FortiOS 5.4 Online Help Link FortiOS 5.2 Online Help Link FortiOS 5.0 Online Help Link FortiOS 4.3 Online Help Link

Home

Video

FortiGuard

Fuse

KB

Support

  • All Files

Home > Online Help

> Chapter 21 - Security Profiles > Application control > Application control examples > Allowing only software updates

Allowing only software updates

Some departments at Example Corporation do not require access to the Internet to perform their duties. Management therefore decided to block their Internet access. Software updates quickly became an issue because automatic updates will not function without Internet access and manual application of updates is time-consuming.

The solution is configuring application control to allow only automatic software updates to access the Internet.

To create an application sensor — web-based manager
  1. Go to Security Profiles > Application Control.
  2. Select the Create New icon in the title bar of the Edit Application Sensor window.
  3. In the Name field, enter Updates_Only as the application sensor name.
  4. Using the left-click and drop down on the items in the Category list...
  1. Select Monitor from the dropdown menu.
  2. Select Block for the rest of the categories.
  1. Select OK.
To create an application sensor — CLI

config application list

edit Updates_Only

config entries

edit 1

set category 17

set action pass

end

set other-application-action block

set unknown-application-action block

end

You will notice that there are some differences in the naming convention between the Web Based Interface and the CLI. For instance the Action in the CLI is “pass” and the Action in the Web Based Manager is “Monitor”.

Selecting the application sensor in a security policy

An application sensor directs the FortiGate unit to scan network traffic only when it is selected in a security policy. When an application sensor is selected in a security policy, its settings are applied to all the traffic the security policy handles.

To select the application sensor in a security policy — web-based manager
  1. Go to Policy & Objects > Policy > IPv4.
  2. Select a policy.
  3. Select the Edit icon.
  4. Under the heading Security Profiles toggle the button next to Application Control to turn it on.
  5. In the drop down menu field next to the Application Control select the Updates_only list.
  6. Select OK.
To select the application sensor in a security policy — CLI

config firewall policy

edit 1

set utm-status enable

set profile-protocol-options default

set application-list Updates_Only

end

Traffic handled by the security policy you modified will be scanned for application traffic. Software updates are permitted and all other application traffic is blocked.

 

Copyright © 2018 Fortinet, Inc. All Rights Reserved. | Terms of Service | Privacy Policy