Application Control – Fortinet FortiGate

Application traffic shaping

You can apply traffic shaping for application list entries you configure to pass. Traffic shaping enables you to limit or guarantee the bandwidth available to the application or applications specified in an application list entry. You can also prioritize traffic by using traffic shaping.

You can create or edit traffic shapers by going to Firewall Objects > Traffic Shaper > Shared. Per-IP traffic shapers are not available for use in application traffic shaping.

Direction of traffic shaping

When Traffic Shaping is enabled, the direction in which traffic shaping is applied must also be chosen.

Forward Direction Traffic Shaping refers to the direction of the initial connection. This is the direction described by the policy that the Application Control sensor is assigned to. If the policy has an Incoming Interface of LAN and an Outgoing Interface of wan1, a Forward Direction Traffic Shaping profile applies only to network traffic heading in that direction. If the connection used by that policy involved a response that included a download of gigabytes of traffic, the shaper would not be applied to that traffic.

Reverse Direction Traffic Shaping is applied to traffic flowing in the direction opposite to that of the policy. If the policy has an Incoming Interface of LAN and an Outgoing Interface of wan1, the shaper would only be applied to the traffic coming from the wan1 interface to the LAN interface.

For example, if you find that your network bandwidth is being overwhelmed by streaming HTTP video, one solution is to limit the bandwidth by applying a traffic shaper to an application control entry that allows the HTTP.Video application. Your users access the Web using a security policy that allows HTTP traffic from the internal interface to the external interface. Firewall policies are required to initiate communication so even though web sites respond to requests, a policy to allow traffic from the external interface to the internal interface is not required for your users to access the Web. The internal to external policy allows them to open communication sessions to web servers, and the external servers can reply using the existing session.

If you enable Traffic Shaping and select the Forward Direction shaper in an application sensor specified in the security policy, the problem will continue. The reason is that the shaper you select for Traffic Shaping is applied only to the application traffic moving in the direction stated in the security policy. In this case, that is from the internal interface to the external interface. The security policy allows the user to visit the web site and start the video, but the video itself is streamed from the server to the user, or from the external interface to the internal interface. This is the reverse of the direction specified in the security policy. To solve the problem, you must enable Reverse Direction Traffic Shaping and select the appropriate shaper.

Shaper re-use

Shapers are created independently of firewall policies and application sensors, so you are free to reuse the same shapers in multiple list entries and policies. Shared shapers can be configured to apply separately to each security policy or across all policies. This means that if a shaper is configured to guarantee 1000 KB/s of bandwidth, either each security policy using the shaper has its own 1000 KB/s reserved, or all of the policies using the shaper share one pool of 1000 KB/s, depending on how it is configured.

The same thing happens when a shaper is used in application sensors. If an application sensor using a shaper is applied to two separate policies, how the bandwidth is limited or guaranteed depends on whether the shaper is set to apply separately to each policy or across all policies. In fact, if a shaper is applied directly to one security policy, and it is also included in an application sensor that is applied to another security policy, the same issue occurs. How the bandwidth is limited or guaranteed depends on the shaper configuration.

If a shaper is used more than once within a single application sensor, all of the applications using the shaper are restricted to the maximum bandwidth or share the same guaranteed bandwidth.

For example, you want to limit the bandwidth used by Skype and Facebook chat to no more than 100 KB/s. Create a shaper, enable Maximum Bandwidth, and enter 100. Then create an application sensor with an entry for Skype and another entry for Facebook chat. Apply the shaper to each entry and select the application sensor in the security policy that allows your users to access both services.

This configuration uses the same shaper for each entry, so Skype and Facebook chat traffic are limited to no more than 100 KB/s in total. That is, traffic from both applications is added and the total is limited to 100 KB/s. If you want to limit Skype traffic to 100 KB/s and Facebook chat traffic to 100 KB/s, you must use separate shapers for each application control entry.
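The HTTP.Video forward/reverse case and the shared-shaper Skype and Facebook chat case above, written out in the FortiGate CLI as an added example; this is not code from the original page or from Fortinet. It assumes the FortiOS 5.0-era keyword names (config firewall shaper traffic-shaper, and config application list with per-entry shaper and shaper-reverse settings), that the GUI action Monitor corresponds to set action pass, and that the numeric application IDs (shown as placeholders) are looked up in the sensor's application list on your own unit. The unit of maximum-bandwidth is version-dependent (KB/s on older firmware, kbps on later releases), so confirm it on your firmware before trusting a number.

```fortios
# Added example, not from the original page or from Fortinet's documentation.
# Assumed keyword names: FortiOS 5.0-era CLI. The bandwidth unit of
# maximum-bandwidth depends on the FortiOS version; check "get" output.

# --- Shaper re-use: one ceiling shared by Skype and Facebook chat ---
config firewall shaper traffic-shaper
    edit "chat-cap-100"
        set maximum-bandwidth 100
        set per-policy enable        # each policy using this shaper gets its own 100
    next
    # Separate shapers are what you need if each application should get 100 on its own.
    edit "skype-cap-100"
        set maximum-bandwidth 100
    next
    edit "fbchat-cap-100"
        set maximum-bandwidth 100
    next
    # --- Ceiling for streamed HTTP video ---
    edit "video-cap"
        set maximum-bandwidth 512    # constructed value
        set priority low
    next
end

config application list
    # Both entries reference the SAME shaper: Skype + Facebook chat are limited to 100 in total.
    edit "chat-shared"
        config entries
            edit 1
                set application <Skype ID>          # placeholder: numeric ID from the sensor's application list
                set action pass                     # GUI "Monitor"
                set log enable
                set shaper "chat-cap-100"
            next
            edit 2
                set application <Facebook chat ID>  # placeholder
                set action pass
                set log enable
                set shaper "chat-cap-100"           # same shaper name => combined limit
            next
        end
    next
    # Each entry references its OWN shaper: 100 for Skype plus 100 for Facebook chat.
    edit "chat-separate"
        config entries
            edit 1
                set application <Skype ID>          # placeholder
                set action pass
                set log enable
                set shaper "skype-cap-100"
            next
            edit 2
                set application <Facebook chat ID>  # placeholder
                set action pass
                set log enable
                set shaper "fbchat-cap-100"
            next
        end
    next
    # Video: the policy is internal -> external, but the stream flows external -> internal,
    # so the shaper must also be set in the reverse direction.
    edit "video-shape"
        config entries
            edit 1
                set application <HTTP.Video ID>     # placeholder
                set action pass
                set log enable
                set shaper "video-cap"              # forward: client requests (small)
                set shaper-reverse "video-cap"      # reverse: the server -> client stream (the bulk)
            next
        end
    next
end
```

The only difference between chat-shared and chat-separate is which shaper name each entry references; that single choice decides whether the two applications compete for one 100 KB/s ceiling or each get their own. For the video case, a forward-only shaper would cap just the request traffic, which is why the same shaper is also set as shaper-reverse.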

Application control monitor

The application monitor enables you to gain an insight into the applications generating traffic on your network. When monitor is enabled in an application sensor entry and the list is selected in a security policy, all the detected traffic required to populate the selected charts is logged to the SQL database on the FortiGate unit hard drive. The charts are available for display in the executive summary section of the log and report menu.

While the monitor charts are similar to the top application usage dashboard widget, they offer several advantages. The widget data is stored in memory, so when you restart the FortiGate unit the data is cleared. Application monitor data is stored on the hard drive, and restarting the system does not affect old monitor data.

Application monitor allows you to choose to compile data for any or all of three charts: top ten applications by bandwidth use, top ten media users by bandwidth, and top ten P2P users by bandwidth. Further, there is a chart of each type for the traffic handled by each security policy with application monitor enabled. The top application usage dashboard widget shows only the bandwidth used by the top applications since the last system restart.

Application Control monitor

Once you have configured application control and associated the sensors with firewall policies, you can monitor the results. The applications reported on are the ones included in sensors that are assigned to firewall policies.

Go to Security Profiles > Monitor > Application Monitor.

Here you will find some widgets that include charts:

  • Top Applications by Bandwidth
  • Top Applications by Session Count
  • Top IP/User for <application>

The number of “Top” can be set to the value of 5, 10 or 15 on any of these widgets.

Enable application control

Application control examines your network traffic for traffic generated by the applications you want it to control.

General configuration steps

Follow the configuration procedures in the order given. Also, note that if you perform any additional actions between procedures, your configuration may have different results.

  1. Create an application sensor.
  2. Configure the sensor to include the signatures for the application traffic you want the FortiGate unit to detect. Configure each entry to allow or pass the traffic.
  3. Enable application control in a security policy and select the application sensor.

Creating an application sensor

You need to create an application sensor before you can enable application control.

To create an application sensor

  1. Go to Security Profiles > Application Control > Application Sensor.
  2. Select the Create New icon in the title bar of the Edit Application Sensor window.
  3. In the Name field, enter the name of the new application sensor.
  4. Optionally, you may also enter a comment.
  5. Select OK.

The application sensor is created and the sensor configuration window appears. A newly created application sensor is empty. Without applications, the application sensor will have no effect.

Adding applications to an application sensor

Once you have created an application sensor, you need to define the applications that you want to control.

You can add applications using application entries and application filters. Entries allow you to choose individual applications. Filters allow you to choose application attributes and all the applications with matching attributes are included in the filter.

The sequence of the entries in the table is significant. The entries are checked against the traffic in sequence, from top to bottom. If a match is found and the action is Block or Reset, the action is performed and further checking stops. If the action is Monitor, the traffic is checked against all of the signatures in the sensor and the best-matching signature is the one that is logged.

To add an application entry to an application sensor

  1. Go to Security Profiles > Application Control > Application Sensors.
  2. Select an application sensor from the drop-down list in the Edit Application Sensor window title bar.
  3. Select the Create New icon in the sensor area. This opens a new window entitled New Application Filter.
  4. Choose the format of the filter. There are two types of entries that can be added to a sensor. The type of entry is determined by the Sensor Type selection: either Filter Based or Specify Applications.
    • Filter Based

This option is for choosing groups of similar applications based on the filters of Category, Popularity, Technology and Risk. Once the parameters of the 4 filter types have been chosen every application that falls in to that filtered list will be included in the list that the Application Control engine will use to filter the network traffic.

  • Specify Applications

This option is better suited to a more granular approach to picking the applications to be filtered. It allows you to use the same filters as the Filter Based option to develop a list of candidate applications, but with Specify Applications you can be selective about which applications in that list are actually filtered: they are selected individually.

The difference in the Web-based Manager, when alternating between the Sensor Types, is that when the Filter Based option is chosen the Filter Options section appears by default. If the Specify Applications sensor type is chosen, you can click the [Filter Options] link to make it appear and use it to narrow down the list of possible applications, but it is not shown by default. The other difference is that with the Specify Applications option you are given an additional field at the top of the Application List that allows you to type the name of an application to search for it.

To use the search field, located above the application list, start typing any portion of the application name. The main list of applications adjusts accordingly.

  5. Narrow down the list of applications to be filtered. This depends somewhat on which Sensor Type was chosen. If the Filter Based option was chosen, by default the top section of the window shows the properties by which the list of application filters can be narrowed into a more manageable list. These properties are broken into 4 sections representing the properties of Category, Popularity, Technology and Risk. Between the property filter section and the Action section of the window there is a listing of the individual application filters that have been configured into the appliance.

Each of these individual application filters is assigned a value for each of the 4 properties. The values that can be assigned to these properties are listed in the 4 sections. By enabling the check boxes next to the properties in the sections, the list can be narrowed down until it includes only the subset of individual application filters that you wish to make up the sensor entry, or Application Filter.

When choosing a property, if the specific value is unknown, do not disable the property section, as this causes the list of individual application filters to be empty.

The properties are broken down into the following sections:

    a. Category

These are the types of application that are available to filter by:

Table 10: Property values listed in the Category section, along with their ID#

Category Name       Category ID#
Botnet              19
eMail               21
File.Sharing        24
Game                8
General.Interest    12
IM                  1
Media               5
Network.Service     15
P2P                 2
Proxy               6
Remote.Access       7
Social.Networking   23
Storage.Backup      22
Update              17
VoIP                3
Web.Surfing         25

There is also a category designation reserved for future use.

These categories should cover the bulk of application-based network traffic. If you wanted to disallow the use of Peer-to-Peer (P2P) applications because you didn’t want your users tying up your bandwidth with torrent downloads, you would select the P2P category and set the Action to Block.

    b. Popularity

Popularity is broken down into 5 levels represented by stars, with 5 stars representing the most popular applications and 1 star representing the least popular. The Popularity property works well when narrowing down the list within one of the categories. Continuing the previous P2P example, if you wanted to monitor the activity of only the most popular P2P applications, which number about 30 as opposed to over 100, you would choose P2P from Category and the 5-star popularity.

    c. Technology

Technology is broken down into 3 technology models, as well as the more basic Network-Protocol, which can be used as a catch-all for anything not covered by the more narrowly defined technologies of:

  • Browser-Based
  • Client-Server
  • Peer-to-Peer

    d. Risk

The Risk property does not indicate the level of risk but the type of impact that is likely to occur by allowing traffic from that application. The Risk list is broken down into the following:

  • Botnet
  • Excessive-Bandwidth
  • None

  6. Pick the individual applications if using the Specify Applications sensor type.

From the list of possible applications, highlight an application by selecting it. If you choose an application in error, you can unhighlight or deselect it by clicking on it again.

If the Filter Based sensor type is being used this will not be an option.

  7. Select the Action the FortiGate unit will take when it detects network traffic from the application:
    • Monitor allows the application traffic to flow normally and log all occurrences.

If you set the action to Monitor, you have the option of enabling traffic shaping for the application or applications specified in this application list entry. For more information about application control traffic shaping, see “Enabling application traffic shaping” on page 152.

  • Block will stop all traffic from the application and log all occurrences.
  • Reset will reset the network connection on the session that the specified application traffic was detected on.
  • Traffic Shaping will allow a Traffic Shaping profile to be applied to the application traffic that triggered the sensor.

Choosing the Traffic Shaping action causes the following secondary options to appear:

  • Forward Direction Traffic Shaping with a checkbox
  • Reverse Direction Traffic Shaping with a checkbox

If the checkbox is enabled for one of these options, a dropdown menu appears next to it that allows you to choose one of the existing Traffic Shaping profiles. If you intend to use Traffic Shaping as an action in Application Control, it is best to set up the Traffic Shaping profiles you will need in advance.
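The whole procedure above (create a sensor, add category-based entries in an order that respects the top-to-bottom matching rule, then attach the sensor to the internal-to-wan1 policy from step 3 of the general configuration) as one CLI listing. This is an added example, not code from the original page or from Fortinet. It assumes FortiOS 5.0-era keyword names (config application list with set category, and set utm-status, set application-list and set profile-protocol-options on the policy); the category IDs are taken from Table 10 on this page, the interface names from the page's own HTTP example, and the sensor name, comment and policy ID are constructed.

```fortios
# Added example, not from the original page or from Fortinet's documentation.
# Assumed keyword names: FortiOS 5.0-era CLI. Category IDs: Table 10 above
# (Botnet 19, P2P 2, Media 5). GUI "Monitor" = "set action pass" + log.

config application list
    edit "user-web-sensor"                     # constructed sensor name
        set comment "constructed example sensor"   # the optional comment from step 4
        config entries
            # Entries are evaluated top to bottom. A Block or Reset match stops
            # further checking, so those entries are placed first.
            edit 1
                set category 19            # Botnet -> block and log every occurrence
                set action block
                set log enable
            next
            edit 2
                set category 2             # P2P -> block torrent-style downloads
                set action block
                set log enable
            next
            edit 3
                set category 5             # Media -> allow, but log usage for the monitor charts
                set action pass
                set log enable
            next
        end
    next
end

# Attach the sensor to the policy that lets users reach the Web
# (internal -> wan1). Replies come back over the same session, so no
# wan1 -> internal policy is needed for web browsing.
config firewall policy
    edit 10                                    # constructed policy ID
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable                  # turns on security-profile inspection
        set application-list "user-web-sensor"
        set profile-protocol-options "default" # required once utm-status is enabled
    next
end
```

Keeping the Block entries above the Monitor entry matters: because Monitor keeps checking every signature before logging the best match, a Monitor entry placed first would not prevent the later Block entries from being reached, but a Block entry placed first ends matching immediately for any traffic it catches.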

