Working with other FortiOS components

Application Control is not a stand-alone module that is inserted into the OS and works independently of all of the other components; it interacts with the other FortiOS features described below.

WAN Optimization

There is a feature that enables both IPS and Application Control on non-HTTP WAN Optimization traffic and on HTTP-tunneled traffic that passes through HTTP CONNECT. The basic idea is that it hooks a scan connection to a port so that the traffic is redirected to the IPS engine before being forwarded to a different module.

Application control monitor

The application monitor enables you to gain insight into the applications generating traffic on your network. When monitoring is enabled in an application sensor entry and that sensor is selected in a security policy, all the detected traffic required to populate the selected charts is logged to the SQL database on the FortiGate unit hard drive.

The charts are available for display in the executive summary section of the log and report menu.

Because the application monitor relies on a SQL database, the feature is available only on FortiGate units with an internal hard drive.

While the monitor charts are similar to the top application usage dashboard widget, they offer several advantages. The widget data is stored in memory, so when you restart the FortiGate unit the data is cleared. Application monitor data is stored on the hard drive, and restarting the system does not affect old monitor data.

Application monitor allows you to choose to compile data for any or all of three charts: top ten applications by bandwidth use, top ten media users by bandwidth, and top ten P2P users by bandwidth. Further, there is a chart of each type for the traffic handled by each security policy with application monitor enabled. The top application usage dashboard widget shows only the bandwidth used by the top applications since the last system restart.
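To show what the three monitor charts actually tally, here is an added example that is not from the FortiOS handbook and is not FortiGate code: it reproduces the top-applications and top-users-by-category counts offline from app-ctrl log lines. The log lines are constructed for the example; the field names app, appcat, srcip, sentbyte and rcvdbyte follow the FortiGate key=value log format, and the function names are my own.

```python
"""Reproduce the application-monitor charts offline from FortiGate
app-ctrl log lines.  Added example, not part of the FortiOS handbook;
the log lines below are constructed, and the field names (app, appcat,
srcip, sentbyte, rcvdbyte) follow the FortiGate key=value log format."""
import re
from collections import Counter

# Constructed sample records in FortiGate key=value log style (not real traffic).
# The last line is a plain traffic log and must be ignored by the app-ctrl tallies.
SAMPLE_LOGS = """\
date=2016-05-10 time=10:00:01 type="utm" subtype="app-ctrl" srcip=10.0.0.5 app="BitTorrent" appcat="P2P" action="pass" sentbyte=500000 rcvdbyte=1500000
date=2016-05-10 time=10:00:02 type="utm" subtype="app-ctrl" srcip=10.0.0.6 app="YouTube" appcat="Video/Audio" action="pass" sentbyte=20000 rcvdbyte=3000000
date=2016-05-10 time=10:00:03 type="utm" subtype="app-ctrl" srcip=10.0.0.5 app="YouTube" appcat="Video/Audio" action="pass" sentbyte=10000 rcvdbyte=900000
date=2016-05-10 time=10:00:04 type="utm" subtype="app-ctrl" srcip=10.0.0.7 app="BitTorrent" appcat="P2P" action="block" sentbyte=1000 rcvdbyte=0
date=2016-05-10 time=10:00:05 type="utm" subtype="app-ctrl" srcip=10.0.0.8 app="Dropbox" appcat="Storage.Backup" action="pass" sentbyte=700000 rcvdbyte=50000
date=2016-05-10 time=10:00:06 type="traffic" subtype="forward" srcip=10.0.0.9 sentbyte=99999 rcvdbyte=99999
"""

# key=value pairs; values are either "quoted" (group 3) or a bare token (group 2)
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict; quoted values lose their quotes."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in FIELD_RE.finditer(line)}


def app_ctrl_records(text):
    """Yield only app-ctrl records, each with an integer 'bytes' total (sent + received)."""
    for line in text.splitlines():
        rec = parse_line(line)
        if rec.get("subtype") != "app-ctrl":
            continue  # traffic/other subtypes carry no application verdict
        rec["bytes"] = int(rec.get("sentbyte", 0)) + int(rec.get("rcvdbyte", 0))
        yield rec


def top_applications(text, n=10):
    """Top-n applications by total bandwidth, like the 'top applications' chart."""
    totals = Counter()
    for rec in app_ctrl_records(text):
        totals[rec["app"]] += rec["bytes"]
    return totals.most_common(n)


def top_users_in_category(text, category, n=10):
    """Top-n source hosts by bandwidth within one category, like the
    'top media users' (Video/Audio) and 'top P2P users' (P2P) charts."""
    totals = Counter()
    for rec in app_ctrl_records(text):
        if rec.get("appcat") == category:
            totals[rec["srcip"]] += rec["bytes"]
    return totals.most_common(n)


if __name__ == "__main__":
    print("Top applications:", top_applications(SAMPLE_LOGS))
    print("Top P2P users:   ", top_users_in_category(SAMPLE_LOGS, "P2P"))
    print("Top media users: ", top_users_in_category(SAMPLE_LOGS, "Video/Audio"))
```

The per-policy breakdown the monitor also offers would be the same tally keyed on the policyid field, which is present in FortiGate logs but omitted from the constructed sample above to keep it short.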


Enable application control

Application control examines your network traffic for traffic generated by the applications you want it to control.


General configuration steps

Follow the configuration procedures in the order given. Also, note that if you perform any additional actions between procedures, your configuration may have different results.

1. Create an application sensor.

2. Configure the sensor to include the signatures for the application traffic you want the FortiGate unit to detect.

3. Enable any other applicable options.

4. Enable application control in a security policy and select the application sensor.


Creating an application sensor

You need to create an application sensor before you can enable application control.


To create an application sensor

1. Go to Security Profiles > Application Control.

2. Select the Create New icon in the title bar of the Edit Application Sensor window.

3. In the Name field, enter the name of the new application sensor.

4. Optionally, you may also enter a comment.


Adding applications to an application sensor

Once you have created an application sensor, you need to define the applications that you want to control. You can add applications and filters using categories, application overrides, and/or filter overrides. Categories allow you to choose groups of signatures based on a category type. Application overrides allow you to choose individual applications. Filter overrides allow you to select groups of applications and override the application signature settings for them.

To add a category of signatures to the sensor

1. Go to Security Profiles > Application Control.

2. Under Categories, you may select from the following:

  • Botnet
  • Business
  • Cloud.IT
  • Collaboration
  • Email
  • Game
  • General.Interest
  • Mobile
  • Network.Service
  • P2P
  • Proxy
  • Remote.Access
  • Social.Media
  • Storage.Backup
  • Update
  • Video/Audio
  • VoIP
  • Web.Clients
  • Unknown Applications

To choose the action for a category, left-click the icon next to the category name to produce a drop-down menu that includes:

  • Allow
  • Monitor
  • Block
  • Quarantine
  • View Signatures

3. If you wish to add individual applications, select Add Signatures under Application Overrides.

a. Use the Add Filter search field to narrow down the list of possible signatures by a series of attributes.

b. When finished, select Use Selected Signatures.

4. If you wish to add advanced filters, select Add Filter under Filter Overrides.

a. Use the Add Filter search field to narrow down the list of possible filters by a series of attributes.

b. When finished, select Use Filters.

5. Select, if applicable, from the following options:

  • Allow and Log DNS Traffic
  • Replacement Messages for HTTP-based Applications

6. Select OK.

There is also a category called Industrial. This category is disabled by default, but it can be enabled with the CLI command below. Note that none means that no signatures are excluded, and that industrial excludes all Industrial signatures.

CLI Syntax

config ips global
    set exclude-signatures {none | industrial}
end

Creating a New Custom Application Signature

If you have to deal with an application that is not already in the Application List you have the option to create a new one.

1. Go to Security Profiles > Application Control.

2. Select the [View Application Signatures] link in the upper right corner.

3. Select the Create New icon.

4. Give the new signature a name (no spaces) in the Name field.

5. Enter a brief description in the Comments field.

6. Enter the text for the signature in the signature field. Use the rules found in the Custom IPS signature chapter to determine syntax.

7. Select OK.

You can configure rate-based application control signatures in the CLI console using CLI commands similar to the IPS signature rate commands.

For more information on this and the CLI syntax, see IPS signature rate count threshold on page 2169.

Messages in response to blocked applications

Once an Application Control sensor has been configured to block a specified application and applied to a policy, it seems inevitable that at some point an application will end up getting blocked, even if only to test the functionality of the control. When this happens, the sensor can be set either to display a message to the offending user or to block without any notification. The default setting is to display a message. This is configured in the CLI.

config application list
    edit <name of the sensor>
        set app-replacemsg {enable | disable}
end
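As an added example that is not part of the handbook, the following script parses a FortiOS configuration dump and audits the two settings this section configures in the CLI: which application sensors have app-replacemsg disabled (users are blocked without a message) and whether config ips global excludes the Industrial signatures. The configuration text is constructed; the next keyword that closes each edit block is standard FortiOS configuration syntax that the handbook's abbreviated blocks leave out, and the function names are my own.

```python
"""Audit a FortiOS configuration dump for the application-control settings
configured in this section: 'set app-replacemsg' per sensor and
'set exclude-signatures' under 'config ips global'.  Added example, not part
of the handbook; the configuration text below is constructed, and the 'next'
keyword closing each 'edit' block is standard FortiOS config syntax that the
handbook's abbreviated CLI blocks omit."""
import shlex

# Constructed sample: the IPS global setting plus three application sensors.
SAMPLE_CONFIG = """\
config ips global
    set exclude-signatures industrial
end
config application list
    edit "default"
        set comment "Monitor all applications"
        set app-replacemsg enable
    next
    edit "block-p2p"
        set comment "Block P2P silently"
        set app-replacemsg disable
    next
    edit "guest-wifi"
    next
end
"""


def parse_fortios_config(text):
    """Parse the nested config/edit/set/next/end structure into dicts.

    Result shape: {'ips global': {'exclude-signatures': ['industrial']},
                   'application list': {'default': {...}, ...}}
    'set' values are kept as a list of tokens so multi-value settings survive.
    Raises ValueError on unbalanced blocks or unknown keywords.
    """
    root = {}
    stack = [root]                      # innermost open block is stack[-1]
    for raw in text.splitlines():
        tokens = shlex.split(raw)       # honours the "quoted names" FortiOS emits
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif keyword == "set":
            stack[-1][args[0]] = args[1:]
        elif keyword in ("next", "end"):
            if len(stack) == 1:
                raise ValueError("unbalanced %r at top level" % keyword)
            stack.pop()
        else:
            raise ValueError("unexpected keyword %r" % keyword)
    if len(stack) != 1:
        raise ValueError("unterminated config block")
    return root


def sensors_without_replacement_message(config):
    """Names of sensors whose app-replacemsg is explicitly disabled.

    A sensor with no 'set app-replacemsg' line keeps the default, which the
    handbook states is to display a message, so it is not reported.
    """
    sensors = config.get("application list", {})
    return sorted(name for name, sensor in sensors.items()
                  if sensor.get("app-replacemsg") == ["disable"])


def industrial_signatures_excluded(config):
    """True when 'config ips global' sets exclude-signatures to industrial."""
    value = config.get("ips global", {}).get("exclude-signatures", ["none"])
    return value == ["industrial"]


if __name__ == "__main__":
    cfg = parse_fortios_config(SAMPLE_CONFIG)
    print("Sensors blocking silently:", sensors_without_replacement_message(cfg))
    print("Industrial signatures excluded:", industrial_signatures_excluded(cfg))
```

Running the parser over a full "show full-configuration" dump would also pick up unrelated tables; the audit functions only look at the two tables named in this section, so the rest is parsed and ignored.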

This entry was posted in FortiGate, FortiOS, FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
