Administration Guide

Create or edit a default network service

Protocol enforcement allows you to associate networking services (e.g. FTP, HTTP, HTTPS) with their known ports (e.g. 21, 80, 443). For protocols that are not allowlisted on the selected port, the IPS engine applies the configured violation action (block, allow, or monitor) to that traffic.

This feature can be used in the following scenarios:

  • When a protocol dissector confirms the service of the network traffic, protocol enforcement checks whether the confirmed service is allowlisted under the server port. If it is not allowlisted, the traffic is considered a violation and IPS takes the action specified in the configuration (block or monitor it).

  • When there is no confirmed service for the network traffic, the traffic is considered a service violation if IPS dissectors rule out all of the services enforced under its server port.

In an applicable profile, a default-network-service list can be created to associate well-known ports with the services accepted on them.
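The two decision paths described above, written out as a small model (an added example, not FortiOS code or its configuration syntax; the rule and flow structures, the "allow" result for non-violating traffic, and the sample flows are constructed for illustration):

```python
"""Model of protocol-enforcement decisions against a default-network-service list.

Constructed illustration: each entry maps a server port to its allowlisted
services and a violation action. A flow is judged either by a confirmed
service (scenario 1) or by the services the dissectors have ruled out
(scenario 2). Ports with no entry are not enforced.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class DefaultNetworkService:
    port: int
    services: FrozenSet[str]      # services allowlisted on this port
    violation_action: str         # "block" or "monitor"


@dataclass(frozen=True)
class Flow:
    server_port: int
    confirmed_service: Optional[str] = None          # set once a dissector confirms it
    ruled_out: FrozenSet[str] = frozenset()          # services dissectors have excluded


def enforce(rules: Dict[int, DefaultNetworkService], flow: Flow) -> str:
    """Return "allow", or the port's violation action ("block"/"monitor")."""
    rule = rules.get(flow.server_port)
    if rule is None:
        return "allow"                                # port not enforced
    if flow.confirmed_service is not None:
        # Scenario 1: the confirmed service must be allowlisted on this port.
        return "allow" if flow.confirmed_service in rule.services else rule.violation_action
    # Scenario 2: nothing confirmed yet. It is only a violation once every
    # enforced service on the port has been ruled out.
    return rule.violation_action if rule.services <= flow.ruled_out else "allow"


RULES = {
    21: DefaultNetworkService(21, frozenset({"ftp"}), "block"),
    80: DefaultNetworkService(80, frozenset({"http"}), "block"),
    443: DefaultNetworkService(443, frozenset({"https", "http"}), "monitor"),
}


def demo() -> Dict[str, str]:
    flows = {                                         # constructed sample flows
        "http_on_80": Flow(80, confirmed_service="http"),
        "ssh_on_80": Flow(80, confirmed_service="ssh"),
        "unknown_on_443_partial": Flow(443, ruled_out=frozenset({"https"})),
        "unknown_on_443_all": Flow(443, ruled_out=frozenset({"https", "http"})),
        "unenforced_port": Flow(8080, confirmed_service="ssh"),
    }
    return {name: enforce(RULES, flow) for name, flow in flows.items()}
```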

Default network services can be added or edited, as required.

To create a default network service:
  1. Go to Security Profiles > Application Control.

  2. Click Create New or select an application sensor and then click Edit.

  3. Enable Network Protocol Enforcement.

  4. In the Network Protocol Enforcement section, select Create New.

  5. Enter a port number.

  6. Enter one or more protocols to allow on the specified port.

  7. Select to block or monitor protocols that are not specified in the Enforce protocols field.

  8. Click OK.

To edit a default network service:
  1. Go to Security Profiles > Application Control.

  2. Click Create New or select an application sensor and then click Edit.

  3. Enable Network Protocol Enforcement.

  4. Select the default network service that you want to edit and then click Edit from the toolbar. The Edit Default Network Service window opens.

  5. Edit the information as required and then click OK to apply your changes.
