
Port enforcement check

Most networking applications run on specific ports. For example, SSH runs on port 22, and Facebook runs on ports 80 and 443.

If default application port enforcement (enforce-default-app-port) is enabled in the Application Control profile, a port enforcement check is done at the application profile level, and any detected application signature running on a non-standard TCP/IP port is blocked. This means that each application allowed by the application control sensor is only permitted on its default port.

To set the port enforcement check in the CLI:
config application list
    edit "default_port"
        set enforce-default-app-port {enable | disable}
            disable        Disable default application port enforcement.
            enable         Enable default application port enforcement.
        config entries
            edit 1
                set application 15896
                set action pass
            next
        end
    next
end

For example, when the above application control sensor is applied, FTP traffic on the standard port (port 21) is allowed, while FTP traffic on a non-standard port (port 2121) is blocked.
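To show how the enforcement flag changes the verdict for the FTP case above, here is an added model (not Fortinet code) that parses the sensor block from this page, with the {enable | disable} placeholder resolved to enable, and evaluates flows on port 21 and port 2121. The default-port table, the rule that applications without a sensor entry are blocked, and the sample flows are assumptions of the model.

```python
"""Model of FortiOS application-control port enforcement (added example, not Fortinet code).

Parses the CLI block from this page, with enforce-default-app-port set to a concrete
value, and evaluates flows as the text describes: an application the sensor passes
is only allowed on its default port while enforcement is enabled.
"""
import re

# Constructed table: application signature ID -> default ports.
# 15896 is the FTP entry from the page's sensor; port 21 per the page's example.
DEFAULT_PORTS = {15896: {21}}

# The page's sensor, with the {enable | disable} placeholder resolved to "enable".
SENSOR_CLI = """\
config application list
    edit "default_port"
        set enforce-default-app-port enable
        config entries
            edit 1
                set application 15896
                set action pass
            next
        end
    next
end
"""

def parse_sensor(cli):
    """Extract the enforcement flag and per-application actions from CLI text."""
    sensor = {"enforce": False, "apps": {}}
    current_app = None
    for line in (l.strip() for l in cli.splitlines()):
        if m := re.match(r"set enforce-default-app-port (enable|disable)$", line):
            sensor["enforce"] = m.group(1) == "enable"
        elif m := re.match(r"set application (\d+)$", line):
            current_app = int(m.group(1))
        elif (m := re.match(r"set action (pass|block)$", line)) and current_app is not None:
            sensor["apps"][current_app] = m.group(1)
    return sensor

def check_flow(sensor, app_id, dst_port):
    """Return 'pass' or 'block' for a detected application signature on dst_port."""
    # Model assumption: applications without a sensor entry are blocked.
    if sensor["apps"].get(app_id, "block") != "pass":
        return "block"
    if sensor["enforce"] and dst_port not in DEFAULT_PORTS.get(app_id, {dst_port}):
        return "block"  # allowed application, but seen on a non-standard port
    return "pass"
```

Flipping the flag to disable in SENSOR_CLI makes the port 2121 flow pass again, which is the behaviour to watch for when auditing sensors that allow FTP.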