FortiWLC – Application Visibility (DPI)

Application Visibility (DPI)

You can monitor and/or block specific application traffic in your network. FortiWLC (SD) can monitor and restrict access to the applications and services listed under Configuration > Access Control > Application.

Limitations and Recommendations
  • To export DPI statistics to a FortiWLM server, the export destination port must be set to 4739.
  • If the total number of ESS profiles and APs in the controller is already at the maximum allowed, a policy cannot be created. When configuring each policy:
  • A policy can be applied to at most 64 ESS profiles. Tip: To support this maximum, ensure that each ESS name is 15 characters or less.
  • A policy can be applied to at most 186 APs. To support this maximum, the AP IDs must be within the 1 to 500 AP ID range. Tip: To maximize AP coverage, create AP groups and use them instead of listing individual APs.
  • BitTorrent downloads can be monitored but cannot be blocked.
  • In a custom application, BitTorrent traffic cannot be monitored or blocked.
  • Advanced detection of sub-protocol traffic is resource intensive, so use it in moderation.
  • Do not delete a custom application (under the Settings > Custom Application tab in Application). Deleting a custom application can result in an incorrect top 10 applications display in the dashboard.
  • A custom application is monitored by default even if it is not mapped to a policy, but to be blocked it must be added to a policy.
  • Setting up application monitoring or blocking requires you to enable DPI and create the appropriate policies.

To set up and use the application monitoring:

  1. Enable Application Visibility
  2. Create Policies
  3. Associate system defined and/or custom applications to policies
Enable Application Visibility

To enable DPI, go to Configuration > Applications > Settings tab

  1. Select ON for Enable Application Classification. This is a global setting and enables DPI on all APs.
  2. Export Interval is a non-configurable field that is set to 90 seconds.
  3. Export Destination: Specify or edit (if automatically pushed by Network Manager) the IP address of the Network Manager server. Statistics are exported to this server.
  4. To export values to Fortinet Network Manager, select Enable Netflow Export and specify the Fortinet Network Manager server IP (Export Destination).
Creating a Policy

You can create policies to monitor and block the traffic of one or more applications. A policy can be scoped to one of the following:

  • All ESS profiles
  • Per ESS profile
  • All APs
  • Per AP
  • Per AP Group
  • ESS and AP Combination
Example

The following procedure (illustrated with screenshots in the original guide) creates a policy that blocks Yelp traffic from clients connected to the sdpi-832-t ESS profile via AP-3.

  1. Click the ADD button to view application lists
  2. Select the application from the list and click ADD button
  3. Select Block from the dropdown list and click SAVE button
List of policies
  • Policy: The status (enabled or disabled) of the policy.
  • Advanced Detection: Select enable to view sub-protocols of a system defined application or protocol.
  • Application ID List: The system defined and/or custom applications that are blocked or monitored by the policy. Blocked applications are shown in red and applications that are only monitored are shown in green.
  • ESSID List: The ESS profiles configured for this policy. The policy applies to clients that connect using one of these ESS profiles and access a listed application.
  • AP Groups or APs: The APs and AP groups configured for this policy. The policy applies to clients that connect via one of these APs or AP groups and access a listed application.
  • Owner: The owner is either controller or NMS. If the policy is created in the controller, the owner is listed as controller.
  • Search: To locate a specific policy by Name, AP, ESS, or owner, enter the keyword in the search box and press Enter. The rows that match the keyword are highlighted. To filter the display by Status, select the status from the dropdown to highlight the corresponding rows.
  • Policy Reordering: Policies are evaluated in the order they are displayed. To reorder policy priority, click the Reorder button and use the arrows in the action column to move policies up or down the list. You must save for the reorder to take effect.

In the following illustration, the ESSID MTS and APID AP-8 appear in both corporate-1 and corporate-2 policies. The corporate-1 policy allows Facebook traffic and corporate-2 blocks Facebook traffic. Since corporate-1 is higher in the order than corporate-2, Facebook will be allowed and not blocked. However, for AP-10 Facebook will be blocked as per corporate-2 policy.
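The precedence rule described above, as an added example that is not part of the FortiWLC guide: a small Python resolver that walks the policies in display order and returns the first policy whose ESSID list and AP list cover the client and whose application list contains the application. The Policy structure, the "*" wildcard for "all ESS profiles / all APs", and the corp-grp AP group are assumptions for illustration; the policy names corporate-1 and corporate-2, the ESSID MTS and the APs AP-8 and AP-10 are taken from the guide's illustration.

```python
# Added example (not from the FortiWLC guide): first-match evaluation of
# application visibility policies in display order. The controller's real
# matching logic is not published; this reproduces the behaviour the guide
# describes for overlapping policies (corporate-1 above corporate-2).
from dataclasses import dataclass

ALL = "*"  # assumption: wildcard meaning "all ESS profiles" / "all APs"


@dataclass
class Policy:
    name: str
    essids: set      # ESS profile names, or {ALL}
    aps: set         # individual AP IDs and/or AP-group names, or {ALL}
    appids: dict     # application name -> "A" (allow/monitor) or "B" (block)
    enabled: bool = True


def _covers(selector, value, groups):
    """True if the selector list covers the value directly, via the wildcard,
    or (for APs) through an AP group listed in the policy."""
    if ALL in selector or value in selector:
        return True
    return any(value in groups.get(g, ()) for g in selector)


def resolve(policies, essid, ap, app, ap_groups=None):
    """Return (policy_name, action) from the first enabled policy, in display
    order, that covers the client's ESSID and AP and lists the application.
    Traffic no policy covers is neither blocked nor monitored: (None, "A")."""
    ap_groups = ap_groups or {}
    for p in policies:
        if not p.enabled or app not in p.appids:
            continue
        if _covers(p.essids, essid, {}) and _covers(p.aps, ap, ap_groups):
            return p.name, p.appids[app]
    return None, "A"


# The guide's illustration: both policies list ESSID MTS and AP-8 for Facebook.
POLICIES = [
    Policy("corporate-1", {"MTS"}, {"AP-8"}, {"facebook": "A"}),
    Policy("corporate-2", {"MTS"}, {"AP-8", "corp-grp"}, {"facebook": "B"}),
]
AP_GROUPS = {"corp-grp": {"AP-10", "AP-11"}}  # assumed AP group (see the AP-group tip above)


def worked_example():
    """AP-8 hits corporate-1 first (allowed); AP-10 only matches corporate-2
    through the AP group (blocked); swapping the order flips AP-8 to blocked;
    a client on another ESSID matches nothing."""
    return {
        "AP-8": resolve(POLICIES, "MTS", "AP-8", "facebook", AP_GROUPS),
        "AP-10": resolve(POLICIES, "MTS", "AP-10", "facebook", AP_GROUPS),
        "reordered": resolve(list(reversed(POLICIES)), "MTS", "AP-8", "facebook", AP_GROUPS),
        "other-ess": resolve(POLICIES, "Guest", "AP-8", "facebook", AP_GROUPS),
    }


if __name__ == "__main__":
    for case, result in worked_example().items():
        print(f"{case:>10}: {result}")
```

The "reordered" case is the point of the Policy Reordering control: moving corporate-2 above corporate-1 changes the outcome for AP-8 without touching either policy.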

Custom Applications

Custom applications are user-defined applications that are not part of the system defined applications. You can add a maximum of 32 applications in the controller and a maximum of 32 applications on Network Manager.

A custom application is a combination of one or more of the following:

  • Predefined L4 and L7 protocols
  • Source and/or Destination Ports
  • User Agents
  • Any HTTP/HTTPS URL
  • Destination IP
Creating a Custom Application and assigning it to a Policy
  1. To create a custom application, go to Application > Settings > Custom Applications and click Add.
  2. Enter the properties for the custom application and click Save. In this simple example, traffic from www.bbc.com will be monitored.
  3. Add the custom application to a policy using the same steps as in "Example" above. In sub-step 4 of the figure, scroll to the very end of the application list to locate the custom application, select it, and then select the policy setting.
DPI Dashboard

The DPI dashboard shows applications that are configured for monitoring (detect) only. Applications that are blocked are not displayed in the dashboard as they are dropped by the AP.

  1. The graph displays a pie chart with the top 10 applications (by usage) that are monitored.
  2. The list of top 10 stations that are connected to one or more of the top 10 applications. This does not represent the usage of a specific application by the station.
  3. List of APs that are passing traffic for one or more of the top 10 applications
  4. List of ESS profiles that are passing traffic for one or more of the top 10 applications
  5. This table lists the top 10 application and displays numerical (integer) statistics about number of stations, ESS profiles, APs and traffic size in bytes.
  6. This table shows historical data for application traffic in the last 24 hours.
Using CLI
Creating a Policy
  1. In config mode, use the app-visibility-policy <policy-name> command.
  2. Enable the policy with the state enable command.
  3. Specify the application ID and the rule type with appids <application-ID>:<type>:
  • Use A to allow the traffic and monitor its usage.
  • Use B to block the traffic.
  4. A single policy can contain both monitor (A) and block (B) rules.

mc1500(15)(config)# app-visibility-policy CorpNet
mc1500(15)(config-app-visibility-policy)# description ""
mc1500(15)(config-app-visibility-policy)# state enable
mc1500(15)(config-app-visibility-policy)# appids 6:B
mc1500(15)(config-app-visibility-policy)# essids stability
mc1500(15)(config-app-visibility-policy)# apids "5:A"
mc1500(15)(config-app-visibility-policy)# owner controller
mc1500(15)(config-app-visibility-policy)# version 0
mc1500(15)(config-app-visibility-policy)# exit

To view the policies and rule types that apply to a specific AP, use the show application-visibility policy-config-service <ap-id> command. In the output below the argument 5 is the AP ID; the ESSID and APPID columns are numeric IDs, and APPID 6 is blocked as configured in the CorpNet policy above.

mc1500(15)# show application-visibility policy-config-service 5

AP      ESSID   APPID   Action
5       1       2       Allow
5       1       5       Allow
5       1       6       Block
5       1       8       Allow
5       1       24      Allow
5       1       32      Allow
5       1       41      Allow
5       1       70      Allow
        Application Visibility Policy Service(8)

Legends

Figure 71: DPI Config Option Legends

Label   Description
A       When used for an application, allow, detect, and monitor the application traffic.
B       When used for an application, detect and block the application traffic.
A       When used as an AP-ID, refers to adding an individual AP.
L       Used to add an AP group to a policy.

Monitoring Policies

mc1500(15)# sh service-summary Application-Visibility

Feature                 Type            Name                    Value   ValueStr
Application-Visibility  Application     myspace                 100     {"util":3006.76,"tx":6943001576,"rx":257651566}
Application-Visibility  Application     amazon_cloud            0       {"util":474.84,"tx":1093389603,"rx":43774451}
Application-Visibility  Application     facebook                0       {"util":184.00,"tx":421673492,"rx":18973696}
Application-Visibility  Application     twitter                 0       {"util":164.58,"tx":358628579,"rx":35513363}
Application-Visibility  Application     unknown                 0       {"util":97.92,"tx":221291109,"rx":13202213}
Application-Visibility  Application     amazon_shop             0       {"util":77.81,"tx":162324404,"rx":24026568}
Application-Visibility  Application     linkedin                0       {"util":48.60,"tx":109814218,"rx":6565367}
Application-Visibility  Application     youtube                 0       {"util":1.34,"tx":2910287,"rx":292302}
Application-Visibility  Station         58:94:6b:b5:ca:c4       100     {"util":591.86,"tx":1364192275,"rx":53208638}
Application-Visibility  Station         00:27:10:cb:90:40       0       {"util":571.51,"tx":1317000065,"rx":51657115}
Application-Visibility  Station         10:0b:a9:44:f6:ac       0       {"util":297.04,"tx":681777356,"rx":29579769}
Application-Visibility  Station         24:77:03:80:4c:60       0       {"util":294.30,"tx":676177538,"rx":28620457}
Application-Visibility  Station         84:3a:4b:48:1e:c0       0       {"util":291.67,"tx":668985331,"rx":29513381}
Application-Visibility  Station         24:77:03:80:2e:48       0       {"util":287.46,"tx":660217415,"rx":28188180}
Application-Visibility  Station         08:11:96:7d:cf:80       0       {"util":286.78,"tx":657504303,"rx":29271859}
Application-Visibility  Station         24:77:03:80:a4:40       0       {"util":281.94,"tx":646183947,"rx":29009375}
Application-Visibility  Station         24:77:03:80:5f:54       0       {"util":280.23,"tx":645624714,"rx":25475052}
Application-Visibility  Station         24:77:03:85:b4:50       0       {"util":279.89,"tx":641592459,"rx":28689908}
Application-Visibility  EssId           stability               100     {"util":4055.84,"tx":9313033268,"rx":399999526}
Application-Visibility  AP              AP-109                  100     {"util":4055.84,"tx":9313033268,"rx":399999526}
        Service Data Summary(20 entries)

mc1500(15)# sh application-visibility application-summary

APPID   Name            Station Counts  AP Counts   ESS Counts  Tx Bytes        Rx Bytes        TxRx Bytes
5       myspace         12              1           1           7274981850      269918317       7544900167
24      amazon_cloud    13              1           1           1149026229      45994062        1195020291
2       facebook        13              1           1           443832821       19962877        463795698
8       twitter         13              1           1           375850987       37259491        413110478
0       unknown         20              1           1           233565871       13899667        247465538
70      amazon_shop     13              1           1           170637983       25318821        195956804
41      linkedin        12              1           1           115430025       6896689         122326714
32      youtube         13              1           1           3022484         304784          3327268
        Application Visibility Statistics Summary(8)

mc1500(15)# sh service-summary-trend Application-Visibility

Feature                 Type            Name            StartTime            EndTime              Value      ValueStr
Application-Visibility  Application     myspace         01/17/2009 01:00:00  01/17/2009 02:00:00  370191907  {"util":254501.59,"tx":3561906268,"rx":140012805}
Application-Visibility  Application     amazon_cloud    01/17/2009 01:00:00  01/17/2009 02:00:00  523131985  {"util":35964.57,"tx":502700232,"rx":20431753}
Application-Visibility  Application     twitter         01/17/2009 01:00:00  01/17/2009 02:00:00  221967525  {"util":15259.95,"tx":202733592,"rx":19233933}
Application-Visibility  Application     facebook        01/17/2009 01:00:00  01/17/2009 02:00:00  220636588  {"util":15168.45,"tx":210304218,"rx":10332370}
Application-Visibility  Application     unknown         01/17/2009 01:00:00  01/17/2009 02:00:00  113502079  {"util":7803.10,"tx":106412520,"rx":7089559}
Application-Visibility  Application     amazon_shop     01/17/2009 01:00:00  01/17/2009 02:00:00  106703142  {"util":7335.69,"tx":93322094,"rx":13381048}
Application-Visibility  Application     linkedin        01/17/2009 01:00:00  01/17/2009 02:00:00  58696435   {"util":4035.30,"tx":55165018,"rx":3531417}
Application-Visibility  Application     youtube         01/17/2009 01:00:00  01/17/2009 02:00:00  1454576    {"util":100.00,"tx":1315107,"rx":139469}
Application-Visibility  Application     myspace         01/17/2009 02:00:00  01/17/2009 03:00:00  781850640  {"util":264335.11,"tx":7508697893,"rx":309808509}
Application-Visibility  Application     amazon_cloud    01/17/2009 02:00:00  01/17/2009 03:00:00  112454581  {"util":38019.66,"tx":1078606475,"rx":45939338}
Application-Visibility  Application     facebook        01/17/2009 02:00:00  01/17/2009 03:00:00  472612999  {"util":15978.53,"tx":448955762,"rx":23657237}
Application-Visibility  Application     twitter         01/17/2009 02:00:00  01/17/2009 03:00:00  442033093  {"util":14944.65,"tx":401239344,"rx":40793749}
Application-Visibility  Application     amazon_shop     01/17/2009 02:00:00  01/17/2009 03:00:00  229558452  {"util":7761.12,"tx":202329371,"rx":27229081}
Application-Visibility  Application     unknown         01/17/2009 02:00:00  01/17/2009 03:00:00  215482783  {"util":7285.24,"tx":200402948,"rx":15079835}
Application-Visibility  Application     linkedin        01/17/2009 02:00:00  01/17/2009 03:00:00  125984872  {"util":4259.41,"tx":118235346,"rx":7749526}
Application-Visibility  Application     youtube         01/17/2009 02:00:00  01/17/2009 03:00:00  2957801    {"util":100.00,"tx":2659330,"rx":298471}
Application-Visibility  Application     myspace         01/17/2009 03:00:00  01/17/2009 04:00:00  859492100  {"util":269614.13,"tx":8269499897,"rx":325421104}
Application-Visibility  Application     amazon_cloud    01/17/2009 03:00:00  01/17/2009 04:00:00  116518953  {"util":36550.84,"tx":1119128571,"rx":46060960}
Application-Visibility  Application     facebook        01/17/2009 03:00:00  01/17/2009 04:00:00  461844358  {"util":14487.60,"tx":440897736,"rx":20946622}
Application-Visibility  Application     twitter         01/17/2009 03:00:00  01/17/2009 04:00:00  408573605  {"util":12816.55,"tx":369504893,"rx":39068712}
Application-Visibility  Application     unknown         01/17/2009 03:00:00  01/17/2009 04:00:00  237048541  {"util":7435.98,"tx":221824322,"rx":15224219}
Application-Visibility  Application     amazon_shop     01/17/2009 03:00:00  01/17/2009 04:00:00  204090068  {"util":6402.10,"tx":178965615,"rx":25124453}
Application-Visibility  Application     linkedin        01/17/2009 03:00:00  01/17/2009 04:00:00  121917540  {"util":3824.43,"tx":114827231,"rx":7090309}
Application-Visibility  Application     youtube         01/17/2009 03:00:00  01/17/2009 04:00:00  3187860    {"util":100.00,"tx":2879796,"rx":308064}
        Service Data Summary Trend(24 entries)
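The service-summary output above is the raw material for any monitoring you build on top of DPI, so here is an added example (not from the guide) of parsing it in Python: each row's ValueStr is a JSON object with util, tx and rx, and in a pasted capture a long row often wraps onto the next line, as it does in the guide's own output. The parser re-joins wrapped rows by brace counting, normalises the curly quotes that web copies introduce, and then ranks entries by bytes. The SAMPLE text is a constructed subset of the guide's rows; the function names are assumptions.

```python
# Added example (not from the FortiWLC guide): parse "sh service-summary
# Application-Visibility" output into numbers that can be shipped to a SIEM or
# compared between runs.
import json
import re

# Constructed sample: a subset of the guide's rows, including two rows whose
# ValueStr wrapped onto the following line (linkedin, youtube).
SAMPLE = """\
Feature                 Type            Name                    Value   ValueStr
Application-Visibility  Application     myspace                 100     {"util":3006.76,"tx":6943001576,"rx":257651566}
Application-Visibility  Application     facebook                0       {"util":184.00,"tx":421673492,"rx":18973696}
Application-Visibility  Application     linkedin                0
{"util":48.60,"tx":109814218,"rx":6565367}
Application-Visibility  Application     youtube                 0       {"util":
1.34,"tx":2910287,"rx":292302}
Application-Visibility  Station         58:94:6b:b5:ca:c4       100     {"util":591.86,"tx":1364192275,"rx":53208638}
Application-Visibility  Station         00:27:10:cb:90:40       0       {"util":571.51,"tx":1317000065,"rx":51657115}
Application-Visibility  Station         10:0b:a9:44:f6:ac       0
{"util":297.04,"tx":681777356,"rx":29579769}
        Service Data Summary(7 entries)
"""

# Feature, Type, Name and Value are fixed columns; whatever follows is ValueStr.
ROW = re.compile(
    r"^Application-Visibility\s+(?P<type>\w+)\s+(?P<name>\S+)\s+(?P<value>\d+)\s*(?P<json>.*)$"
)


def _balanced(text):
    """True once the buffered ValueStr contains a complete JSON object."""
    return text.count("{") > 0 and text.count("{") == text.count("}")


def parse_service_summary(text):
    """Return one dict per row: type, name, value, util, tx, rx (tx/rx in bytes)."""
    rows, pending, buf = [], None, ""
    for raw in text.splitlines():
        # Web copies turn the JSON quotes into curly quotes; undo that first.
        line = raw.strip().replace("\u201c", '"').replace("\u201d", '"')
        if not line:
            continue
        m = ROW.match(line)
        if m:
            pending, buf = m.groupdict(), m["json"]
        elif pending is not None:
            buf += line              # continuation of a wrapped ValueStr
        else:
            continue                 # header or trailer line
        if pending is not None and _balanced(buf):
            stats = json.loads(buf)
            rows.append({"type": pending["type"], "name": pending["name"],
                         "value": int(pending["value"]), "util": float(stats["util"]),
                         "tx": int(stats["tx"]), "rx": int(stats["rx"])})
            pending, buf = None, ""
    return rows


def bytes_by_name(rows, kind):
    """Total tx+rx bytes per entry of one Type (Application, Station, EssId, AP)."""
    return {r["name"]: r["tx"] + r["rx"] for r in rows if r["type"] == kind}


def top_talkers(rows, kind, n=3):
    """Names of the n entries of the given Type with the most bytes."""
    totals = bytes_by_name(rows, kind)
    return sorted(totals, key=totals.get, reverse=True)[:n]


def share(rows, kind, name):
    """Fraction of all bytes of the given Type attributed to one entry."""
    totals = bytes_by_name(rows, kind)
    return totals[name] / sum(totals.values())


if __name__ == "__main__":
    parsed = parse_service_summary(SAMPLE)
    print(len(parsed), "rows parsed")
    print("top stations:", top_talkers(parsed, "Station"))
    print("myspace share of application bytes: %.1f%%" % (100 * share(parsed, "Application", "myspace")))
```

Because the dashboard only shows monitored (not blocked) applications and only the top 10, a periodic scrape of this command is the way to keep a complete, time-stamped record of which stations drive which application traffic.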

Additional capabilities in Application Visibility include the following:

  • Blocked traffic statistics
  • Support for wired clients using port profile
  • Bandwidth throttling
  • DSCP Markings
Blocked Statistics

The dashboard now provides detailed statistics on blocked traffic.

The BLOCKED APPLICATIONS section provides the following statistics:

  • Application Name: The application traffic set to be blocked.
  • # of Active Users: The number of users requesting access to the application.
  • # of Active APs: The APs that block the traffic.
  • # of ESSIDs / Port: The ESSID and Port profile connected to the wireless and wired clients.
  • Utilization: Shows how much traffic is blocked.
Support for Wired Clients

You can add port profiles so that wired clients are included in detect, block, or bandwidth-control policies. The policy page lists the port profiles created in the controller. A policy can be created with a mix of ESSID and port profiles, with ESS profiles only, or with port profiles only. The following example creates a policy for wired ports via the CLI and then views its details:

default(15)# configure terminal
default(15)(config)# app-visibility-policy wiredPorts
default(15)(config-app-visibility-policy)# port-profiles wired-profile
default(15)(config-app-visibility-policy)# state enable
default(15)(config-app-visibility-policy)# appids *
default(15)(config-app-visibility-policy)# advanced-detection enable

You can use comma separated values to add multiple port profiles.

Example: default(15)(config-app-visibility-policy)# port-profiles wiredprofile,default

View Policy Details

default(15)# sh application-visibility policy wiredPorts

Application Visibility Policy
Policy Name         : wiredPorts
Policy Order        : 2
Description         :
Policy              : enable
Advanced Detection  : enable
Bandwidth Limiting  : disable
Application ID List : *
ESSID List          :
AP Groups or APs    :
Owner               : controller
Port Profile List   : wired-profile
default(15)#

Bandwidth Throttling

You can enforce bandwidth usage limits on selected applications.

  1. To enable bandwidth throttle, create a policy and select Enable option for Bandwidth Limits.
  2. Select ESSID or Port Profile.
  3. Specify maximum bandwidth limits for clients and SSID/Port.

                        Minimum     Maximum
Client                  150 kbps    1 Gbps
ESSID / Port Profile    150 kbps    12 Gbps

Limitations:

  • Bandwidth throttle can be implemented on a maximum of 10 applications (individually or cumulatively across policies).
  • When enabled the bandwidth throttling policy is applicable to all APs. AP and AP group selection is not available.
  • The maximum bandwidth value configured for a client usage must be less than or equal to the value configured in ESSID or port traffic usage.
  • Supported only for client traffic with tunnelled profile.
DSCP Markings

You can now add a DSCP value to application traffic (upstream: AP to controller and downstream: AP to station) to change its priority. The DSCP value for the selected application is used to mark the detected application traffic (to wireless or wired STA).

When a DSCP value is applied to application traffic, this value and the associated priority is maintained till the next node in the traffic. If the traffic carrying the DSCP value encounters a QoS-aware switch, then the DSCP value may be overridden by a QoS value specified by the switch.

For downstream traffic, the DSCP value is applied by the controller before forwarding to the AP. This is supported for ESSIDs in tunnelled mode only.

 NOTE: DSCP markings can be added to a maximum of 10 applications (includes all policies).

To assign DSCP value to application traffic, do the following:

  1. Go to Configuration > Access Control > Application > Policies tab.
  2. Click the Add button to add a new Policy.

In the new Policy enter the following details

  1. Name for the policy.
  2. Select Enable to activate the policy
  3. Select ESS profile
  4. Select AP or AP group
  5. Now click the add icon to view list of applications
  6. Select the applications to be marked with DSCP values.
  7. For the listed application, you can specify individual DSCP values from the dropdown under DSCP Marking column.
Valid DSCP value strings
  • af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43
  • cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7
  • ef
  • no

For more details about DSCP values, see: https://tools.ietf.org/html/rfc4594

CLI Commands

To enable DSCP marking for downstream traffic, use the following command:

default(15)(config)# app-visibility-config controller-dscp-marking-state enable

The following command format configures DSCP marking and specifies bandwidth restrictions:

<app-id>:A or B|C:<per-client-bw-value>:<bw-unit>|E:<per-ess-bw-value>:<bw-unit>|D:<dscp-string>

  • Application ID – <app-id>
  • Rule type (A – allow, B – block) – <A or B>
  • Per-client bandwidth limit – C:<bw-value>:<bw-unit> [Supported units K, M, G]
  • Per-ESSID bandwidth limit – E:<bw-value>:<bw-unit> [Supported units K, M, G]
  • DSCP value – D:<dscp-value-string> [One of the valid DSCP value strings listed above]

Example:

2:A|C:150:K|E:1:M|D:af11

The above rule allows traffic for the application with ID 2, limits the bandwidth of that application to 150 kbps per client and 1 Mbps per ESS profile, and sets the DSCP marking for its upstream traffic to af11.
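A rule string that is malformed or outside the documented limits is easiest to catch before it is typed into the controller, so here is an added example (not from the guide, and not Fortinet code) of a Python validator for the appids format above. It enforces what this page states: units K, M and G; 150 kbps to 1 Gbps per client and 150 kbps to 12 Gbps per ESSID or port profile; a per-client limit no larger than the per-ESSID limit; only the listed DSCP strings; and at most 10 applications with bandwidth throttling and at most 10 with DSCP marking across all policies (from the Bandwidth Throttling and DSCP Markings sections). The function names and the policies dictionary are assumptions; decimal K/M/G multipliers are assumed.

```python
# Added example (not from the FortiWLC guide): validate appids rule strings
# against the limits the guide documents before pushing a policy set.
import re

UNIT_KBPS = {"K": 1, "M": 1_000, "G": 1_000_000}  # assumption: decimal units
CLIENT_KBPS = (150, 1_000_000)        # 150 kbps .. 1 Gbps per client
ESS_KBPS = (150, 12_000_000)          # 150 kbps .. 12 Gbps per ESSID / port profile
MAX_THROTTLED_APPS = 10               # bandwidth throttling, across all policies
MAX_DSCP_APPS = 10                    # DSCP marking, across all policies
DSCP_VALUES = (
    {f"af{c}{d}" for c in (1, 2, 3, 4) for d in (1, 2, 3)}
    | {f"cs{i}" for i in range(8)}
    | {"ef", "no"}
)

# <app-id>:A|B followed by zero or more |C:..., |E:..., |D:... parts.
RULE = re.compile(r"^(?P<app>\d+):(?P<action>[AB])(?P<opts>(?:\|[CED]:[^|]*)*)$")


def _kbps(spec, key):
    """Convert '<value>:<K|M|G>' to kbps."""
    value, sep, unit = spec.partition(":")
    if not (sep and value.isdigit() and unit in UNIT_KBPS):
        raise ValueError(f"{key}: expected <value>:<K|M|G>, got {spec!r}")
    return int(value) * UNIT_KBPS[unit]


def _check_range(kbps, lo_hi, key):
    lo, hi = lo_hi
    if not lo <= kbps <= hi:
        raise ValueError(f"{key}: {kbps} kbps is outside {lo}..{hi} kbps")


def parse_rule(rule):
    """Parse one appids rule string into a dict; raise ValueError if invalid."""
    m = RULE.match(rule)
    if not m:
        raise ValueError(f"malformed rule {rule!r}")
    out = {"app": int(m["app"]), "action": m["action"],
           "client_kbps": None, "ess_kbps": None, "dscp": None}
    for opt in filter(None, m["opts"].split("|")):
        key, _, spec = opt.partition(":")
        if key == "C":
            out["client_kbps"] = _kbps(spec, key)
            _check_range(out["client_kbps"], CLIENT_KBPS, key)
        elif key == "E":
            out["ess_kbps"] = _kbps(spec, key)
            _check_range(out["ess_kbps"], ESS_KBPS, key)
        elif key == "D":
            if spec not in DSCP_VALUES:
                raise ValueError(f"D: {spec!r} is not a valid DSCP string")
            out["dscp"] = spec
    # The guide: the client limit must be <= the ESSID / port profile limit.
    if out["client_kbps"] and out["ess_kbps"] and out["client_kbps"] > out["ess_kbps"]:
        raise ValueError("C: per-client limit exceeds the per-ESSID limit")
    return out


def is_valid_rule(rule):
    try:
        parse_rule(rule)
        return True
    except ValueError:
        return False


def validate_policies(policies):
    """policies: {policy_name: [rule, ...]}. Returns a list of problems (empty = OK)."""
    problems, throttled, marked = [], set(), set()
    for name, rules in policies.items():
        for rule in rules:
            try:
                r = parse_rule(rule)
            except ValueError as err:
                problems.append(f"{name}: {err}")
                continue
            if r["client_kbps"] or r["ess_kbps"]:
                throttled.add(r["app"])
            if r["dscp"] and r["dscp"] != "no":   # assumption: "no" means no marking
                marked.add(r["app"])
    if len(throttled) > MAX_THROTTLED_APPS:
        problems.append(f"bandwidth throttling on {len(throttled)} applications; "
                        f"the controller allows at most {MAX_THROTTLED_APPS}")
    if len(marked) > MAX_DSCP_APPS:
        problems.append(f"DSCP marking on {len(marked)} applications; "
                        f"the controller allows at most {MAX_DSCP_APPS}")
    return problems


if __name__ == "__main__":
    print(parse_rule("2:A|C:150:K|E:1:M|D:af11"))
    print(validate_policies({"CorpNet": ["6:B", "2:A|C:2:M|E:1:M", "8:A|D:af44"]}))
```

The two checks that span policies (the 10-application limits) are the ones the GUI will not catch for you while editing a single policy, which is why the validator takes the whole policy set rather than one rule.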

Best Practices

The following is a recommended best practice when creating application visibility policies. While it is possible to create a single policy that detects, blocks, and enforces bandwidth limits, it is recommended that you create separate policies that independently detect, block, or enforce bandwidth limits.

Policies are prioritized in the following order:
  1. Block
  2. Bandwidth Throttling
  3. Detect (General)


This entry was posted in Administration Guides, FortiWLC.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
