match is found, the IPS assumes that this new traffic is also Skype traffic.
replacemsg-group <group-name>
Select a replacement message group to use for the control list. To create a replacement message group, see config system replacemsg-group.
unknown-application-action {pass | block}
Either pass (by default) or block traffic from unknown applications.
unknown-application-log {enable | disable}
Enable or disable (by default) logging traffic from unknown applications.
config entries
Configure entries on the application control list.
action {pass | block | reset}
Select the action to apply to matching traffic from the following options:
- pass: Allow traffic from the specified application/s.
- block: Stop traffic from the specified application/s (set by default).
- reset: Reset the network connection.
application <ID>
Set which applications are allowed. Type set application ? to view all options.
behavior {all | 2 | 3 | 5 | 6}
Select the application behaviors filter:
- all: All behaviors (set by default)
- 2: Botnet
- 3: Evasive
- 5: Excessive-Bandwidth
- 6: Tunneling
category <ID>
Set the application category. Type set category ? to view all options.
Use this option to set a specific category to limit the scope of the All setting of the application command. For example, setting category to im and application to All will have the list entry include all IM applications. Similarly, the applications listed with the set application ? command will be limited to the currently configured category.
log {enable | disable}
Enable (by default) or disable logging for traffic from this list entry when action is pass.
log-packet {enable | disable}
Enable or disable (by default) packet logging for traffic from this list entry.
popularity {1 | 2 | 3 | 4 | 5}
Enter the popularity levels of this application, with 1 being the least popular and 5 being the most popular. The default is 1 2 3 4 5.
protocols <ID>
Set which protocols are allowed. Type set protocols ? to view all options. The default is all.
quarantine {none | attacker}
Set quarantine options for when an attack is detected. The default is none.
risk {1 | 2 | 3 | 4 | 5}
Set the risk level for the applications:
- 1: Low
- 2: Elevated
- 3: Medium
- 4: High
- 5: Critical
session-ttl <int>
Set the session TTL. Setting session-ttl to 0 (by default) disables this option, and the session uses the value set in config system session-ttl instead.
sub-category <ID>
Set the application sub-category. Type set sub-category ? to view all options. Enter all to include all sub-categories.
tags <string>
Optionally assign object tags.
technology {All | 0 | 1 | 2 | 4}
Select the technologies involved in these applications:
- All: All technologies (set by default)
- 0: Network-Protocol
- 1: Browser-Based
- 2: Client-Server
- 4: Peer-to-Peer
vendor <ID>
Set which application vendors are allowed. Type set vendor ? to view all options. The default is All. Separate multiple entries with a space.