Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • New Features

    7.0.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0

    Filters for application control groups in NGFW mode

    Filters for application control groups in NGFW mode

    When defining application groups in NGFW policy mode, the following group filters are now available: protocols, risk, vendor, technology, behavior, popularity, and category.

    config application group
    edit <name>
        set type filter
        set protocols <integer>
        set risk <integer>
        set vendor <id>
        set technology <id>
        set behavior <id>
        set popularity <integer>
        set category <id>
    next
end

    protocols <integer>

    Application protocol filter (0 - 47, or all).

    risk <integer>

    Risk or impact of allowing traffic from this application to occur (1 - 5; low (1), elevated (2), medium (3), high (4), and critical (5)).

    vendor <id>

    Application vendor filter (0 - 25, or all).

    technology <id>

    Application technology filter:

    • all

    • 0 (network-protocol)

    • 1 (browser-based)

    • 2 (client-server)

    • 4 (peer-to-peer)

    behavior <id>

    Application behavior filter:

    • all

    • 2 (botnet)

    • 3 (evasive)

    • 5 (excessive bandwidth)

    • 6 (tunneling)

    • 9 (cloud)

    popularity <integer>

    Application popularity filter (1 - 5, from least to most popular).

    category <id>

    Application category filter:

    • 2 (P2P)
    • 3 (VoIP)
    • 5 (video/audio)
    • 6 (proxy)
    • 7 (remote access)
    • 8 (game)
    • 12 (general interest)
    • 15 (network service)
    • 17 (update)
    • 21 (email)
    • 22 (storage backup)
    • 23 (social media)
    • 25 (web client)
    • 26 (industrial)
    • 28 (collaboration)
    • 29 (business)
    • 30 (cloud IT)
    • 31 (mobile)
    • 32 (unknown applications)

    Sample configurations

    In this example, a single filter (risk level 1) is configured in the application group, so only signatures matching this filter will match the security policy.

    To configure the application group:
    config application group
    edit "risk_1"
        set type filter
        set risk 1
    next
end
    To configure the security policy:
    config firewall security-policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set status enable
        set schedule "always"
        set enforce-default-app-port disable
        set service "ALL"
        set app-group risk_1
        set logtraffic all
    next
end

    In this example, the application group is configured so that only signatures matching both filters, category 5 (video/audio) and technology 1 (browser-based), will match the security policy. The application group can also be configured in a traffic shaping policy.

    To configure the application group:
    config application group
    edit "two"
        set type filter
        set category 5
        set technology 1
    next
 end
    To configure the security policy:
    config firewall security-policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set status enable
        set schedule "always"
        set enforce-default-app-port disable
        set service "ALL"
        set app-group two
        set logtraffic all
    next
end
    To configure the traffic shaping policy:
    config firewall shaping-policy
    edit 1 
        set ip-version 4
        set service "ALL"
        set app-group two
        set dstintf port1
        set traffic-shaper "max-100"
        set traffic-shaper-reverse "max-100"
        set srcaddr "all"
        set dstaddr "all"
    next
end
    Previous
    Next

    Filters for application control groups in NGFW mode

    Filters for application control groups in NGFW mode

    When defining application groups in NGFW policy mode, the following group filters are now available: protocols, risk, vendor, technology, behavior, popularity, and category.

    config application group
    edit <name>
        set type filter
        set protocols <integer>
        set risk <integer>
        set vendor <id>
        set technology <id>
        set behavior <id>
        set popularity <integer>
        set category <id>
    next
end

    protocols <integer>

    Application protocol filter (0 - 47, or all).

    risk <integer>

    Risk or impact of allowing traffic from this application to occur (1 - 5; low (1), elevated (2), medium (3), high (4), and critical (5)).

    vendor <id>

    Application vendor filter (0 - 25, or all).

    technology <id>

    Application technology filter:

    • all

    • 0 (network-protocol)

    • 1 (browser-based)

    • 2 (client-server)

    • 4 (peer-to-peer)

    behavior <id>

    Application behavior filter:

    • all

    • 2 (botnet)

    • 3 (evasive)

    • 5 (excessive bandwidth)

    • 6 (tunneling)

    • 9 (cloud)

    popularity <integer>

    Application popularity filter (1 - 5, from least to most popular).

    category <id>

    Application category filter:

    • 2 (P2P)
    • 3 (VoIP)
    • 5 (video/audio)
    • 6 (proxy)
    • 7 (remote access)
    • 8 (game)
    • 12 (general interest)
    • 15 (network service)
    • 17 (update)
    • 21 (email)
    • 22 (storage backup)
    • 23 (social media)
    • 25 (web client)
    • 26 (industrial)
    • 28 (collaboration)
    • 29 (business)
    • 30 (cloud IT)
    • 31 (mobile)
    • 32 (unknown applications)

    Sample configurations

    In this example, a single filter (risk level 1) is configured in the application group, so only signatures matching this filter will match the security policy.

    To configure the application group:
    config application group
    edit "risk_1"
        set type filter
        set risk 1
    next
end
    To configure the security policy:
    config firewall security-policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set status enable
        set schedule "always"
        set enforce-default-app-port disable
        set service "ALL"
        set app-group risk_1
        set logtraffic all
    next
end

    In this example, the application group is configured so that only signatures matching both filters, category 5 (video/audio) and technology 1 (browser-based), will match the security policy. The application group can also be configured in a traffic shaping policy.

    To configure the application group:
    config application group
    edit "two"
        set type filter
        set category 5
        set technology 1
    next
 end
    To configure the security policy:
    config firewall security-policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set status enable
        set schedule "always"
        set enforce-default-app-port disable
        set service "ALL"
        set app-group two
        set logtraffic all
    next
end
    To configure the traffic shaping policy:
    config firewall shaping-policy
    edit 1 
        set ip-version 4
        set service "ALL"
        set app-group two
        set dstintf port1
        set traffic-shaper "max-100"
        set traffic-shaper-reverse "max-100"
        set srcaddr "all"
        set dstaddr "all"
    next
end
    Previous
    Next