Fortinet black logo

New Features

Protocol Port Enforcement

Copy Link
Copy Doc ID 761d83e3-4a7b-11e9-94bf-00505692583a:508309
Download PDF

Protocol Port Enforcement

Protocol enforcement is added to the Application Control Profile, allowing the admin to configure network services (e.g., FTP, HTTP, HTTPS) on known ports (e.g., 21, 80, 443), while blocking those services on other ports.

The feature takes action in the following scenarios:

  • When one protocol dissector confirms the service of network traffic, protocol enforcement can check whether the confirmed service is whitelisted under the server port. If it is not, then the traffic is considered a violation and IPS can take action (e.g., block) specified in the configuration.
  • There is no confirmed service for the network traffic. It would be considered a service violation if IPS dissectors rule out all the services enforced under its server port.

In Security Profiles > Application Control, a new Network Protocol Enforcement pane lets you create and configure network services on specific ports and set violation action.

To configure the application profile default network service list using CLI:
config application list
    edit "protocol-GUI"
        set other-application-log enable
        set control-default-network-services enable    # Enable enforcement of protocols over select ports.
        config default-network-services                # Default network service entries
            edit 1
                set port 80                            # Port number, port Enter an integer value from <0> to <65535>
                set services http                      # Network protocols: http, ssh, telnet, ftp, dns, smtp, pop3, imap, snmp, nntp and https
            next
            edit 2
                set port 53
                set services dns
                set violation-action monitor           # Set action for protocols not whitelisted under select port: block/pass/monitor
            next
        end
    next
end

Protocol Port Enforcement

Protocol enforcement is added to the Application Control Profile, allowing the admin to configure network services (e.g., FTP, HTTP, HTTPS) on known ports (e.g., 21, 80, 443), while blocking those services on other ports.

The feature takes action in the following scenarios:

  • When one protocol dissector confirms the service of network traffic, protocol enforcement can check whether the confirmed service is whitelisted under the server port. If it is not, then the traffic is considered a violation and IPS can take action (e.g., block) specified in the configuration.
  • There is no confirmed service for the network traffic. It would be considered a service violation if IPS dissectors rule out all the services enforced under its server port.

In Security Profiles > Application Control, a new Network Protocol Enforcement pane lets you create and configure network services on specific ports and set violation action.

To configure the application profile default network service list using CLI:
config application list
    edit "protocol-GUI"
        set other-application-log enable
        set control-default-network-services enable    # Enable enforcement of protocols over select ports.
        config default-network-services                # Default network service entries
            edit 1
                set port 80                            # Port number, port Enter an integer value from <0> to <65535>
                set services http                      # Network protocols: http, ssh, telnet, ftp, dns, smtp, pop3, imap, snmp, nntp and https
            next
            edit 2
                set port 53
                set services dns
                set violation-action monitor           # Set action for protocols not whitelisted under select port: block/pass/monitor
            next
        end
    next
end