Application Control
Module Objectives
By the end of this module participants will be able to:
Define application control lists
Define firewall policies using application control lists
Application Control
Example entry shown on the slide: generating application Gmail, category web-mail, application Gmail, action Block.
Application control is used to detect and take action on network traffic based on the application generating the traffic (Facebook, Skype, Gmail etc.)
Can detect application traffic even if it is contained within other protocols
Supports nearly 1500 applications in 19 categories
DiffServ per application filter
Supports shared and per-IP traffic shaping for application control
Application Control List
List columns shown on the slide: Categories, Applications, Action (Block, Monitor, Traffic Shaping, Session TTL, Packet log, Reset)
The application control list defines the applications that will be subject to inspection
For each application, the administrator can specify whether to pass or block the application traffic, in addition to other settings such as traffic shaping, session TTL and packet logging
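To make the list concrete, the following Python model (an added example, not FortiGate code) evaluates constructed flows against a small application control list. It assumes a precedence order that the slide does not state: an entry for a specific application wins over the entry for its category, and anything not listed falls through to a default action.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Added example, not FortiGate code. Assumption: application entries override
# category entries, and unlisted traffic gets the list's default entry.

@dataclass
class Entry:
    action: str                      # "pass", "block", "monitor" or "reset"
    session_ttl: Optional[int] = None  # seconds; None = engine default
    packet_log: bool = False
    shaper: Optional[str] = None     # name of a traffic shaper, if any

@dataclass
class AppControlList:
    categories: Dict[str, Entry] = field(default_factory=dict)
    applications: Dict[str, Entry] = field(default_factory=dict)
    default: Entry = field(default_factory=lambda: Entry("pass"))

    def resolve(self, app: str, category: str) -> Entry:
        """Assumed precedence: application entry, then category, then default."""
        if app in self.applications:
            return self.applications[app]
        if category in self.categories:
            return self.categories[category]
        return self.default

@dataclass
class Flow:
    src_ip: str
    app: str        # application identified by the engine
    category: str   # category that application belongs to

def apply_list(acl: AppControlList, flows: List[Flow]) -> Tuple[List[Tuple[Flow, Entry]], Dict[str, int]]:
    """Return (flow, entry) decisions plus a tally of actions taken."""
    decisions = []
    tally: Dict[str, int] = {}
    for f in flows:
        e = acl.resolve(f.app, f.category)
        decisions.append((f, e))
        tally[e.action] = tally.get(e.action, 0) + 1
    return decisions, tally

# Constructed sample list: monitor web-mail as a category but block Gmail
# specifically (with packet logging), block p2p, and shape Skype per IP.
SAMPLE_LIST = AppControlList(
    categories={"web-mail": Entry("monitor"), "p2p": Entry("block")},
    applications={
        "Gmail": Entry("block", packet_log=True, session_ttl=300),
        "Skype": Entry("pass", shaper="per-ip-shaper"),
    },
)

# Constructed flows; IPs and application names are made up for the example.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "Gmail", "web-mail"),       # app entry beats category
    Flow("10.0.0.6", "Yahoo.Mail", "web-mail"),  # category entry applies
    Flow("10.0.0.7", "Skype", "voip"),           # app entry with shaper
    Flow("10.0.0.8", "BitTorrent", "p2p"),       # category block
    Flow("10.0.0.9", "HTTP", "web"),             # unlisted: default pass
]

if __name__ == "__main__":
    decisions, tally = apply_list(SAMPLE_LIST, SAMPLE_FLOWS)
    for f, e in decisions:
        extra = f" shaper={e.shaper}" if e.shaper else ""
        print(f"{f.src_ip:10} {f.app:12} {f.category:9} -> {e.action}{extra}")
    print(tally)
```

Running the block shows why the precedence matters: with only the category entry, Gmail would merely be monitored; the application-specific entry is what turns it into a block.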
Adding to the List
Requests for additional or revised application control coverage can be submitted using FortiClient or by accessing: applicationcontrol/appform.html
Application Control Profile
Example shown on the slide: application control profile Sample_App_Control applied to a firewall policy.
Application control options are enabled through application control sensors
The sensor is in turn applied to a firewall policy
Any traffic being examined by the policy will have the application control operations applied to it
Example: Facebook Application Control
The application "Facebook.app_ID" allows a rule for a specific Facebook app
Each Facebook app is assigned a unique name and ID, and the app name appears in the request URI path
For new Facebook apps not yet in the application list, a custom signature can be defined (XXX, app_name and xx are placeholders to fill in):
F-SBID( --name "Facebook.App.XXX"; --protocol tcp; --service HTTP; --flow from_client; --parsed_type HTTP_GET;
        --pattern "/app_name/"; --no_case; --context uri; --within xx,context;
        --pattern "apps.facebook.com"; --no_case; --context host; )
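To show how the two-pattern signature above is read and applied, the following Python block (an added example, not FortiGate code) parses the F-SBID option syntax into a structure and evaluates it against constructed HTTP requests. It assumes that --no_case, --context and --within modify the most recent --pattern, that "--context uri" and "--context host" refer to the request path and Host header, and that "--within n,context" restricts the search to the first n bytes of that context; the app name "farmtown" and all requests are made up.

```python
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

# Added example, not FortiGate code. Assumed option semantics are described
# in the comments; the matcher only models the "host" and "uri" contexts.

@dataclass
class PatternRule:
    pattern: str
    context: str = "packet"
    no_case: bool = False
    within: Optional[int] = None   # assumption: search only the first n bytes

@dataclass
class Signature:
    name: str = ""
    protocol: Optional[str] = None
    service: Optional[str] = None
    flow: Optional[str] = None
    parsed_type: Optional[str] = None
    rules: List[PatternRule] = field(default_factory=list)

def parse_fsbid(text: str) -> Signature:
    """Parse 'F-SBID( --key value; --flag; ... )' into a Signature."""
    m = re.fullmatch(r"\s*F-SBID\s*\((.*)\)\s*", text, re.S)
    if not m:
        raise ValueError("not an F-SBID signature")
    sig = Signature()
    current: Optional[PatternRule] = None
    for item in m.group(1).split(";"):
        item = item.strip()
        if not item:
            continue
        if not item.startswith("--"):
            raise ValueError(f"expected --option, got {item!r}")
        key, *args = shlex.split(item[2:])      # shlex removes the quotes
        if key == "pattern":
            current = PatternRule(pattern=args[0])
            sig.rules.append(current)
        elif key in ("no_case", "context", "within"):
            if current is None:                 # modifiers need a pattern
                raise ValueError(f"--{key} before any --pattern")
            if key == "no_case":
                current.no_case = True
            elif key == "context":
                current.context = args[0]
            else:                               # within: "n,context"
                current.within = int(args[0].split(",")[0])
        elif key in ("name", "protocol", "service", "flow", "parsed_type"):
            setattr(sig, key, args[0])
        else:
            raise ValueError(f"unsupported option --{key}")
    if not sig.name or not sig.rules:
        raise ValueError("signature needs --name and at least one --pattern")
    return sig

@dataclass
class HttpRequest:
    method: str
    host: str
    uri: str
    from_client: bool = True

def matches(sig: Signature, req: HttpRequest) -> bool:
    """True when the flow/parse constraints and every pattern rule hold."""
    if sig.parsed_type == "HTTP_GET" and req.method != "GET":
        return False
    if sig.flow == "from_client" and not req.from_client:
        return False
    contexts = {"host": req.host, "uri": req.uri}
    for rule in sig.rules:
        hay = contexts.get(rule.context)
        if hay is None:                 # a context this toy does not model
            return False
        if rule.within is not None:
            hay = hay[:rule.within]
        needle = rule.pattern
        if rule.no_case:
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True

def classify(sig: Signature, requests: List[HttpRequest]) -> List[bool]:
    return [matches(sig, r) for r in requests]

# Constructed signature for a made-up Facebook app, filled in from the template.
FARMTOWN_SIG = parse_fsbid('''F-SBID( --name "Facebook.App.Farmtown"; --protocol tcp;
  --service HTTP; --flow from_client; --parsed_type HTTP_GET;
  --pattern "/farmtown/"; --no_case; --context uri; --within 64,context;
  --pattern "apps.facebook.com"; --no_case; --context host; )''')

# Constructed requests: only the first two should match.
SAMPLE_REQUESTS = [
    HttpRequest("GET", "apps.facebook.com", "/farmtown/index.php"),
    HttpRequest("GET", "Apps.Facebook.com", "/FarmTown/"),              # --no_case
    HttpRequest("GET", "www.facebook.com", "/farmtown/"),               # host rule fails
    HttpRequest("POST", "apps.facebook.com", "/farmtown/"),             # not HTTP_GET
    HttpRequest("GET", "apps.facebook.com", "/" + "x" * 70 + "/farmtown/"),  # beyond --within
]

if __name__ == "__main__":
    for req, hit in zip(SAMPLE_REQUESTS, classify(FARMTOWN_SIG, SAMPLE_REQUESTS)):
        print(f"{req.method:4} {req.host:18} {req.uri[:30]:30} -> {hit}")
```

The host rule is what keeps the signature from firing on any site that happens to have "/farmtown/" in a path, and the --within limit keeps a deep query string from triggering it; both are worth checking when a custom signature produces unexpected hits.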
Application Control - Troubleshooting
Useful diag commands:
1. Print IPS filter for a specific IP: diag ips filter ip
2. Print all sessions in the IPS engine (client and server IPs): diag ips session list
3. Print the black-listed IP addresses: diag ips share list
4. Print app-list ID, action, shapers: diag firewall iprope appctrl list
Labs
Lab - Application Control
Creating an Application Control List
Testing Application Control