Basic category filters and overrides

Once you have created an application sensor, you can define the applications that you want to control. You can add applications and filters using categories, application overrides, and/or filter overrides.

  • Categories: Choose groups of signatures based on a category type.
  • Application overrides: Choose individual applications.
  • Filter overrides: Select groups of applications and override the application signature settings for them.

Categories

Categories allow you to choose groups of signatures based on a category type. Applications belonging to the category trigger the action that is set for the category.

To set category filters in the CLI:
config application list
    edit {id}
        config entries
            edit 1
                set category <id>
                    ID           Select Category ID
                    2            P2P
                    3            VoIP
                    5            Video/Audio
                    6            Proxy
                    7            Remote.Access
                    8            Game
                    12           General.Interest
                    15           Network.Service
                    17           Update
                    21           Email
                    22           Storage.Backup
                    23           Social.Media
                    25           Web.Client
                    26           Industrial
                    28           Collaboration
                    29           Business
                    30           Cloud.IT
                    31           Mobile
                set action {pass | block | reset}
                    pass     Pass or allow matching traffic.
                    block    Block or drop matching traffic.
                    reset    Reset sessions for matching traffic.
                set log {enable | disable}
            next
        end
    next
end

To set category filters in the GUI:
  1. Go to Security Profiles > Application Control.
  2. Under Categories, left-click the icon next to the category name to view a dropdown of actions:
    • Allow
    • Monitor
    • Block
    • Quarantine
    • View signatures
  3. Select OK.

Application and filter overrides

Override type: Application
  • Type: Choose Application for application overrides.
  • Action: Can be set to Monitor/Allow/Block/Quarantine.
  • Application: Multiple app signatures can be added for one entry. A slide-in presenting an application list will be shown to select specific app signatures, and the search box can be used to filter matched signatures.

Override type: Filter
  • Type: Choose Filter for filter overrides.
  • Action: Can be set to Monitor/Allow/Block/Quarantine.
  • Filter: Filters can be selected by behavior, application category, technology, popularity, protocol, risk, or vendor subtypes.
  • Search box: Can be used to determine if the input signature is included in selected filters, where matched applications are shown at the bottom.

To set overrides in the CLI:
config application list
    edit {id}
        config entries
            edit 1
                set protocols <0-47>    #network protocol ID
                set risk <id>
                    *level    Risk of allowing traffic from this application to occur (1 - 5; Low, Elevated, Medium, High, and Critical).
                set vendor <0-25>       #vendor ID
                set technology <id>
                    All          All
                    0            Network-Protocol
                    1            Browser-Based
                    2            Client-Server
                    4            Peer-to-Peer
                set behavior <id>
                    All          All
                    2            Botnet
                    3            Evasive
                    5            Excessive-Bandwidth
                    6            Tunneling
                    9            Cloud
                set popularity <1-5>    #Popularity level 1-5
                set action {pass | block | reset}
                    pass     Pass or allow matching traffic.
                    block    Block or drop matching traffic.
                    reset    Reset sessions for matching traffic.
                set log {enable | disable}
            next
        end
    next
end

To set overrides in the GUI:
  1. Go to Security Profiles > Application Control.
  2. Under the Application and Filter Overrides table, click Create New.
  3. To add individual applications:
    1. Select Application as the Type.
    2. Choose an action to be associated with the application.
    3. Click the + button in the Application field and choose the specific applications from the list where app signatures are displayed. Multiple applications may be selected.
    4. Click OK.
  4. To add advanced filters:
    1. Create another entry in the Application and Filter Overrides table.
    2. Select Filter as the Type.
    3. Select Cloud under the behavior section from the Select Entries list.
      Matched signatures are shown along the bottom.
    4. Click OK.
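
The following is an added example, not part of the Fortinet documentation: a Python check that parses a config application list block in the CLI syntax shown above and reports entries that pass traffic with logging explicitly disabled. The sensor name and the sample config are constructed, the ID tables are a subset of the lists above, and only explicitly set values are checked (defaults are not inferred).

```python
CATEGORY = {"2": "P2P", "6": "Proxy", "7": "Remote.Access"}  # subset of this page's ID list
BEHAVIOR = {"2": "Botnet", "3": "Evasive", "6": "Tunneling"}  # subset of this page's ID list
# Constructed sample config; "example-sensor" is a hypothetical sensor name.
SAMPLE = """config application list
    edit "example-sensor"
        config entries
            edit 1
                set category 6
                set action pass
                set log disable
            next
            edit 2
                set behavior 2
                set action block
            next
        end
    next
end
"""

def parse_entries(text):
    """Flatten a `config application list` block into one dict per entry."""
    entries, sensor, entry, in_entries = [], None, None, False
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] == ["config", "entries"]:
            in_entries = True
        elif tok[:1] == ["edit"] and in_entries:
            entry = {"sensor": sensor, "id": tok[1]}      # entry inside a sensor
        elif tok[:1] == ["edit"]:
            sensor = tok[1].strip('"')                    # sensor (application list) name
        elif tok[:1] == ["set"] and entry is not None:
            entry[tok[1]] = " ".join(tok[2:])             # keep multi-value settings intact
        elif tok[:1] == ["next"] and entry is not None:
            entries.append(entry)
            entry = None
        elif tok[:1] == ["end"]:
            in_entries = False
    return entries

def audit(entries):
    """Return entries that pass traffic with logging explicitly disabled."""
    out = []
    for e in entries:
        if (e.get("action"), e.get("log")) == ("pass", "disable"):
            key, table = ("category", CATEGORY) if "category" in e else ("behavior", BEHAVIOR)
            names = [table.get(i, i) for i in e.get(key, "").split()]
            out.append((e["sensor"], e["id"], key, names))
    return out
```

For the sample above, audit(parse_entries(SAMPLE)) reports entry 1, which passes the Proxy category without logging.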
