Application control examples

Application control examples

To help give a better understanding of how to implement Application Control and to give some ideas as to why it would be used, a number of examples of scenarios are included.

 

Blocking all instant messaging

Instant messaging use is not permitted at the Example Corporation. Application control helps enforce this policy. First you will create an application sensor with a single entry that includes all instant messaging applications. You will set the list action to block.

 

To create the application sensor

1. Go to Security Profiles > Application Control.

2. Select the Create New icon in the title bar of the Edit Application Sensor window.

3. In the Name field, enter no_IM for the application sensor name.

4. Left-click on the IM category.

5. From the dropdown select Block.

6. Select OK to save the new sensor. Next you will assign the sensor to a policy.

 

To enable application control and select the application sensor

1. Go to Policy & Objects > IPv4 Policy.

2. Select the security policy that allows the network users to access the Internet and choose Edit.

3. Under the heading Security Profiles toggle the button next to Application Control to turn it on.

4. In the drop down menu field next to the Application Control select the no_IM application sensor.

5. Select OK.

No IM use will be allowed by the security policy. If other firewall policies handle traffic that users could use for IM, enable application control with the no IM application sensor for those as well.

 

Allowing only software updates

Some departments at Example Corporation do not require access to the Internet to perform their duties. Management therefore decided to block their Internet access. Software updates quickly became an issue because automatic updates will not function without Internet access and manual application of updates is time- consuming.

The solution is configuring application control to allow only automatic software updates to access the Internet.

 

To create an application sensor — web-based manager

1. Go to Security Profiles > Application Control.

2. Select the Create New icon in the title bar of the Edit Application Sensor window.

3. In the Name field, enter Updates_Only as the application sensor name.

4. Using the left-click and drop down on the items in the Category lis..

a. Select Monitor from the dropdown menu.

b. Select Block for the rest of the categories.

5. Select OK.

 

To create an application sensor — CLI

config application list edit Updates_Only

config entries edit 1

set category 17 set action pass

end

set other-application-action block set unknown-application-action block

end

 

You will notice that there are some differences in the naming convention between the Web Based Interface and the CLI. For instance the Action in the CLI is “pass” and the Action in the Web Based Manager is “Monitor.

 

Selecting the application sensor in a security policy

An application sensor directs the FortiGate unit to scan network traffic only when it is selected in a security policy. When an application sensor is selected in a security policy, its settings are applied to all the traffic the security policy handles.

 

To select the application sensor in a security policy — web-based manager

1. Go to Policy & Objects > IPv4 Policy.

2. Select a policy.

3. Select the Edit icon.

4. Under the heading Security Profiles toggle the button next to Application Control to turn it on.

5. In the drop down menu field next to the Application Control select the Updates_only list.

6. Select OK.

 

To select the application sensor in a security policy — CLI

config firewall policy edit 1

set utm-status enable

set profile-protocol-options default set application-list Updates_Only

end

Traffic handled by the security policy you modified will be scanned for application traffic. Software updates are permitted and all other application traffic is blocked.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Leave a Reply

Name *
Email *
Website