Category Archives: FortiOS

Intrusion protection

The FortiGate Intrusion Protection system combines signature detection and prevention with low latency and excellent reliability. With intrusion protection, you can create multiple IPS sensors, each containing a complete configuration based on signatures. Then, you can apply any IPS sensor to any security policy.

This section describes how to configure the FortiGate Intrusion Protection settings.

If you enable virtual domains (VDOMs) on the FortiGate unit, intrusion protection is configured separately for each virtual domain.

The following topics are included:

  • IPS concepts
  • Enable IPS scanning
  • Configure IPS options
  • Enable IPS packet logging
  • IPS examples

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiClient Profiles

This section describes the FortiClient Profiles endpoint protection features and configuration.

You must first enable this feature. Go to System > Feature Select and enable Endpoint Control.

This will reveal the Security Profiles > FortiClient Profiles menu item.

The following topics are included in this section:

  • Endpoint protection overview
  • Configuring endpoint protection
  • Configuring endpoint registration over a VPN
  • Modifying the endpoint protection replacement messages
  • Monitoring endpoints

Endpoint protection overview

Endpoint Protection enforces the use of up-to-date FortiClient Endpoint Security software on endpoints (workstation computers and mobile devices). It pushes a FortiClient profile to the FortiClient application, specifying security settings, including:

  • Real-time antivirus protection – on or off
  • FortiClient web category filtering based on web filters defined in a FortiGate Web Filter profile
  • FortiClient Application Control (application firewall) using application sensors defined in the FortiGate Application Control profile

The FortiClient profile can also:

  • Create VPN configurations
  • Install CA certificates
  • Upload logs to FortiAnalyzer or FortiManager
  • Enable use of FortiManager for client software/signature update
  • Enable a dashboard banner
  • Enable client-based logging while on-net
  • Output a mobile configuration profile (.mobileconfig file for iOS)

User experience

When using a web browser, the user of a non-compliant endpoint receives a replacement message HTML page from the FortiGate unit. The message explains that the user needs to install FortiClient Endpoint Security and provides a link to do so. The user cannot continue until the FortiClient software is installed.

For information about modifying the replacement page, see Modifying the endpoint protection replacement messages on page 2159.

Default FortiClient non-compliance message for Windows

endpoint-security-required

After installing FortiClient Endpoint Security, the user will receive an invitation to register with the FortiGate unit. If the user accepts the invitation, the FortiClient profile is sent to the device’s FortiClient application. Now the user is compliant and can connect to the network. FortiClient Endpoint Security registered with a FortiGate unit does not need to be separately licensed with FortiGuard.

The FortiGate unit can also register endpoints that connect over the Internet through a VPN. The user can accept an invitation to register with the FortiGate unit. See Endpoint protection overview on page 2151.

FortiGate endpoint registration limits

To view the number of endpoints that are registered and the total that can be registered, go to Dashboard. Under License Information, find FortiClient. You will see a line like “Clients Registered 4 of 10”. This means that there are four registered endpoints and a total of ten are allowed.

When the registration limit is reached, the next FortiClient-compatible device will not be able to register with the FortiGate unit. The user sees a message about this in the FortiClient application. The FortiClient profile is not sent to the client, and the client cannot connect through the FortiGate unit.

For all FortiGate models, the maximum number of registered endpoints is ten. For all models except 20C, you can purchase an endpoint license to increase this capacity:

To add an endpoint license – web-based manager

1. Go to Dashboard.

2. In the License Information widget, under FortiClient, select Enter License, enter the license key, and select OK.

Maximum registered endpoints with endpoint license

Model type                        Max Registered Endpoints
30 to 90 series                   200
100 to 300 series                 600
500 to 800 series, VM1, VM2       2 000
1000 series, VM4                  8 000
3000 to 5000 series, VM8          20 000

Configuring endpoint protection

Endpoint Protection requires that all hosts connecting to an interface have the FortiClient Endpoint Security application installed. Make sure that all endpoints behind the interface are able to install this application. Currently, FortiClient Endpoint Security is available for Microsoft Windows (2000 and later), Apple (Mac OS X and later), and Android devices only.

By default, the FortiGuard service provides the FortiClient installer. If you prefer to host it on your own server, see Changing the FortiClient installer download location, below. To set up Endpoint Protection, complete the following:

  • Create a FortiClient Profile or use the default profile. See Creating a FortiClient profile on page 2153. Enable the application sensor and web category filtering profiles that you want to use.
  • Configure the FortiGate unit to support endpoint registration using FortiHeartBeat (under Network > Interfaces, allow FortiHeartBeat admission control).
  • Optionally, enforce FortiClient registration. See Enforcing FortiClient registration on page 2156.
  • Optionally, configure application sensors and web filter profiles as needed to monitor or block applications.
  • Optionally, modify the Endpoint NAC Download Portal replacement messages (one per platform). See Modifying the endpoint protection replacement messages on page 2159.

Creating a FortiClient profile

The default FortiClient profile has only AntiVirus, Web Filter, and VPN options enabled. You can modify this profile or create your own FortiClient profiles, including settings for iOS and Android devices.

It is possible for more than one profile to be assigned to a device type. As with security policies, clients are matched to FortiClient profiles in the order that the profiles appear in the list.

To create a FortiClient profile – web-based manager

1. If you will use the Application Firewall feature, go to Security Profiles > Application Control to create the Application Sensors that you will need.

2. If you will use Web Category Filtering, go to Security Profiles > Web Filter to create the Web Filter Profile that you will need.

3. Go to Security Profiles > FortiClient Profiles.

If there is only the default FortiClient profile, it will be displayed and ready to edit. At the top right of the page you can select or create other profiles.

4. Select Create New or select an existing profile and Edit it.

5. In Assign Profile To, select the device groups, user groups, and users to which this FortiClient profile applies.

This is not available for the default profile.

6. Configure the FortiClient Profile under the following tabs: Security, VPN, Advanced, and Mobile:

Security option                    Description

AntiVirus
  Realtime Protection              Enable to configure AV options, including Scan File Downloads, Block malicious websites, and Block attack channels.
  Scheduled Scan                   Enable to configure the following:
                                   Type: Select from Quick, Full, or Custom.
                                   Schedule: Select from Daily, Weekly, or Monthly.
                                   Time: Select when the scan should take place.
  Excluded Paths                   Enable to add paths you wish to be excluded from AV scanning.

Web Filter
  Profile                          Select which Web Filter Profile you wish to use.
  Client Side when On-Net          Select to enable client side web filtering when the device is On-Net.

Application Firewall
  Application Control list         Select which Application Control Sensor you wish to use.
  Monitor unknown applications     Enable to monitor any applications that do not fall into any Application Control categories.

VPN option                         Description

VPN
  Client VPN Provisioning          Enable to configure the FortiClient VPN client, and enter the VPN configuration details.
  Allow user defined VPN           Enable to accept VPN tunnels for specific users.
  VPN before Windows logon         Enable to establish the VPN connection before logging in to Windows.

Advanced option                    Description

  Install CA Certificates          Enable to force the FortiClient endpoint to download CA Certificates from the FortiGate.
  Disable Unregister Option        Enable to prevent managed endpoints from unregistering.
  Upload Logs to FortiAnalyzer     Enable to determine where FortiClient will upload its logs. Same as System will send the logs as configured via Log & Report > Log Settings. Select Specify to upload them elsewhere.
  FortiManager updates             Enable to download client signature updates from FortiManager from specified IP addresses. Also, you can Failover to FDN when FortiManager is not available.
  Dashboard Banner                 Enable to display the dashboard banner.
  Client-based Logging when On-Net Enable to always save logs on the client. Logs can be viewed with the FortiClient Console.
  Single Sign-on Mobility Agent    Enable to configure a specific server with a pre-shared key for SSO.

Mobile option                      Description

iOS
  Web Filter                       Select which Web Filter Profile you wish to use, and select Client Side when On-Net to enable client side web filtering when the iOS device is On-Net.
  Client VPN Provisioning          Enable to configure the FortiClient VPN client, and enter the VPN configuration details.
  Distribute Configuration Profile Enable to select and upload a ‘.mobileconfig’ file that will be distributed to iOS devices.

Android
  Web Filter                       Select which Web Filter Profile you wish to use, and select Client Side when On-Net to enable client side web filtering when the Android device is On-Net.
  Client VPN Provisioning          Enable to configure the FortiClient VPN client, and enter the VPN configuration details.

7. Select Apply.

To create a FortiClient profile – CLI:

This example creates a profile for Windows and Mac computers.

    config endpoint-control profile
        edit ep-profile1
            set device-groups mac windows-pc
            config forticlient-winmac-settings
                set forticlient-av enable
                set forticlient-wf enable
                set forticlient-wf-profile default
            end
        end


To install CA certificates – CLI:

    config endpoint-control profile
        edit <profile>
            config forticlient-winmac-settings
                set install-ca-certificate [enable | disable]
            end
        next
    end

Enforcing FortiClient registration

When you enable FortiHeartBeat on an interface, the option to enforce FortiClient registration becomes available. Devices connecting to that interface are forced to register to the FortiGate and install FortiClient before gaining access to network services.

The following example includes editing the default FortiClient Profile to enforce realtime antivirus protection and malicious website blocking.

To enforce FortiClient registration on the internal interface – web-based manager:

1. On the FortiGate, go to System > Feature Select and make sure that Endpoint Control is enabled.

2. Go to Network > Interfaces and edit the internal interface.

3. Under Restrict Access, enable FortiHeartBeat.

4. Under Admission Control, enable Enforce FortiHeartBeat for all FortiClients.

Optionally, you can also Exempt Sources and/or Exempt Destinations/Services. If you were to exempt a source device, that device would not require FortiClient registration to access network services or the Internet.

5. Go to Security Profiles > FortiClient Profiles.

6. Under the Security tab, enable Realtime Protection, Scan File Downloads, Block malicious websites, and Block attack channels.

Changing the FortiClient installer download location

By default, FortiClient installers are downloaded from the FortiGuard network. You can also host these installers on a server for your users to download. In that case, you must configure FortiOS with this custom download location. For example, to set the download location to a custom web server with address custom.example.com, enter the following command:

    config endpoint-control settings
        set download-location custom
        set download-custom-link "http://custom.example.com"
    end

Storing FortiClient configuration files

Advanced FortiClient configuration files of up to 32k may be stored:

1. Enable the advanced FortiClient configuration option in the endpoint profile:

    config endpoint-control profile
        edit "default"
            set forticlient-config-deployment enable
            set fct-advanced-cfg enable
            set fct-advanced-cfg-buffer "hello"
            set forticlient-license-timeout 1
            set netscan-discover-hosts enable
        next
    end

2. Export the configuration from FortiClient (xml format).

3. Copy the contents of the configuration file and paste in the advanced FortiClient configuration box.

If the configuration file is greater than 32k, you need to use the following CLI:

    config endpoint-control profile
        edit <profile>
            config forticlient-winmac-settings
                config extra-buffer-entries
                    edit <entry_id>
                        set buffer xxxxxx
                    next
                end
            end
        next
    end

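The over-32k case above, as an added example that is not Fortinet's code: a Python script that splits an exported FortiClient XML configuration into a first fct-advanced-cfg-buffer plus numbered extra-buffer-entries and emits the CLI block shown, keeping each cut on a UTF-8 character boundary. It assumes a 32 KiB limit per buffer, that the extra entries are read back in order after the main buffer, and that the FortiOS CLI accepts backslash-escaped quotes and literal newlines inside a double-quoted string; none of these three points is stated on the page.

```python
"""Split an exported FortiClient XML configuration into FortiOS CLI buffers.

Added example, not Fortinet code. Assumptions (not stated on the page):
the first MAX_BUFFER bytes go into fct-advanced-cfg-buffer, the rest into
extra-buffer-entries 1..n in order, and the CLI accepts backslash-escaped
quotes and literal newlines inside a double-quoted string.
"""

MAX_BUFFER = 32 * 1024  # assumption: 32 KiB per buffer, matching the page's "32k"


def split_utf8(data: bytes, limit: int) -> list[bytes]:
    """Cut `data` into chunks of at most `limit` bytes, never inside a UTF-8 sequence."""
    if limit < 4:  # a UTF-8 character is at most 4 bytes; smaller limits cannot be honoured
        raise ValueError("limit must be at least 4 bytes")
    chunks = []
    pos = 0
    while pos < len(data):
        end = min(pos + limit, len(data))
        # Back up while the byte at `end` is a continuation byte (10xxxxxx), so a
        # multi-byte character straddling the boundary moves whole into the next chunk.
        # Input comes from str.encode(), so it is valid UTF-8 and this backs up at most 3 bytes.
        while end < len(data) and end > pos and (data[end] & 0xC0) == 0x80:
            end -= 1
        chunks.append(data[pos:end])
        pos = end
    return chunks


def cli_quote(text: str) -> str:
    """Wrap `text` in double quotes, escaping backslashes and quotes (assumed CLI syntax)."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_profile_cli(profile: str, xml_config: str, limit: int = MAX_BUFFER) -> tuple[str, int]:
    """Return (cli_text, extra_entry_count) that stores `xml_config` in endpoint profile `profile`."""
    chunks = split_utf8(xml_config.encode("utf-8"), limit) or [b""]
    first, extras = chunks[0], chunks[1:]
    lines = [
        "config endpoint-control profile",
        f"    edit {cli_quote(profile)}",
        "        set forticlient-config-deployment enable",
        "        set fct-advanced-cfg enable",
        f"        set fct-advanced-cfg-buffer {cli_quote(first.decode('utf-8'))}",
    ]
    if extras:  # only needed when the configuration exceeds one buffer
        lines += ["        config forticlient-winmac-settings",
                  "            config extra-buffer-entries"]
        for entry_id, chunk in enumerate(extras, start=1):
            lines += [f"                edit {entry_id}",
                      f"                    set buffer {cli_quote(chunk.decode('utf-8'))}",
                      "                next"]
        lines += ["            end", "        end"]
    lines += ["    next", "end"]
    return "\n".join(lines) + "\n", len(extras)


if __name__ == "__main__":
    # Constructed sample: a stand-in for a FortiClient XML export that is well over 32k.
    sample = '<?xml version="1.0"?><forticlient_configuration>' + "x" * 70000 + "</forticlient_configuration>"
    text, extra = build_profile_cli("ep-profile1", sample)
    print(f"{extra} extra-buffer-entries needed; CLI is {len(text)} bytes")
```
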
Configuring endpoint registration over a VPN

FortiGate units can register FortiClient-equipped endpoints over either an interface-based IPsec VPN or a tunnel-mode SSL VPN. After the user authenticates, the FortiGate unit sends the FortiClient application the IP address and port to be used for registration. If the user accepts the FortiGate invitation to register, registration proceeds and the FortiClient profile is downloaded to the client.

Users without FortiClient Endpoint Security connecting to the SSL VPN through a browser are redirected to a captive portal to download and install the FortiClient software.

Endpoint registration on an IPsec VPN

You can enable endpoint registration when you configure the FortiClient VPN or you can enable it on an existing FortiClient VPN.

To enable endpoint registration while configuring the VPN

  • Enable Allow Endpoint Registration on the Policy & Routing page of the VPN Wizard when creating the FortiClient VPN.

This is only available when Template Type is set to Remote Access with a FortiClient Remote Device Type.

To enable endpoint registration on an existing VPN

1. Go to Network > Interfaces and edit the VPN’s tunnel interface.

The tunnel is a virtual interface under the physical network interface.

2. In Admission Control, enable FortiHeartBeat.

Optionally, you can also enable Enforce FortiHeartBeat for all FortiClients. This forces endpoints to register with FortiClient before they have network access.

3. Select OK.

Endpoint registration on an SSL VPN

To enable endpoint registration on the SSL VPN

1. Go to VPN > SSL-VPN Settings.

2. In Tunnel Mode Client Settings, make sure Allow Endpoint Registration is enabled.

3. Select Apply.

4. Go to Network > Interfaces and edit the ssl.root interface.

5. In Admission Control, enable FortiHeartBeat.

Optionally, you can also enable Enforce FortiHeartBeat for all FortiClients. This forces endpoints to register with FortiClient before they have network access.

6. Select OK.

This procedure does not include all settings needed to configure a working SSL VPN.

Synchronizing endpoint registrations

To support roaming users in a network with multiple FortiGate units, you need to configure synchronization of the endpoint registration databases between the units. The registered endpoints are then recognized on all of the FortiGate units. This is configured in the CLI. For example, to synchronize this FortiGate unit’s registered endpoint database with another unit named other1 at IP address 172.20.120.4, enter:

    config endpoint-control forticlient-registration-sync
        edit other1
            set peer-ip 172.20.120.4
        end

Modifying the endpoint protection replacement messages

If the security policy has Redirect all non-compliant/unregistered FortiClient compatible devices to a captive portal enabled, users of non-compliant devices are redirected to a captive portal that is defined by the Endpoint NAC Download Portal replacement message. There are different portals for Android, iOS, Mac, Windows, Quarantine, and “other” devices.

To modify the endpoint protection replacement messages

1. Go to System > Replacement Messages and select Extended View.

2. In the Endpoint Control section select the message that you want to edit.

The replacement message and its HTML code appear in a split screen in the lower half of the page.

3. Modify the text as needed and select Save.

Monitoring endpoints

Go to Monitor > FortiClient Monitor to monitor endpoints.

Application control examples

To help give a better understanding of how to implement Application Control and to give some ideas as to why it would be used, a number of examples of scenarios are included.

Blocking all instant messaging

Instant messaging use is not permitted at the Example Corporation. Application control helps enforce this policy. First you will create an application sensor with a single entry that includes all instant messaging applications. You will set the list action to block.

To create the application sensor

1. Go to Security Profiles > Application Control.

2. Select the Create New icon in the title bar of the Edit Application Sensor window.

3. In the Name field, enter no_IM for the application sensor name.

4. Left-click on the IM category.

5. From the dropdown select Block.

6. Select OK to save the new sensor. Next you will assign the sensor to a policy.

To enable application control and select the application sensor

1. Go to Policy & Objects > IPv4 Policy.

2. Select the security policy that allows the network users to access the Internet and choose Edit.

3. Under the heading Security Profiles toggle the button next to Application Control to turn it on.

4. In the drop down menu field next to the Application Control select the no_IM application sensor.

5. Select OK.

No IM use will be allowed by the security policy. If other firewall policies handle traffic that users could use for IM, enable application control with the no_IM application sensor for those as well.

Allowing only software updates

Some departments at Example Corporation do not require access to the Internet to perform their duties. Management therefore decided to block their Internet access. Software updates quickly became an issue because automatic updates will not function without Internet access and manual application of updates is time-consuming.

The solution is configuring application control to allow only automatic software updates to access the Internet.

To create an application sensor — web-based manager

1. Go to Security Profiles > Application Control.

2. Select the Create New icon in the title bar of the Edit Application Sensor window.

3. In the Name field, enter Updates_Only as the application sensor name.

4. Left-click each item in the Category list and use its dropdown menu to:

a. Select Monitor from the dropdown menu.

b. Select Block for the rest of the categories.

5. Select OK.

To create an application sensor — CLI

    config application list
        edit Updates_Only
            config entries
                edit 1
                    set category 17
                    set action pass
                end
            set other-application-action block
            set unknown-application-action block
        end

You will notice that there are some differences in the naming convention between the Web Based Manager and the CLI. For instance, the Action in the CLI is “pass” and the Action in the Web Based Manager is “Monitor”.

Selecting the application sensor in a security policy

An application sensor directs the FortiGate unit to scan network traffic only when it is selected in a security policy. When an application sensor is selected in a security policy, its settings are applied to all the traffic the security policy handles.

To select the application sensor in a security policy — web-based manager

1. Go to Policy & Objects > IPv4 Policy.

2. Select a policy.

3. Select the Edit icon.

4. Under the heading Security Profiles toggle the button next to Application Control to turn it on.

5. In the drop down menu field next to the Application Control select the Updates_Only list.

6. Select OK.

To select the application sensor in a security policy — CLI

    config firewall policy
        edit 1
            set utm-status enable
            set profile-protocol-options default
            set application-list Updates_Only
        end

Traffic handled by the security policy you modified will be scanned for application traffic. Software updates are permitted and all other application traffic is blocked.

Working with other FortiOS components

Application Control is not just a module that is inserted into the OS and works independently of all of the other components.

WAN Optimization

There is a feature that enables both IPS and Application Control on both non-HTTP WANOpt traffic and HTTP-tunneled traffic through HTTP CONNECT. The basic idea is that it hooks a scan connection to a port so that traffic is redirected to the IPS engine before being forwarded to a different module.

Application control monitor

The application monitor enables you to gain an insight into the applications generating traffic on your network. When monitor is enabled in an application sensor entry and the list is selected in a security policy, all the detected traffic required to populate the selected charts is logged to the SQL database on the FortiGate unit hard drive.

The charts are available for display in the executive summary section of the log and report menu.

Because the application monitor relies on a SQL database, the feature is available only on FortiGate units with an internal hard drive.

While the monitor charts are similar to the top application usage dashboard widget, they offer several advantages. The widget data is stored in memory, so when you restart the FortiGate unit the data is cleared. Application monitor data is stored on the hard drive, and restarting the system does not affect old monitor data.

Application monitor allows you to choose to compile data for any or all of three charts: top ten applications by bandwidth use, top ten media users by bandwidth, and top ten P2P users by bandwidth. Further, there is a chart of each type for the traffic handled by each security policy with application monitor enabled. The top application usage dashboard widget shows only the bandwidth used by the top applications since the last system restart.

Enable application control

Application control examines your network traffic for traffic generated by the applications you want it to control.

General configuration steps

Follow the configuration procedures in the order given. Also, note that if you perform any additional actions between procedures, your configuration may have different results.

1. Create an application sensor.

2. Configure the sensor to include the signatures for the application traffic you want the FortiGate unit to detect.

3. Enable any other applicable options.

4. Enable application control in a security policy and select the application sensor.

Creating an application sensor

You need to create an application sensor before you can enable application control.

To create an application sensor

1. Go to Security Profiles > Application Control.

2. Select the Create New icon in the title bar of the Edit Application Sensor window.

3. In the Name field, enter the name of the new application sensor.

4. Optionally, you may also enter a comment.

Adding applications to an application sensor

Once you have created an application sensor, you need to define the applications that you want to control. You can add applications and filters using categories, application overrides, and/or filter overrides. Categories allow you to choose groups of signatures based on a category type. Application overrides allow you to choose individual applications. Filter overrides allow you to select groups of applications and override the application signature settings for them.

To add a category of signatures to the sensor:

1. Go to Security Profiles > Application Control.

2. Under Categories, you may select from the following:

  • Botnet
  • Business
  • Cloud.IT
  • Collaboration
  • Email
  • Game
  • General.Interest
  • Mobile
  • Network.Service
  • P2P
  • Proxy
  • Remote.Access
  • Social.Media
  • Storage.Backup
  • Update
  • Video/Audio
  • VoIP
  • Web.Clients
  • Unknown Applications

When selecting the category that you intend to work with, left click on the icon next to the category name to produce a drop down menu that includes:

  • Allow
  • Monitor
  • Block
  • Quarantine
  • View Signatures

3. If you wish to add individual applications, select Add Signatures under Application Overrides.

a. Use the Add Filter search field to narrow down the list of possible signatures by a series of attributes.

b. When finished, select Use Selected Signatures.

4. If you wish to add advanced filters, select Add Filter under Filter Overrides.

a. Use the Add Filter search field to narrow down the list of possible filters by a series of attributes.

b. When finished, select Use Filters.

5. Select, if applicable, from the following options:

  • Allow and Log DNS Traffic
  • Replacement Messages for HTTP-based Applications

6. Select OK.

There is a disabled category called Industrial. This category is disabled by default; however, it can be enabled through the CLI command below. Note that none means no signatures are excluded, and industrial excludes all industrial signatures.

CLI Syntax

    config ips global
        set exclude-signatures [none | industrial]
    end

Creating a New Custom Application Signature

If you have to deal with an application that is not already in the Application List you have the option to create a new one.

1. Go to Security Profiles > Application Control.

2. Select the link in the upper right corner, [View Application Signatures].

3. Select the Create New icon.

4. Give the new signature a name (no spaces) in the Name field.

5. Enter a brief description in the Comments field.

6. Enter the text for the signature in the signature field. Use the rules found in the Custom IPS signature chapter to determine syntax.

7. Select OK.

You can configure rate based application control signatures in the CLI Console using similar IPS signature rate CLI commands.

For more information on this and the CLI syntax, see IPS signature rate count threshold on page 2169.

Messages in response to blocked applications

Once an Application Control sensor has been configured to block a specified application and applied to a policy, it seems inevitable that at some point an application will end up getting blocked, even if only to test the functionality of the control. When this happens, the sensor can be set either to display a message to the offending user or to block without any notification. The default setting is to display a message. This is configured in the CLI:

    config application list
        edit <name of the sensor>
            set app-replacemsg {enable | disable}
        end


Application considerations

Some applications behave differently from most others. You should be aware of these differences before using application control to regulate their use.

IM applications

The Application Control function for a number of IM applications is not in the Web Based Manager but in the CLI of the FortiGate unit. These applications are:

  • AIM
  • ICQ
  • MSN
  • Yahoo

These applications are controlled by either permitting or denying users from logging in to the service. Individual IM accounts are configured as permitted or not, and a global policy per application defines how unknown users are handled and whether to add the user to the black list or the white list.

The configuration details for these settings can be found in the CLI Reference guide under the heading of imp2p.

Skype

Based on the NAT firewall type, Skype takes advantage of several NAT firewall traversal methods, such as STUN (Simple Traversal of UDP through NAT), ICE (Interactive Connectivity Establishment) and TURN (Traversal Using Relay NAT), to make the connection.

The Skype client may try to log in with either UDP or TCP, on different ports, especially well-known service ports, such as HTTP (80) and HTTPS (443), because these ports are normally allowed in firewall settings. A client who has previously logged in successfully could start with the known good approach, then fall back on another approach if the known one fails.

The Skype client could also employ Connection Relay. This means if a reachable host is already connected to the Skype network, other clients can connect through this host. This makes any connected host not only a client but also a relay server.

SPDY

SPDY (pronounced speedy, it’s a trademarked name not an acronym) is a networking protocol developed to increase the speed and security of HTML traffic. It was developed primarily by Google. The Application Control engine recognises this protocol and its required SSL/TLS component within Application Control sensors. It is counted as part of application traffic for Google and other sources that use the protocol.

Application Control Actions

Allow

This action allows the targeted traffic to continue on through the FortiGate unit.

Monitor

This action allows the targeted traffic to continue on through the FortiGate unit but logs the traffic for analysis.

Block

This action prevents all traffic from reaching the application and logs all occurrences.

Reset

This action resets the session or connection between the FortiGate and the initiating node.

Traffic Shaping

This action presents a number of default traffic shaping options:

  • guarantee-100kbps
  • high-priority
  • low-priority
  • medium-priority
  • shared-1M-pipe

View Signatures

This option brings up a window that displays a list of the signatures with the following columns:

  • Application Name
  • Category
  • Technology – Technology is broken down into 3 technology models, plus the more basic Network-Protocol, which can be used as a catch-all for anything not covered by the more narrowly defined technologies of:
      • Browser-Based
      • Client-Server
      • Peer-to-Peer
  • Popularity – Popularity is broken down into 5 levels represented by stars: 5 stars represent the most popular applications and 1 star the least popular.
  • Risk – The Risk property does not indicate the level of risk but the type of impact that is likely to occur by allowing traffic from that application. The Risk list is broken down into the following


Application control concepts

You can control network traffic generally by the source or destination address, or by the port, the quantity or similar attributes of the traffic itself in the security policy. If you want to control the flow of traffic from a specific application, these methods may not be sufficient to precisely define the traffic. To address this problem, the application control feature examines the traffic itself for signatures unique to the application generating it. Application control does not require knowledge of any server addresses or ports. The FortiGate unit includes signatures for over 1000 applications, services, and protocols.

Updated and new application signatures are delivered to your FortiGate unit as part of your FortiGuard Application Control Service subscription. Fortinet is constantly increasing the number of applications that application control can detect by adding applications to the FortiGuard Application Control Database. Because intrusion protection protocol decoders are used for application control, the application control database is part of the FortiGuard Intrusion Protection System Database and both of these databases have the same version number.

To view the version of the application control database installed on your FortiGate unit, go to the License Information dashboard widget and find the IPS Definitions version.

To see the complete list of applications supported by FortiGuard Application Control go to the FortiGuard Application Control List. This web page lists all of the supported applications. You can select any application name to see details about the application.



Application Control

Using the Application Control Security Profile feature, your FortiGate unit can detect and take action against network traffic depending on the application generating the traffic. Based on FortiGate Intrusion Protection protocol decoders, application control is a user-friendly and powerful way to use Intrusion Protection features to log and manage the behavior of application traffic passing through the FortiGate unit. Application control uses IPS protocol decoders that can analyze network traffic to detect application traffic even if the traffic uses non-standard ports or protocols.

The FortiGate unit can recognize the network traffic generated by a large number of applications. You can create application control sensors that specify the action to take with the traffic of the applications you need to manage and the network on which they are active, and then add application control sensors to the firewall policies that control the network traffic you need to monitor.

Fortinet is constantly increasing the list of applications that application control can detect by adding applications to the FortiGuard Application Control Database. Because intrusion protection protocol decoders are used for application control, the application control database is part of the FortiGuard Intrusion Protection System Database and both of these databases have the same version number.

You can find the version of the application control database that is installed on your unit by going to the License Information dashboard widget and finding the IPS Definitions version.

You can go to the FortiGuard Application Control List to see the complete list of applications supported by FortiGuard. This web page lists all of the supported applications. You can select any application name to see details about the application.

If you enable virtual domains (VDOMs) on the Fortinet unit, you need to configure application control separately for each virtual domain.

 

The following topics are included in this section:

  • Application control concepts
  • Application considerations
  • Application traffic shaping
  • Application control monitor
  • Enable application control
  • Application control examples
