New Features

Filters for application control groups in NGFW mode


When defining application groups in NGFW policy mode, the following group filters are now available: protocols, risk, vendor, technology, behavior, popularity, and category.

config application group
    edit <name>
        set type filter
        set protocols <integer>
        set risk <integer>
        set vendor <id>
        set technology <id>
        set behavior <id>
        set popularity <integer>
        set category <id>
    next
end

protocols <integer>

Application protocol filter (0 - 47, or all).

risk <integer>

Risk or impact of allowing traffic from this application to occur (1 - 5; low (1), elevated (2), medium (3), high (4), and critical (5)).

vendor <id>

Application vendor filter (0 - 25, or all).

technology <id>

Application technology filter:

  • all

  • 0 (network-protocol)

  • 1 (browser-based)

  • 2 (client-server)

  • 4 (peer-to-peer)

behavior <id>

Application behavior filter:

  • all

  • 2 (botnet)

  • 3 (evasive)

  • 5 (excessive bandwidth)

  • 6 (tunneling)

  • 9 (cloud)

popularity <integer>

Application popularity filter (1 - 5, from least to most popular).

category <id>

Application category filter:

  • 2 (P2P)
  • 3 (VoIP)
  • 5 (video/audio)
  • 6 (proxy)
  • 7 (remote access)
  • 8 (game)
  • 12 (general interest)
  • 15 (network service)
  • 17 (update)
  • 21 (email)
  • 22 (storage backup)
  • 23 (social media)
  • 25 (web client)
  • 26 (industrial)
  • 28 (collaboration)
  • 29 (business)
  • 30 (cloud IT)
  • 31 (mobile)
  • 32 (unknown applications)

Sample configurations

In this example, a single filter (risk level 1) is configured in the application group, so only signatures matching this filter will match the security policy.

To configure the application group:

config application group
    edit "risk_1"
        set type filter
        set risk 1
    next
end

To configure the security policy:

config firewall security-policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set status enable
        set schedule "always"
        set enforce-default-app-port disable
        set service "ALL"
        set app-group risk_1
        set logtraffic all
    next
end

In this example, the application group is configured so that only signatures matching both filters, category 5 (video/audio) and technology 1 (browser-based), will match the security policy. The application group can also be configured in a traffic shaping policy.

To configure the application group:

config application group
    edit "two"
        set type filter
        set category 5
        set technology 1
    next
end

To configure the security policy:

config firewall security-policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set status enable
        set schedule "always"
        set enforce-default-app-port disable
        set service "ALL"
        set app-group two
        set logtraffic all
    next
end

To configure the traffic shaping policy:

config firewall shaping-policy
    edit 1
        set ip-version 4
        set service "ALL"
        set app-group two
        set dstintf port1
        set traffic-shaper "max-100"
        set traffic-shaper-reverse "max-100"
        set srcaddr "all"
        set dstaddr "all"
    next
end
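
The following is an added example, not Fortinet code: a Python check for a saved `config application group` block that flags filter values not listed on this page and models the both-filters-must-match behavior of the second sample. The function names, the `typo` group, and the signature attribute dictionaries passed to `signature_matches` are assumptions made for illustration.

```python
# Values documented on this page; "all" is listed only for the filters in ACCEPTS_ALL.
ALLOWED = {
    "protocols": set(range(48)), "vendor": set(range(26)), "technology": {0, 1, 2, 4},
    "risk": set(range(1, 6)), "popularity": set(range(1, 6)), "behavior": {2, 3, 5, 6, 9},
    "category": {2, 3, 5, 6, 7, 8, 12, 15, 17, 21, 22, 23, 25, 26, 28, 29, 30, 31, 32},
}
ACCEPTS_ALL = {"protocols", "vendor", "technology", "behavior"}

def parse_groups(config_text):
    """Return {name: {setting: [values]}} from 'config application group' blocks."""
    groups, inside, name = {}, False, None
    for line in map(str.strip, config_text.splitlines()):
        if line in ("config application group", "end"):
            inside = line != "end"  # any 'end' closes the block being read
        elif inside and line.startswith("edit "):
            name = line[5:].strip().strip('"')
            groups[name] = {}
        elif inside and name and line.startswith("set "):
            key, *values = line.split()[1:]
            groups[name][key] = values
    return groups

def lint_group(settings):
    """Return the 'filter value' pairs that are not among the documented values."""
    problems = [] if settings.get("type") == ["filter"] else ["type is not filter"]
    for key, values in settings.items():
        for v in (values if key != "type" else []):
            listed = v.isdigit() and int(v) in ALLOWED.get(key, ())
            if not (listed or (v == "all" and key in ACCEPTS_ALL)):
                problems.append(f"{key} {v}")
    return problems

def signature_matches(settings, signature):
    """AND across filters; assumes several values on one 'set' line are alternatives."""
    return all("all" in values or str(signature.get(key)) in values
               for key, values in settings.items() if key != "type")

# "two" is the group from this page; "typo" is constructed to show a lint finding.
SAMPLE = """config application group
edit "two"
set type filter
set category 5
set technology 1
next
edit "typo"
set type filter
set technology 3
next
end"""
```

Running `lint_group` over each parsed group before pushing a change catches a mistyped filter ID, which could otherwise leave the group matching a different set of signatures than the policy author intended.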
