Fortinet black logo

CLI Reference

application list

application list

Configure an application control list and configure the application options.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

set extended log {enable | disable}

When extended UTM log is enabled, more HTTP header information will be logged when a UTM event happens.

Note that the following HTTP header fields are included in extended-log: http method, client content type, server content type, user agent, referer, and x-forward-for.

config application list
    edit {name}
    # Configure application control lists.
        set name {string}   List name. size[35]
        set comment {string}   comments size[255]
        set replacemsg-group {string}   Replacement message group. size[35] - datasource(s): system.replacemsg-group.name
        set extended-log {enable | disable}   Enable/disable extended logging.
        set other-application-action {pass | block}   Action for other applications.
                pass   Allow sessions matching an application in this application list.
                block  Block sessions matching an application in this application list.
        set app-replacemsg {disable | enable}   Enable/disable replacement messages for blocked applications.
        set other-application-log {disable | enable}   Enable/disable logging for other applications.
        set unknown-application-action {pass | block}   Pass or block traffic from unknown applications.
                pass   Pass or allow unknown applications.
                block  Drop or block unknown applications.
        set unknown-application-log {disable | enable}   Enable/disable logging for unknown applications.
        set p2p-black-list {skype | edonkey | bittorrent}   P2P applications to be black listed.
                skype       Skype.
                edonkey     Edonkey.
                bittorrent  Bit torrent.
        set deep-app-inspection {disable | enable}   Enable/disable deep application inspection.
        set options {option}   Basic application protocol signatures allowed by default.
                allow-dns   Allow DNS.
                allow-icmp  Allow ICMP.
                allow-http  Allow generic HTTP web browsing.
                allow-ssl   Allow generic SSL communication.
                allow-quic  Allow QUIC.
        config entries
            edit {id}
            # Application list entries.
                set id {integer}   Entry ID. range[0-4294967295]
                config risk
                    edit {level}
                    # Risk, or impact, of allowing traffic from this application to occur (1 - 5; Low, Elevated, Medium, High, and Critical).
                        set level {integer}   Risk, or impact, of allowing traffic from this application to occur (1 - 5; Low, Elevated, Medium, High, and Critical). range[0-4294967295]
                    next
                config category
                    edit {id}
                    # Category ID list.
                        set id {integer}   Application category ID. range[0-4294967295]
                    next
                config sub-category
                    edit {id}
                    # Application Sub-category ID list.
                        set id {integer}   Application sub-category ID. range[0-4294967295]
                    next
                config application
                    edit {id}
                    # ID of allowed applications.
                        set id {integer}   Application IDs. range[0-4294967295]
                    next
                set protocols {string}   Application protocol filter.
                set vendor {string}   Application vendor filter.
                set technology {string}   Application technology filter.
                set behavior {string}   Application behavior filter.
                set popularity {option}   Application popularity filter (1 - 5, from least to most popular).
                        1  Popularity level 1.
                        2  Popularity level 2.
                        3  Popularity level 3.
                        4  Popularity level 4.
                        5  Popularity level 5.
                config parameters
                    edit {id}
                    # Application parameters.
                        set id {integer}   Parameter ID. range[0-4294967295]
                        set value {string}   Parameter value. size[63]
                    next
                set action {pass | block | reset}   Pass or block traffic, or reset connection for traffic from this application.
                        pass   Pass or allow matching traffic.
                        block  Block or drop matching traffic.
                        reset  Reset sessions for matching traffic.
                set log {disable | enable}   Enable/disable logging for this application list.
                set log-packet {disable | enable}   Enable/disable packet logging.
                set rate-count {integer}   Count of the rate. range[0-65535]
                set rate-duration {integer}   Duration (sec) of the rate. range[1-65535]
                set rate-mode {periodical | continuous}   Rate limit mode.
                        periodical  Allow configured number of packets every rate-duration.
                        continuous  Block packets once the rate is reached.
                set rate-track {option}   Track the packet protocol field.
                        none             none
                        src-ip           Source IP.
                        dest-ip          Destination IP.
                        dhcp-client-mac  DHCP client.
                        dns-domain       DNS domain.
                set session-ttl {integer}   Session TTL (0 = default). range[0-4294967295]
                set shaper {string}   Traffic shaper. size[35] - datasource(s): firewall.shaper.traffic-shaper.name
                set shaper-reverse {string}   Reverse traffic shaper. size[35] - datasource(s): firewall.shaper.traffic-shaper.name
                set per-ip-shaper {string}   Per-IP traffic shaper. size[35] - datasource(s): firewall.shaper.per-ip-shaper.name
                set quarantine {none | attacker}   Quarantine method.
                        none      Quarantine is disabled.
                        attacker  Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
                set quarantine-expiry {string}   Duration of quarantine. (Format ###d##h##m, minimum 1m, maximum 364d23h59m, default = 5m). Requires quarantine set to attacker.
                set quarantine-log {disable | enable}   Enable/disable quarantine logging.
            next
    next
end

Additional information

The following section is for those options that require additional explanation.

app-replacemsg {enable | disable}

Enable (by default) or disable replacement messages for blocked applications.

options {allow-dns | allow-icmp | allow-http | allow-ssl}

Set which basic application protocols are allowed by default:

  • allow-dns: Allow DNS traffic (set by default).
  • allow-icmp: Allow ICMP traffic.
  • allow-http: Allow generic HTTP web browsing.
  • allow-ssl: Allow generic SSL communication.

other-application-action {pass | block}

Either pass (by default) or block traffic from other applications.

other-application-log {enable | disable}

Enable or disable (by default) logging traffic from other applications.

p2p-black-list {skype | edonkey | bittorrent}

Add P2P applications to a blocklist.

If p2p-black-list is set to skype, the IPS looks for patterns in new traffic that match patterns in Skype traffic detected within the last three minutes; three minutes is how long information about matched P2P traffic remains in shared memory. If a match is found, the IPS assumes that this new traffic is also Skype traffic.

replacemsg-group <group-name>

Select a replacement message group to use for the control list. To create a replacement message group, see config system replacemsg-group.

unknown-application-action {pass | block}

Either pass (by default) or block traffic from unknown applications.

unknown-application-log {enable | disable}

Enable or disable (by default) logging traffic from unknown applications.

config entries

Configure entries on the application control list.

action {pass | block | reset}

Select the action to apply to matching traffic from the following options:

  • pass: Allow traffic from the specified application/s.
  • block: Stop traffic from the specified application/s (set by default).
  • reset: Reset the network connection.

application <ID>

Set which applications are allowed. Type set application ? to view all options.

behavior {all | 2 | 3 | 5 | 6}

Select the application behaviors filter:

  • all: All behaviors (set by default)
  • 2: Botnet
  • 3: Evasive
  • 5: Excessive-Bandwidth
  • 6: Tunneling

category <ID>

Set the application category. Type set category ? to view all options.

Use this option to set a specific category to limit the scope of the All setting of the application command. For example, setting category to im and application to All will have the list entry include all IM applications. Similarly, the applications listed with the set application ? command will be limited to the currently configured category.

log {enable | disable}

Enable (by default) or disable logging for traffic from this list entry when action is pass.

log-packet {enable | disable}

Enable or disable (by default) packet logging for traffic from this list entry.

popularity {1 | 2 | 3 | 4 | 5}

Enter the popularity levels of this application, with 1 being the least popular and 5 being the most popular. The default is 1 2 3 4 5.

protocols <ID>

Set which protocols are allowed. Type set protocols ? to view all options. The default is all.

quarantine {none | attacker}

Set quarantine options for when an attack is detected. The default is none.

risk {1 | 2 | 3 | 4 | 5}

Set the risk level for the applications:

  • 1: Low
  • 2: Elevated
  • 3: Medium
  • 4: High
  • 5: Critical

session-ttl <int>

Set the Session TTL. Setting session-ttl to 0 (by default) disables this option, and defaults to the option set in config system session-ttl.

sub-category <ID>

Set the application sub-category. Type set sub-category ? to view all options. Enter all to include all sub-categories.

tags <string>

Optionally assign object tags.

technology {All | 0 | 1 | 2 | 4}

Select the technologies involved in these applications:

  • All: All technologies (set by default)
  • 0: Network-Protocol
  • 1: Browser-Based
  • 2: Client-Server
  • 4: Peer-to-Peer

vendor <ID>

Set which application vendors are allowed. Type set vendor ? to view all options. The default is All. Separate multiple entries with a space.

application list

Configure an application control list and configure the application options.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

set extended log {enable | disable}

When extended UTM log is enabled, more HTTP header information will be logged when a UTM event happens.

Note that the following HTTP header fields are included in extended-log: http method, client content type, server content type, user agent, referer, and x-forward-for.

config application list
    edit {name}
    # Configure application control lists.
        set name {string}   List name. size[35]
        set comment {string}   comments size[255]
        set replacemsg-group {string}   Replacement message group. size[35] - datasource(s): system.replacemsg-group.name
        set extended-log {enable | disable}   Enable/disable extended logging.
        set other-application-action {pass | block}   Action for other applications.
                pass   Allow sessions matching an application in this application list.
                block  Block sessions matching an application in this application list.
        set app-replacemsg {disable | enable}   Enable/disable replacement messages for blocked applications.
        set other-application-log {disable | enable}   Enable/disable logging for other applications.
        set unknown-application-action {pass | block}   Pass or block traffic from unknown applications.
                pass   Pass or allow unknown applications.
                block  Drop or block unknown applications.
        set unknown-application-log {disable | enable}   Enable/disable logging for unknown applications.
        set p2p-black-list {skype | edonkey | bittorrent}   P2P applications to be black listed.
                skype       Skype.
                edonkey     Edonkey.
                bittorrent  Bit torrent.
        set deep-app-inspection {disable | enable}   Enable/disable deep application inspection.
        set options {option}   Basic application protocol signatures allowed by default.
                allow-dns   Allow DNS.
                allow-icmp  Allow ICMP.
                allow-http  Allow generic HTTP web browsing.
                allow-ssl   Allow generic SSL communication.
                allow-quic  Allow QUIC.
        config entries
            edit {id}
            # Application list entries.
                set id {integer}   Entry ID. range[0-4294967295]
                config risk
                    edit {level}
                    # Risk, or impact, of allowing traffic from this application to occur (1 - 5; Low, Elevated, Medium, High, and Critical).
                        set level {integer}   Risk, or impact, of allowing traffic from this application to occur (1 - 5; Low, Elevated, Medium, High, and Critical). range[0-4294967295]
                    next
                config category
                    edit {id}
                    # Category ID list.
                        set id {integer}   Application category ID. range[0-4294967295]
                    next
                config sub-category
                    edit {id}
                    # Application Sub-category ID list.
                        set id {integer}   Application sub-category ID. range[0-4294967295]
                    next
                config application
                    edit {id}
                    # ID of allowed applications.
                        set id {integer}   Application IDs. range[0-4294967295]
                    next
                set protocols {string}   Application protocol filter.
                set vendor {string}   Application vendor filter.
                set technology {string}   Application technology filter.
                set behavior {string}   Application behavior filter.
                set popularity {option}   Application popularity filter (1 - 5, from least to most popular).
                        1  Popularity level 1.
                        2  Popularity level 2.
                        3  Popularity level 3.
                        4  Popularity level 4.
                        5  Popularity level 5.
                config parameters
                    edit {id}
                    # Application parameters.
                        set id {integer}   Parameter ID. range[0-4294967295]
                        set value {string}   Parameter value. size[63]
                    next
                set action {pass | block | reset}   Pass or block traffic, or reset connection for traffic from this application.
                        pass   Pass or allow matching traffic.
                        block  Block or drop matching traffic.
                        reset  Reset sessions for matching traffic.
                set log {disable | enable}   Enable/disable logging for this application list.
                set log-packet {disable | enable}   Enable/disable packet logging.
                set rate-count {integer}   Count of the rate. range[0-65535]
                set rate-duration {integer}   Duration (sec) of the rate. range[1-65535]
                set rate-mode {periodical | continuous}   Rate limit mode.
                        periodical  Allow configured number of packets every rate-duration.
                        continuous  Block packets once the rate is reached.
                set rate-track {option}   Track the packet protocol field.
                        none             none
                        src-ip           Source IP.
                        dest-ip          Destination IP.
                        dhcp-client-mac  DHCP client.
                        dns-domain       DNS domain.
                set session-ttl {integer}   Session TTL (0 = default). range[0-4294967295]
                set shaper {string}   Traffic shaper. size[35] - datasource(s): firewall.shaper.traffic-shaper.name
                set shaper-reverse {string}   Reverse traffic shaper. size[35] - datasource(s): firewall.shaper.traffic-shaper.name
                set per-ip-shaper {string}   Per-IP traffic shaper. size[35] - datasource(s): firewall.shaper.per-ip-shaper.name
                set quarantine {none | attacker}   Quarantine method.
                        none      Quarantine is disabled.
                        attacker  Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
                set quarantine-expiry {string}   Duration of quarantine. (Format ###d##h##m, minimum 1m, maximum 364d23h59m, default = 5m). Requires quarantine set to attacker.
                set quarantine-log {disable | enable}   Enable/disable quarantine logging.
            next
    next
end

Additional information

The following section is for those options that require additional explanation.

app-replacemsg {enable | disable}

Enable (by default) or disable replacement messages for blocked applications.

options {allow-dns | allow-icmp | allow-http | allow-ssl}

Set which basic application protocols are allowed by default:

  • allow-dns: Allow DNS traffic (set by default).
  • allow-icmp: Allow ICMP traffic.
  • allow-http: Allow generic HTTP web browsing.
  • allow-ssl: Allow generic SSL communication.

other-application-action {pass | block}

Either pass (by default) or block traffic from other applications.

other-application-log {enable | disable}

Enable or disable (by default) logging traffic from other applications.

p2p-black-list {skype | edonkey | bittorrent}

Add P2P applications to a blocklist.

If p2p-black-list is set to skype, the IPS looks for patterns in new traffic that match patterns in Skype traffic detected within the last three minutes; three minutes is how long information about matched P2P traffic remains in shared memory. If a match is found, the IPS assumes that this new traffic is also Skype traffic.

replacemsg-group <group-name>

Select a replacement message group to use for the control list. To create a replacement message group, see config system replacemsg-group.

unknown-application-action {pass | block}

Either pass (by default) or block traffic from unknown applications.

unknown-application-log {enable | disable}

Enable or disable (by default) logging traffic from unknown applications.

config entries

Configure entries on the application control list.

action {pass | block | reset}

Select the action to apply to matching traffic from the following options:

  • pass: Allow traffic from the specified application/s.
  • block: Stop traffic from the specified application/s (set by default).
  • reset: Reset the network connection.

application <ID>

Set which applications are allowed. Type set application ? to view all options.

behavior {all | 2 | 3 | 5 | 6}

Select the application behaviors filter:

  • all: All behaviors (set by default)
  • 2: Botnet
  • 3: Evasive
  • 5: Excessive-Bandwidth
  • 6: Tunneling

category <ID>

Set the application category. Type set category ? to view all options.

Use this option to set a specific category to limit the scope of the All setting of the application command. For example, setting category to im and application to All will have the list entry include all IM applications. Similarly, the applications listed with the set application ? command will be limited to the currently configured category.

log {enable | disable}

Enable (by default) or disable logging for traffic from this list entry when action is pass.

log-packet {enable | disable}

Enable or disable (by default) packet logging for traffic from this list entry.

popularity {1 | 2 | 3 | 4 | 5}

Enter the popularity levels of this application, with 1 being the least popular and 5 being the most popular. The default is 1 2 3 4 5.

protocols <ID>

Set which protocols are allowed. Type set protocols ? to view all options. The default is all.

quarantine {none | attacker}

Set quarantine options for when an attack is detected. The default is none.

risk {1 | 2 | 3 | 4 | 5}

Set the risk level for the applications:

  • 1: Low
  • 2: Elevated
  • 3: Medium
  • 4: High
  • 5: Critical

session-ttl <int>

Set the Session TTL. Setting session-ttl to 0 (by default) disables this option, and defaults to the option set in config system session-ttl.

sub-category <ID>

Set the application sub-category. Type set sub-category ? to view all options. Enter all to include all sub-categories.

tags <string>

Optionally assign object tags.

technology {All | 0 | 1 | 2 | 4}

Select the technologies involved in these applications:

  • All: All technologies (set by default)
  • 0: Network-Protocol
  • 1: Browser-Based
  • 2: Client-Server
  • 4: Peer-to-Peer

vendor <ID>

Set which application vendors are allowed. Type set vendor ? to view all options. The default is All. Separate multiple entries with a space.