Enable application control
Application control inspects the traffic passing through the FortiGate unit, identifies the applications that generated it using application signatures, and applies the action you configure (allow, monitor, block, reset or traffic shaping) to the traffic of the applications you want to control.
General configuration steps
Follow the configuration procedures in the order given. Also, note that if you perform any additional actions between procedures, your configuration may have different results.
- Create an application sensor.
- Configure the sensor to include the signatures for the application traffic you want the FortiGate unit to detect.
- Enable any other applicable options.
- Enable application control in a security policy and select the application sensor.
Creating an application sensor
You need to create an application sensor before you can enable application control.
To create an application sensor
- Go to Security Profiles > Application Control.
- Select the Create New icon in the title bar of the Edit Application Sensor window.
- In the Name field, enter the name of the new application sensor.
- Optionally, you may also enter a comment.
Adding applications to an application sensor
Once you have created an application sensor, you need to define the applications that you want to control. You can add applications using categories and/or application overrides. Categories let you select groups of signatures based on a category type. Application overrides let you select individual applications, and an override takes precedence over the category setting for that application.
To add a category of signatures to the sensor
- Go to Security Profiles > Application Control.
- In the Category section, select zero or more of the following categories:
- Botnet
- Business
- Cloud.IT
- Collaboration
- Game
- General.Interest
- IM
- Network.Service
- P2P
- Proxy
- Remote.Access
- Social.Media
- Storage.Backup
- Update
- Video/Audio
- VoIP
- Industrial
- Web.Others
- All Other Known Applications
- All Other Unknown Applications
When selecting the category that you intend to work with, left click on the category name to produce a drop down menu that includes:
- Allow
- Monitor (allow the traffic, but log it)
- Block
- Reset
- Traffic Shaping
- View Signatures
- If you wish to add individual applications, use the Application Overrides widget.
- Select the Add Signatures icon.
- Use the Search field to narrow down the list of possible signatures.
- Select Use Selected Signatures.
- Enable any of the following options that apply:
- Deep Inspection of Cloud Applications
- Allow and Log DNS Traffic
- Replacement Messages for HTTP-based Applications
- Select Apply.
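The procedure above, expressed as the equivalent FortiOS CLI configuration. This is an added example and not part of the original page: it creates the sensor, blocks one category, monitors (allows and logs) one application override, sets the behaviour for all other known and unknown applications, enables the two optional settings, and then selects the sensor in a firewall policy. The sensor name, the policy number and interface names, the SSL/SSH inspection profile name, and the category ID (2, taken here to be P2P) and application ID (15816) are assumptions for illustration; confirm the IDs on your own unit with `set category ?` and `set application ?` inside `config entries`. Lines starting with `#` are comments for the reader.

```text
# Added example, not from the original page. Names and IDs are assumptions.
config application list
    edit "app-control-example"
        set comment "Block P2P, monitor one override, log everything else"
        # GUI: Replacement Messages for HTTP-based Applications (default is enable)
        set app-replacemsg enable
        # GUI: Deep Inspection of Cloud Applications
        set deep-app-inspection enable
        # GUI: Allow and Log DNS Traffic
        set options allow-dns
        # GUI category "All Other Known Applications": allow, but log
        set other-application-action pass
        set other-application-log enable
        # GUI category "All Other Unknown Applications": allow, but log
        set unknown-application-action pass
        set unknown-application-log enable
        config entries
            # Category entry. Category ID 2 is assumed to be P2P; verify with "set category ?"
            edit 1
                set category 2
                set action block
                set log enable
            next
            # Application override. 15816 is an assumed signature ID; verify with "set application ?"
            # "Monitor" in the GUI is action pass with logging enabled
            edit 2
                set application 15816
                set action pass
                set log enable
            next
        end
    next
end

# Select the sensor in a security policy (policy ID and interfaces are assumptions)
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set utm-status enable
        set application-list "app-control-example"
        # An SSL/SSH inspection profile is required for the sensor to classify
        # HTTPS traffic; "certificate-inspection" is the assumed profile name
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
    next
end
```

After applying the policy, generate some traffic that matches the blocked category and check the application control log (Log & Report) for the block events before relying on the sensor. Without an SSL/SSH inspection profile on the policy, encrypted flows can only be classified from what is visible in the clear, so a sensor that looks correct in the GUI may pass HTTPS applications you intended to block.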
Creating a New Custom Application Signature
If you need to control an application that is not already in the Application List, you can create a custom application signature for it.
- Go to Security Profiles > Application Control.
- Select the link in the upper right corner, [View Application Signatures]
- Select the Create New icon
- Give the new signature a name (no spaces) in the Name field.
- Enter a brief description in the Comments field.
- Enter the text for the signature in the signature field. Use the rules found in the Custom IPS signature chapter to determine syntax.
- Select OK.
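The same custom application signature created from the CLI, as an added example that is not part of the original page. The signature name, the matched HTTP Host header value (a constructed, non-routable name), the category ID 6 (assumed here to be Proxy) and the `--app_cat` keyword are assumptions for illustration; the signature body must follow the rules in the Custom IPS signature chapter, so check each keyword against that chapter before using it.

```text
# Added example, not from the original page. Name, pattern and category ID are assumptions.
config application custom
    edit "Custom.Example.App"
        set comment "Matches HTTP requests whose Host header names the constructed example service"
        # F-SBID body: TCP, HTTP service, case-insensitive match on the Host header,
        # placed in application category 6 (assumed to be Proxy)
        set signature "F-SBID( --name \"Custom.Example.App\"; --protocol tcp; --service HTTP; --pattern \"app.example.invalid\"; --no_case; --context host; --app_cat 6; )"
        set category 6
    next
end
```

Once created, the custom signature appears in the Application List and can be added to a sensor as an application override like any built-in signature. Test it with a request carrying the expected Host header and confirm a log entry for Custom.Example.App before assigning it a block action.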
Enabling application traffic shaping
Enabling traffic shaping in an application sensor involves selecting the required shaper. You can create or edit shapers in Policy & Objects > Objects > Traffic Shapers.
To enable traffic shaping
- Go to Security Profiles > Application Control.
- Select the application signatures or categories in the Application Control sensor that you want to shape.
- If a category is selected, left click on the category name, select Traffic Shaping, and select the desired traffic shaper.
- Select Apply.
Any security policy with this application sensor selected will shape application traffic according to the applications specified in the list entry and the shaper configuration.
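The shaper procedure above in FortiOS CLI form, as an added example that is not part of the original page: it creates a shared traffic shaper (the object the GUI lists under Policy & Objects > Objects > Traffic Shapers) and attaches it to a category entry in a sensor, in both directions. The shaper name, bandwidth value, sensor name, entry ID and the category ID 5 (assumed here to be Video/Audio) are assumptions; `edit` creates the sensor if it does not already exist.

```text
# Added example, not from the original page. Names, values and IDs are assumptions.
# A shared shaper: maximum-bandwidth is in kbps, and per-policy disable means the
# limit is shared by every policy and sensor entry that references the shaper.
config firewall shaper traffic-shaper
    edit "video-2mbps"
        set maximum-bandwidth 2048
        set guaranteed-bandwidth 0
        set priority low
        set per-policy disable
    next
end

config application list
    edit "app-control-example"
        config entries
            # Category ID 5 is assumed to be Video/Audio; verify with "set category ?"
            edit 3
                set category 5
                set action pass
                set log enable
                # Shape client-to-server and server-to-client traffic for this category
                set shaper "video-2mbps"
                set shaper-reverse "video-2mbps"
            next
        end
    next
end
```

Shaping only takes effect once a security policy that selects this sensor matches the traffic; a shaper set on an entry whose action is block has nothing left to shape.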
Messages in response to blocked applications
Once an application sensor that blocks a specified application has been applied to a policy, that application will eventually be blocked, if only when you test the control. When this happens, the sensor can either display a replacement message to the offending user or block the traffic without any notification. The default setting is to display a message; it applies to HTTP-based applications only, which is why the GUI option is named Replacement Messages for HTTP-based Applications. The setting is configured in the CLI:
config application list
    edit <name of the sensor>
        set app-replacemsg {enable | disable}
    next
end