Fortinet black logo

Cookbook

Cloud application view

Copy Link
Copy Doc ID 9bd2f947-ece6-11ec-bb32-fa163e15d75b:560682
Download PDF

Cloud application view

To see different cloud application views, set up the following:

  • A FortiGate with a firewall policy that uses the Application Control security profile.
  • A FortiGate with log data from the local disk or FortiAnalyzer.
  • Optional but highly recommended: SSL Inspection set to deep-inspection in the related firewall policies.

Viewing cloud applications

Cloud applications

All cloud applications require SSL Inspection set to deep-inspection on the firewall policy. For example, Facebook_File.Download can monitor Facebook download behavior which requires SSL deep-inspection to parse the deep information in the network packets.

To view cloud applications:
  1. Go to Security Profiles > Application Control.
  2. Edit a profile that is used by the firewall policy.
  3. On the Edit Application Sensor page, click View Application Signatures.

  4. On the top right of the Application Signature page, click Cloud to display all cloud signature based applications.

    Cloud applications have a cloud icon beside them.

    The lock icon indicates that that application requires SSL deep inspection.

  5. Hover over an item to see its details.

    This example shows the Gmail_Attachment.Download, a cloud application signature based sensor which requires SSL deep inspection. If any local network user behind the firewall logs into Gmail and downloads a Gmail attachment, that activity is logged.

Applications with cloud behavior

Applications with cloud behavior is a superset of cloud applications.

Some applications do not require SSL deep inspection, such as Facebook, Gmail, YouTube, and so on. This means that if any traffic trigger application sensors for these applications, there is a FortiView cloud application view for that traffic.

Other applications require SSL deep inspection, such as Gmail attachment, Facebook_Workplace, and so on.

To view applications with cloud behavior:
  1. On the Application Signature page, add the Behavior column if it is not already visible:
    1. Hover over the left of the table column headings to display the Configure Table icon.
    2. Click Configure Table and select Behavior.
    3. Click Apply.
  2. Click the Filter icon in the Behavior column and enter Cloud to filter by Cloud, then click Apply.

  3. The Application Signature page displays all applications with cloud behavior.

  4. Use the Search box to search for applications. For example, you can search for youtube.

  5. Hover over an item to see its details.

    This example shows an application sensor with no lock icon which means that this application sensor does not require SSL deep inspection. If any local network user behind the firewall tries to navigates the YouTube website, that activity is logged.

Configuring the Cloud Applications widget

On the Edit Application Sensor page in the Categories section, the icon besides a category means that category is monitored and logged.

To add the Cloud Applications widget:
  1. Go to Dashboard > Top Usage LAN/DMZ.
  2. Move the cursor to the bottom right, click the widget control icon and select Add Widget.
  3. Select FortiView Top N.
  4. In the FortiView dropdown list, select the LAN/DMZ tab and then select Cloud Applications.

  5. Click Add Widget.

  6. If SSL deep inspection is enabled in the related firewall policy, then the widget shows the additional details that are logged, such as Files (Up/Down) and Videos Played.

    For YouTube, the Videos Played column is triggered by the YouTube_Video.Play cloud application sensor. This shows the number of local network users who logged into YouTube and played YouTube videos.

    For Dropbox, the Files (Up/Down) column is triggered by Dropbox_File.Download and Dropbox_File.Upload cloud application sensors. This shows the number of local network users who logged into Dropbox and uploaded or downloaded files.

Using the Cloud Applications widget

To see additional information in the Cloud Applications widget:
  1. In the top right of the widget, click the Expand to full screen icon to see additional information.

  2. For details about a specific entry, double-click the entry or right-click the entry and select Drill Down to Details.

  3. To see all the sessions for an application, click Sessions.

    In this example, the Application Name column shows all applications related to YouTube.

  4. To view log details, double-click a session to display the Log Details pane.

    Sessions monitored by SSL deep inspection (in this example, Youtube_Video.Play) captured deep information such as Application User, Application Details, and so on. The Log Details pane also shows additional deep information such as application ID, Message, and so on.

    Sessions not monitored by SSL deep inspection (YouTube) did not capture the deep information.

  5. In the top right, click the Standalone FortiView page icon to see the page in standalone view.

  6. To display a specific time period, select and drag in the timeline graph to display only the data for that time period.

Cloud application view examples

Example of monitoring network traffic with SSL deep inspection

This is an example of monitoring network traffic for YouTube via FortiView cloud application view with SSL deep inspection.

To monitor network traffic with SSL deep inspection:
  1. Use a firewall policy with the following settings. If necessary, create a policy with these settings.
    • Application Control is enabled.
    • SSL Inspection is set to deep-inspection.
    • Log Allowed Traffic is set to All Sessions.

  2. Go to Security Profiles > Application Control.
  3. Select a relative Application Control profile used by the firewall policy and click View.
  4. Because YouTube cloud applications are categorized into Video/Audio, ensure the Video/Audio category is monitored.

  5. Click View Application Signatures and hover over YouTube cloud applications to view detailed information about YouTube application sensors.

    Application Signature

    Description

    Application ID

    YouTube_Video.Access

    An attempt to access a video on YouTube.

    16420

    YouTube_Video.Play

    An attempt to download and play a video from YouTube.

    38569

    YouTube_Video.Upload

    An attempt to upload a video to YouTube.

    22564

    YouTube

    An attempt to access YouTube.

    This application sensor does not depend on SSL deep inspection so it does not have a cloud or lock icon.

    31077

    YouTube_Channel.Access

    An attempt to access a video on a specific channel on YouTube.

    41598

    YouTube_Channel.ID

    An attempt to access a video on a specific channel on YouTube.

    44956

    YouTube_Comment.Posting

    An attempt to post comments on YouTube.

    31076

  6. On the test PC, log into YouTube and play some videos.
  7. On the FortiGate, go to Log & Report > Application Control and look for log entries for browsing and playing YouTube videos.

    In this example, note the Application User and Application Details. Also note that the Application Control ID is 38569 showing that this entry was triggered by the application sensor YouTube_Video.Play.

  8. Go to Dashboard > Top Usage LAN/DMZ.
  9. In the Top Cloud Application by Bytes widget, double-click YouTube to drill down to view details.
  10. Select the Sessions tab to see all the entries for the videos played. Check the sessions for YouTube_Video.Play with the ID 38569.

Example of monitoring network traffic without SSL deep inspection

This is an example of monitoring network traffic for YouTube via FortiView cloud application view without SSL deep inspection.

To monitor network traffic without SSL deep inspection:
  1. Use a firewall policy with the following settings. If necessary, create a policy with these settings.
    • Application Control is enabled.
    • SSL Inspection is set to certificate-inspection.
    • Log Allowed Traffic is set to All Sessions.

  2. On the test PC, log into YouTube and play some videos.
  3. On the FortiGate, go to Log & Report > Application Control and look for log entries for browsing and playing YouTube videos.

    In this example, the log shows only applications with the name YouTube. The log cannot show YouTube application sensors which rely on SSL deep inspection.

  4. Go to Dashboard > Top Usage LAN/DMZ and check the Top Cloud Application by Bytes widget.

    The Top Cloud Application by Bytes widget shows the YouTube cloud application without the video played information that requires SSL deep inspection.

  5. Double-click YouTube and select the Sessions tab.

    These sessions were triggered by the application sensor YouTube with the ID 31077. This is the application sensor with cloud behavior which does not rely on SSL deep inspection.

Cloud application view

To see different cloud application views, set up the following:

  • A FortiGate with a firewall policy that uses the Application Control security profile.
  • A FortiGate with log data from the local disk or FortiAnalyzer.
  • Optional but highly recommended: SSL Inspection set to deep-inspection in the related firewall policies.

Viewing cloud applications

Cloud applications

All cloud applications require SSL Inspection set to deep-inspection on the firewall policy. For example, Facebook_File.Download can monitor Facebook download behavior which requires SSL deep-inspection to parse the deep information in the network packets.

To view cloud applications:
  1. Go to Security Profiles > Application Control.
  2. Edit a profile that is used by the firewall policy.
  3. On the Edit Application Sensor page, click View Application Signatures.

  4. On the top right of the Application Signature page, click Cloud to display all cloud signature based applications.

    Cloud applications have a cloud icon beside them.

    The lock icon indicates that that application requires SSL deep inspection.

  5. Hover over an item to see its details.

    This example shows the Gmail_Attachment.Download, a cloud application signature based sensor which requires SSL deep inspection. If any local network user behind the firewall logs into Gmail and downloads a Gmail attachment, that activity is logged.

Applications with cloud behavior

Applications with cloud behavior is a superset of cloud applications.

Some applications do not require SSL deep inspection, such as Facebook, Gmail, YouTube, and so on. This means that if any traffic trigger application sensors for these applications, there is a FortiView cloud application view for that traffic.

Other applications require SSL deep inspection, such as Gmail attachment, Facebook_Workplace, and so on.

To view applications with cloud behavior:
  1. On the Application Signature page, add the Behavior column if it is not already visible:
    1. Hover over the left of the table column headings to display the Configure Table icon.
    2. Click Configure Table and select Behavior.
    3. Click Apply.
  2. Click the Filter icon in the Behavior column and enter Cloud to filter by Cloud, then click Apply.

  3. The Application Signature page displays all applications with cloud behavior.

  4. Use the Search box to search for applications. For example, you can search for youtube.

  5. Hover over an item to see its details.

    This example shows an application sensor with no lock icon which means that this application sensor does not require SSL deep inspection. If any local network user behind the firewall tries to navigates the YouTube website, that activity is logged.

Configuring the Cloud Applications widget

On the Edit Application Sensor page in the Categories section, the icon besides a category means that category is monitored and logged.

To add the Cloud Applications widget:
  1. Go to Dashboard > Top Usage LAN/DMZ.
  2. Move the cursor to the bottom right, click the widget control icon and select Add Widget.
  3. Select FortiView Top N.
  4. In the FortiView dropdown list, select the LAN/DMZ tab and then select Cloud Applications.

  5. Click Add Widget.

  6. If SSL deep inspection is enabled in the related firewall policy, then the widget shows the additional details that are logged, such as Files (Up/Down) and Videos Played.

    For YouTube, the Videos Played column is triggered by the YouTube_Video.Play cloud application sensor. This shows the number of local network users who logged into YouTube and played YouTube videos.

    For Dropbox, the Files (Up/Down) column is triggered by Dropbox_File.Download and Dropbox_File.Upload cloud application sensors. This shows the number of local network users who logged into Dropbox and uploaded or downloaded files.

Using the Cloud Applications widget

To see additional information in the Cloud Applications widget:
  1. In the top right of the widget, click the Expand to full screen icon to see additional information.

  2. For details about a specific entry, double-click the entry or right-click the entry and select Drill Down to Details.

  3. To see all the sessions for an application, click Sessions.

    In this example, the Application Name column shows all applications related to YouTube.

  4. To view log details, double-click a session to display the Log Details pane.

    Sessions monitored by SSL deep inspection (in this example, Youtube_Video.Play) captured deep information such as Application User, Application Details, and so on. The Log Details pane also shows additional deep information such as application ID, Message, and so on.

    Sessions not monitored by SSL deep inspection (YouTube) did not capture the deep information.

  5. In the top right, click the Standalone FortiView page icon to see the page in standalone view.

  6. To display a specific time period, select and drag in the timeline graph to display only the data for that time period.

Cloud application view examples

Example of monitoring network traffic with SSL deep inspection

This is an example of monitoring network traffic for YouTube via FortiView cloud application view with SSL deep inspection.

To monitor network traffic with SSL deep inspection:
  1. Use a firewall policy with the following settings. If necessary, create a policy with these settings.
    • Application Control is enabled.
    • SSL Inspection is set to deep-inspection.
    • Log Allowed Traffic is set to All Sessions.

  2. Go to Security Profiles > Application Control.
  3. Select a relative Application Control profile used by the firewall policy and click View.
  4. Because YouTube cloud applications are categorized into Video/Audio, ensure the Video/Audio category is monitored.

  5. Click View Application Signatures and hover over YouTube cloud applications to view detailed information about YouTube application sensors.

    Application Signature

    Description

    Application ID

    YouTube_Video.Access

    An attempt to access a video on YouTube.

    16420

    YouTube_Video.Play

    An attempt to download and play a video from YouTube.

    38569

    YouTube_Video.Upload

    An attempt to upload a video to YouTube.

    22564

    YouTube

    An attempt to access YouTube.

    This application sensor does not depend on SSL deep inspection so it does not have a cloud or lock icon.

    31077

    YouTube_Channel.Access

    An attempt to access a video on a specific channel on YouTube.

    41598

    YouTube_Channel.ID

    An attempt to access a video on a specific channel on YouTube.

    44956

    YouTube_Comment.Posting

    An attempt to post comments on YouTube.

    31076

  6. On the test PC, log into YouTube and play some videos.
  7. On the FortiGate, go to Log & Report > Application Control and look for log entries for browsing and playing YouTube videos.

    In this example, note the Application User and Application Details. Also note that the Application Control ID is 38569 showing that this entry was triggered by the application sensor YouTube_Video.Play.

  8. Go to Dashboard > Top Usage LAN/DMZ.
  9. In the Top Cloud Application by Bytes widget, double-click YouTube to drill down to view details.
  10. Select the Sessions tab to see all the entries for the videos played. Check the sessions for YouTube_Video.Play with the ID 38569.

Example of monitoring network traffic without SSL deep inspection

This is an example of monitoring network traffic for YouTube via FortiView cloud application view without SSL deep inspection.

To monitor network traffic without SSL deep inspection:
  1. Use a firewall policy with the following settings. If necessary, create a policy with these settings.
    • Application Control is enabled.
    • SSL Inspection is set to certificate-inspection.
    • Log Allowed Traffic is set to All Sessions.

  2. On the test PC, log into YouTube and play some videos.
  3. On the FortiGate, go to Log & Report > Application Control and look for log entries for browsing and playing YouTube videos.

    In this example, the log shows only applications with the name YouTube. The log cannot show YouTube application sensors which rely on SSL deep inspection.

  4. Go to Dashboard > Top Usage LAN/DMZ and check the Top Cloud Application by Bytes widget.

    The Top Cloud Application by Bytes widget shows the YouTube cloud application without the video played information that requires SSL deep inspection.

  5. Double-click YouTube and select the Sessions tab.

    These sessions were triggered by the application sensor YouTube with the ID 31077. This is the application sensor with cloud behavior which does not rely on SSL deep inspection.