
Administration Guide

Application matching signature priority

Many applications will match more than one application control signature. When attempting to match a signature to the application traffic, FortiGate evaluates several factors and selects a signature based on the following tie breakers:

  1. Segments are considered in sequential order. The order of the applications within the segment does not matter.

    Segments are groupings of applications and protocols that are all evaluated at the same time for the best match. The default segment is defined by the Category section. Additional segments may be defined using the Application and Filter Overrides section. In the CLI these segments are called entries.

  2. Custom signatures take precedence over FortiGuard signatures.

  3. The signature with the most pre/post-match signature actions is preferred.

    For example, one signature could contain many --deep_ctrl options (used for pattern matching), and each one increments the post-match counter. Similarly, options like --quiet are considered a pre-match action that suppresses logging of the match. See Creating IPS and application control signatures for more attributes.

  4. The application weight.

    For predefined signatures, the weight is defined by FortiGuard signature analysts and is not configurable. Generally, more specific application signatures will have a higher weight than more broad protocol signatures. Not all application signature types (such as protocols) have the same weight.

  5. Signature visibility options. Non-hidden signatures are preferred.

    A signature could have hidden visibility if it is a beta or test signature that is still under false-positive detection evaluation, marked --quiet, or a built-in protocol dissector/peer-to-peer rule.

  6. Pattern counts.

    A comparison between signature --pattern and --pcre count. The signature with more of them is preferred.

  7. ID comparison.

    A comparison between signature IDs. Select the one with a larger, and therefore most likely newer, ID.

Application weight is used the most often to decide the match. To see the weight of applications and protocols, use the get application name status command.
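The seven tie breakers above can be expressed as an ordered comparison. The following is an added illustrative model written for this page, not FortiGate's own matching code. It assumes that each candidate signature can be described by a segment (entry) index, a custom/FortiGuard flag, a count of pre-match and post-match actions (summed, since the text ranks by the total), the weight, a hidden flag, a combined --pattern/--pcre count and the signature ID; the Signature class, its field names and the sample values for a custom signature are assumptions, while the Facebook and SSL weights and IDs are the ones shown in the command output below.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """Hypothetical summary of the attributes the tie breakers look at."""
    name: str
    sig_id: int
    segment: int                # index of the entry (segment) the match came from; lower = evaluated earlier
    custom: bool = False        # custom signature (True) or FortiGuard signature (False)
    prematch_actions: int = 0   # e.g. --quiet
    postmatch_actions: int = 0  # e.g. one per --deep_ctrl
    weight: int = 0             # FortiGuard-assigned weight for predefined signatures
    hidden: bool = False        # beta/test signature, --quiet, or built-in dissector rule
    pattern_count: int = 0      # number of --pattern plus --pcre options


# Names of the tie breakers, in the order the document lists them.
TIE_BREAKERS = ["segment", "custom", "actions", "weight", "visibility", "patterns", "id"]


def priority_key(sig):
    """Tuple that compares larger for the preferred signature; one element per tie breaker."""
    return (
        -sig.segment,                                   # 1. earlier segment wins
        sig.custom,                                     # 2. custom beats FortiGuard
        sig.prematch_actions + sig.postmatch_actions,   # 3. most pre/post-match actions
        sig.weight,                                     # 4. higher application weight
        not sig.hidden,                                 # 5. non-hidden preferred
        sig.pattern_count,                              # 6. more --pattern/--pcre
        sig.sig_id,                                     # 7. larger (newer) ID
    )


def select_signature(candidates):
    """Return the signature FortiGate would prefer among those that matched the same traffic."""
    return max(candidates, key=priority_key)


def deciding_factor(a, b):
    """Name of the first tie breaker on which a and b differ, or None if they are indistinguishable."""
    for name, (x, y) in zip(TIE_BREAKERS, zip(priority_key(a), priority_key(b))):
        if x != y:
            return name
    return None


if __name__ == "__main__":
    # Both signatures matched in the default segment: the weight decides, as the page notes it usually does.
    facebook = Signature("Facebook", 15832, segment=0, weight=10, pattern_count=3)
    ssl = Signature("SSL", 15895, segment=0, weight=1)
    print(select_signature([facebook, ssl]).name, "wins on", deciding_factor(facebook, ssl))
```

Running the block selects Facebook over SSL on weight; adding a custom signature (assumed ID and name) with a lower weight still wins on tie breaker 2, and a protocol signature in an earlier segment beats a higher-weight application signature in a later one.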

The following examples use grep to find specific applications by name. The -A flag is used to include a specific number of lines after the match is found.

# get application name status | grep -A10 "app-name: \"Facebook\""
app-name: "Facebook"
id: 15832
category: "Social.Media"
cat-id: 23
popularity: 5.low
risk: 3.low
weight: 10
shaping: 0
protocol: 1.TCP, 9.HTTP, 2.UDP, 26.SSL
vendor: 3.Meta
technology: 1.Browser-Based
# get application name status | grep -A10 "app-name: \"SSL\""
app-name: "SSL"
id: 15895
category: "Network.Service"
cat-id: 15
popularity: 5.low
risk: 2.high
weight: 1
shaping: 0
protocol: 1.TCP, 26.SSL
vendor: 0.Other
technology: 0.Network-Protocol

Finding the applications belonging to an application category

When you have an application category and you want to find the matching applications, use the following command to list the applications filtered by the category name:

# get application name status | grep 'category: "Email"' -B2
app-name: "1und1.Mail"
id: 29025
category: "Email"
--
app-name: "126.Mail"
id: 16554
category: "Email"
--
app-name: "AIM.Webmail"
id: 15819
category: "Email"
--
....

If you only have the application category ID, you can use the following command to list the applications:

# get application name status | grep 'cat-id: 21' -B3
app-name: "1und1.Mail"
id: 29025
category: "Email"
cat-id: 21
--
app-name: "126.Mail"
id: 16554
category: "Email"
cat-id: 21
--
app-name: "AIM.Webmail"
id: 15819
category: "Email"
cat-id: 21
--
...
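The grep filters above work line by line, so a record that spans many lines has to be reassembled by eye. The following added example (written for this page, not a Fortinet tool) parses saved output of get application name status into one record per application and answers the same questions as the grep commands in this section and the weight lookup before it: find an application by name, list the applications in a category by name or cat-id, and read the weight used by tie breaker 4. The sample text is constructed from the records shown on this page; the Email records carry only the three fields the -B2/-B3 output shows, so the parser has to tolerate missing fields.

```python
import re

# Constructed sample: the records shown in this section, concatenated as the
# command prints them. The Email records are truncated to the fields shown above.
SAMPLE_OUTPUT = """\
app-name: "Facebook"
id: 15832
category: "Social.Media"
cat-id: 23
popularity: 5.low
risk: 3.low
weight: 10
shaping: 0
protocol: 1.TCP, 9.HTTP, 2.UDP, 26.SSL
vendor: 3.Meta
technology: 1.Browser-Based
app-name: "SSL"
id: 15895
category: "Network.Service"
cat-id: 15
popularity: 5.low
risk: 2.high
weight: 1
shaping: 0
protocol: 1.TCP, 26.SSL
vendor: 0.Other
technology: 0.Network-Protocol
app-name: "1und1.Mail"
id: 29025
category: "Email"
cat-id: 21
app-name: "126.Mail"
id: 16554
category: "Email"
cat-id: 21
app-name: "AIM.Webmail"
id: 15819
category: "Email"
cat-id: 21
"""

INT_FIELDS = {"id", "cat-id", "weight", "shaping"}
FIELD_RE = re.compile(r"^([\w-]+):\s*(.*)$")


def parse_app_status(text):
    """Split command output into one dict per application; each app-name line starts a new record."""
    records = []
    current = None
    for raw in text.splitlines():
        m = FIELD_RE.match(raw.strip())
        if not m:
            continue  # grep separators such as "--" or "..." carry no field
        key, value = m.group(1), m.group(2).strip()
        if key == "app-name":
            current = {}
            records.append(current)
        if current is None:
            continue  # field lines before the first app-name line
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        if key in INT_FIELDS:
            value = int(value)
        elif key == "protocol":
            value = [p.strip() for p in value.split(",")]
        current[key] = value
    return records


def find_app(records, name):
    """Record for an application name, or None (the grep -A10 lookup)."""
    for rec in records:
        if rec.get("app-name") == name:
            return rec
    return None


def apps_in_category(records, category=None, cat_id=None):
    """Application names in a category, selected by name and/or cat-id (the grep -B lookups)."""
    names = []
    for rec in records:
        if category is not None and rec.get("category") != category:
            continue
        if cat_id is not None and rec.get("cat-id") != cat_id:
            continue
        names.append(rec["app-name"])
    return names


def weight_of(records, name):
    """Weight used by tie breaker 4; None if the record had no weight line."""
    rec = find_app(records, name)
    return None if rec is None else rec.get("weight")


if __name__ == "__main__":
    recs = parse_app_status(SAMPLE_OUTPUT)
    print(apps_in_category(recs, cat_id=21), weight_of(recs, "Facebook"), weight_of(recs, "SSL"))
```

To use it against a real device, paste the full output of get application name status into a file and pass its contents to parse_app_status; the protocol list is split into its numbered entries so that the protocol signatures an application depends on (here SSL, the lower-weight signature Facebook competes with) can be looked up as well.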
