✓ Why Application Control?
User traffic is increasingly generated by applications rather than by bare protocols.
Examples: WhatsApp, Facebook, YouTube.
A single application has many features, and you may need to control them by allowing
some and blocking others.
Example: Facebook has {chat, videos, games, ...}.
✓ How does it work?
FortiGate can recognize network traffic generated by a large number of applications.
Application control sensors (profiles) specify what action to take on the traffic of the
applications that are matched.
Application control uses IPS protocol decoders that can analyze network traffic to
detect application traffic, even if the traffic uses non-standard ports or protocols.
Application control does not rely on built-in protocol states. It matches patterns in
the entire byte stream of the packet and then looks those patterns up in the application
signature database.
Because application control uses the IPS engine, which performs flow-based inspection,
application control inspection is always flow-based.
Application signatures, IPS engines and IPS protocol decoders are upgraded
automatically through the FortiGuard Distribution Network (FDN) whenever existing decoders
are modified or new decoders are added.
Application control requires a subscription to FortiGuard application control.
The database for application control signatures is separate from the intrusion
prevention system (IPS) database.
✓ Application Control Hierarchical Structure
The application control signature database is organized in a hierarchical structure.
This allows you to inspect traffic in a more granular fashion.
You can block the Facebook app while allowing users to collaborate using Facebook
Chat.
✓ Application Control profiles consist of three different types of filters.
1- Category:
Groups applications based on similarity.
For example, all applications capable of providing remote access are grouped in
the Remote Access category.
You can view the signatures of all apps in a category, and you can apply an
action to a category as a whole.
2- Application Override:
Provides flexibility to control specific signatures and applications.
3- Filter Override:
Useful when the predefined categories do not meet your requirements and you want to
block all applications that match conditions not available in a category.
You can configure and take action on the classification of applications based on
their behavior, popularity, protocol, risk, vendor, or technology used by the
application.
✓ Configuring Additional Options
1- Block applications detected on non-default ports (port enforcement check):
For the monitor and allow actions, the application is blocked if it is detected on a
non-default port (as defined in the FortiGate application signature).
2- Allow and log DNS traffic:
Clients make many DNS requests just to load one application. Logging all of these DNS
requests across hundreds or thousands of clients adds load to the FortiGate, because it
consumes a lot of system resources.
This option should be enabled during an investigation only.
3- Replace messages for HTTP-based applications:
This setting allows you to replace blocked content from HTTP/HTTPS applications with a
default or custom message.
For non-HTTP/HTTPS applications, FortiGate only drops packets or resets TCP
connections.
This option lets you explain to users why their content was blocked.
4- Network protocol enforcement:
Protocol enforcement is added to the application control profile so that network
services (such as FTP, HTTP, and HTTPS) are allowed on their known ports (such as 21, 80,
and 443) while the same services are blocked on other ports.
This feature can be used in the following scenarios:
• When a protocol dissector/decoder confirms the service of the network traffic,
protocol enforcement checks whether the confirmed service is allowlisted under the
server port.
If it is not allowlisted, the traffic is considered a violation and IPS takes the
action specified in the configuration (block or monitor).
• When there is no confirmed service for the network traffic:
If the IPS dissectors/decoders exclude all services enforced under that server port, the
traffic is considered a service violation.
For example, if port 21 is configured for FTP and the IPS profiler cannot determine the
exact service but determines that it is not FTP, the non-FTP traffic on port 21 is a
violation.
5- Blocking QUIC:
QUIC is a protocol from Google that uses UDP instead of standard TCP connections for
web access.
Web filtering does not scan UDP traffic.
Blocking QUIC forces Google Chrome to fall back to HTTP/2 over TLS 1.2, and FortiGate
logs that QUIC was blocked. The default action for QUIC is Block.
Blocking QUIC by default in the application control profile is no longer necessary
now that HTTP/3 over QUIC is fully supported by FortiOS.
✓ Scanning Order
A- The IPS engine, using the protocol decoders, detects the presence of a matching
application signature in the traffic stream.
B- FortiGate then evaluates the matching application against the application control
profile in the following order:
1- Application & Filter Overrides:
If you have configured any application overrides or filter overrides, the application
control profile considers them first and looks for a matching override.
2- Category:
If no override matches, the application control profile applies the action you
configured for the application's category.
✓ Application Control Actions:
1- Allow:
Allow the traffic to pass, continue to the next scan, and do not log.
2- Monitor (allow but log):
Allow the traffic to pass, continue to the next scan, and generate log information at
the same time.
3- Block (drop packets and log):
Discard the detected traffic and record a log.
4- Quarantine (block and log for a period of time):
Block traffic from the attacker IP until the expiration time (quarantine duration) is
reached, and generate a log message.
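As an added example (not FortiOS code or Fortinet's own), the following Python model walks through the hierarchy (Facebook blocked while Facebook Chat is allowed), the three filter types, the scanning order (overrides before category), the port enforcement check and the two network protocol enforcement scenarios described above. The application names, categories, risk ratings, default ports and the "application override before filter override" order are constructed assumptions.

```python
# Constructed application metadata standing in for signature-database entries
# (names, categories, risk ratings and default ports are assumptions).
APPS = {
    "Facebook":      {"category": "Social.Media",  "risk": "medium", "ports": {443}},
    "Facebook.Chat": {"category": "Social.Media",  "risk": "medium", "ports": {443}},
    "TeamViewer":    {"category": "Remote.Access", "risk": "medium", "ports": {5938, 443}},
    "BitTorrent":    {"category": "P2P",           "risk": "high",   "ports": {6881}},
}

# Constructed profile mirroring the three filter types and the additional options.
PROFILE = {
    "app_overrides": {"Facebook.Chat": "allow"},            # application override
    "filter_overrides": [({"risk": "high"}, "block")],       # filter override on risk
    "categories": {"Social.Media": "block", "Remote.Access": "monitor"},
    "enforce_default_app_port": True,                       # port enforcement check
    "network_services": {21: {"ftp"}, 80: {"http"}, 443: {"https"}},  # protocol enforcement
}

def app_action(profile, app):
    """Scanning order from the notes: overrides first (application, then filter, assumed), then category."""
    meta = APPS[app]
    if app in profile["app_overrides"]:
        return profile["app_overrides"][app]
    for conditions, action in profile["filter_overrides"]:
        if all(meta.get(key) == value for key, value in conditions.items()):
            return action
    return profile["categories"].get(meta["category"], "allow")

def decide(profile, app, port):
    """Final action for an application seen on a given server port."""
    action = app_action(profile, app)
    # Port enforcement: an allow/monitor result becomes block on a non-default port.
    if (profile["enforce_default_app_port"] and action in ("allow", "monitor")
            and port not in APPS[app]["ports"]):
        return "block"
    return action

def protocol_violation(profile, port, confirmed=None, excluded=frozenset()):
    """True if a flow on an enforced port violates network protocol enforcement.
    confirmed: service the decoder identified (None if none); excluded: services ruled out."""
    allowed = profile["network_services"].get(port)
    if allowed is None:            # port is not enforced at all
        return False
    if confirmed is not None:      # scenario 1: confirmed service must be allowlisted
        return confirmed not in allowed
    return allowed <= excluded     # scenario 2: every allowlisted service was ruled out
```

The page's own port 21 case is `protocol_violation(PROFILE, 21, None, {"ftp"})`: nothing confirmed, FTP ruled out, so the flow is a violation.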
✓ View Signatures vs. View Cloud Signatures
View Signatures:
View application control signatures that are created by Fortinet based on data from
the FortiGuard Labs Threat Research Team.
Applications with cloud behavior are applications that are designed to be used in the
cloud. They are typically designed to be scalable, resilient, and secure.
View Cloud Signatures:
View cloud signatures that are created by Fortinet based on data from the cloud.
This data includes information about popular cloud applications, as well as malicious
traffic that is being used to attack those applications.
Cloud signatures are updated more frequently than FortiGate application control
signatures.
All cloud applications require SSL inspection to be set to deep inspection.
* Logging must be enabled on the firewall policy {All or UTM}. (1)
UTM logging: logs all traffic that is inspected by the UTM security profiles {antivirus, web
filtering, application control, IPS, ...}.
All logging: logs all traffic that passes through the firewall.
* An application control profile must be applied to the firewall policy to enable
application control event logging. (2)
* FortiGate logs all application control events in the Security Events pane of the Logs
& Reports page.
* The Forward Traffic log pane gives you more details about application control
traffic logs.
* On the Dashboard menu, the FortiView Applications pane gives detailed information
about each application, such as application name, category, and bandwidth.
✓ Application control best practices
1- Not all traffic requires application control scanning. Be as specific as possible when
creating firewall policies, and apply application control only to the traffic that requires it.
• Specify the source and destination within the firewall policy as narrowly as possible.
• Do not apply application control to internal-to-internal traffic.
{This minimizes resource usage on the FortiGate and also helps you build a more
secure firewall configuration.}
2- For the SSL/SSH detection method, select Deep-Inspection instead of Certificate-based
to ensure content detection for encrypted protocols.
3- Use a FortiCloud account to save and view application control event logs (free 7-day
log storage), especially for FortiGate devices that do not have an internal disk for
logging.