Application Visibility (DPI)
You can monitor and/or block the traffic of specific applications in your network. FortiWLC (SD) can monitor and restrict access to the applications/services listed under Configuration > Access Control > Application
Limitations and Recommendations
- To export DPI status to a FortiWLM server, the export destination port must be set to 4739.
- If the total number of ESS profiles and the total number of APs in the controller are at the maximum allowed, a policy cannot be created. When configuring each policy:
- A policy can be applied to at most 64 ESS profiles. Tip: to support this maximum, keep each ESS name to 15 characters or less.
- A policy can be applied to at most 186 APs. To support this maximum, the AP IDs must fall within the range 1 to 500. Tip: to maximize AP coverage, create AP groups and use those instead of listing individual APs.
- BitTorrent downloads can be monitored but cannot be blocked.
- In a custom application, BitTorrent traffic cannot be monitored or blocked.
- Advanced detection of sub-protocol traffic is a resource-intensive task, so we recommend that you use it in moderation.
- It is recommended that you do not delete custom applications (under the Settings > Custom Application tab in Application). Deleting a custom application can result in an incorrect display of the top 10 applications in the dashboard.
- A custom application is monitored by default even if it is not mapped to a policy. For it to be blocked, it must be added to a policy.
- Setting up application monitoring or blocking requires you to enable DPI and create the appropriate policies.
To set up and use the application monitoring:
- Enable Application Visibility
- Create Policies
- Associate system defined and/or custom applications to policies
Enable Application Visibility
To enable DPI, go to the Configuration > Applications > Settings tab.
- Select ON for Enable Application Classification. This is a global setting and enables DPI on all APs.
- Export Interval is a non-configurable field that is set to 90 seconds.
- Export Destination: Specify or edit (if automatically pushed by Network Manager) the IP address of the correct Network Manager server. This is used to export statistics to the Network Manager server.
- To export values to Fortinet Network Manager, select Enable Netflow Export and specify the Fortinet Network Manager server IP (Export Destination).
Creating a Policy
You can create policies to monitor and block the traffic of one or more applications. A policy can be scoped to one of the following:
- All ESS profiles
- Per ESS profile
- All APs
- Per AP
- Per AP Group
- ESS and AP Combination
Example
The following screenshots illustrate the procedure to create a policy that blocks Yelp traffic from clients connected to the sdpi-832-t ESS profile via AP-3.
- Click the ADD button to view the application list.
- Select the application from the list and click the ADD button.
- Select Block from the dropdown list and click the SAVE button.
List of policies
- Policy: The status of the policy
- Advanced Detection: Select Enable to view the sub-protocols of a system-defined application or protocol.
- Application ID List: List of system-defined and/or custom applications that are blocked or monitored by the policy. Blocked applications are shown in red and applications that are only monitored are shown in green.
- ESSID List: The name of the ESS profile configured for this policy. The policy applies to clients that connect using this ESS profile and access the monitored application.
- AP Groups or APs: The list of APs or AP groups configured for this policy. The policy applies to clients that connect via these APs or AP groups and access the monitored application.
- Owner: The owner is either controller or NMS. If the policy is created in the controller the owner is listed as controller.
- Search: To locate a specific policy by Name, AP, ESS, or owner, enter the keyword in the search box and hit the Enter key. This will highlight the corresponding row that matches the keyword. To filter the display based on Status, select the status (from the dropdown) to highlight the corresponding rows.
- Policy Reordering: Policies are executed in the order they are displayed. To reorder policy priority, click the Reorder button and use the arrows in the action column to move them up or down the listing order. You must save this for the reorder changes to take effect.
In the following illustration, the ESSID MTS and APID AP-8 appear in both corporate-1 and corporate-2 policies. The corporate-1 policy allows Facebook traffic and corporate-2 blocks Facebook traffic. Since corporate-1 is higher in the order than corporate-2, Facebook will be allowed and not blocked. However, for AP-10 Facebook will be blocked as per corporate-2 policy.
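The ordering rule above, modelled as an added example (not code from the FortiWLC documentation or product): policies are walked in display order and the first one that applies to the client's ESSID and AP and lists the application decides. The policy names, ESSID, AP IDs and the assumption that an empty ESS or AP selector means "all" are constructed to mirror the corporate-1 / corporate-2 illustration.

```python
# Added example (not from the FortiWLC documentation): a small model of how
# ordered application-visibility policies resolve for a given client.
# Assumption: an empty essids/apids selector means the policy covers all
# ESS profiles / all APs.
from dataclasses import dataclass, field

FACEBOOK = 2  # APPID shown for facebook in the application-summary output


@dataclass
class Policy:
    name: str
    enabled: bool
    appids: dict                                # app-id -> "A" (allow/monitor) or "B" (block)
    essids: set = field(default_factory=set)    # empty = all ESS profiles
    apids: set = field(default_factory=set)     # empty = all APs


def matches(policy, essid, apid):
    """A policy applies when it is enabled and both selectors match."""
    if not policy.enabled:
        return False
    ess_ok = not policy.essids or essid in policy.essids
    ap_ok = not policy.apids or apid in policy.apids
    return ess_ok and ap_ok


def resolve(policies, essid, apid, appid):
    """Walk the policies in display order; the first policy that applies to
    the client and lists the application decides the action.
    Returns ("allow" | "block", policy name), or (None, None) when no policy
    mentions the application (it is then neither monitored nor blocked)."""
    for p in policies:
        if matches(p, essid, apid) and appid in p.appids:
            return ("block" if p.appids[appid] == "B" else "allow"), p.name
    return None, None


# Constructed policies mirroring the illustration: both list ESSID MTS and
# AP-8; corporate-1 allows Facebook, corporate-2 blocks it and also covers AP-10.
POLICIES = [
    Policy("corporate-1", True, {FACEBOOK: "A"}, {"MTS"}, {"AP-8"}),
    Policy("corporate-2", True, {FACEBOOK: "B"}, {"MTS"}, {"AP-8", "AP-10"}),
]

if __name__ == "__main__":
    print(resolve(POLICIES, "MTS", "AP-8", FACEBOOK))         # allowed by corporate-1
    print(resolve(POLICIES, "MTS", "AP-10", FACEBOOK))        # blocked by corporate-2
    print(resolve(POLICIES[::-1], "MTS", "AP-8", FACEBOOK))   # after reordering: blocked
```

Reversing the list reproduces what the Reorder button does: once corporate-2 sits above corporate-1, the AP-8 client is blocked too.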
Custom Applications
Custom applications are user-defined applications that are not part of the system defined applications. You can add a maximum of 32 applications in the controller and a maximum of 32 applications on Network Manager.
A custom application is a combination of one or more of the following:
- Predefined L4 and L7 protocols
- Source and/or Destination Ports
- User Agents
- Any HTTP/HTTPS URL
- Destination IP
Creating a Custom Application and assigning it to a Policy
- To create a custom application, go to Application > Settings > Custom Applications and click Add.
- Enter the properties for the custom application and click Save. In this simple example, traffic from www.bbc.com will be monitored.
- Add the custom application to a policy using the same steps described in “Example” on page 408. In sub-step 4 of the figure, scroll down to the very end of the list to locate the custom application, select it, and then select the policy setting.
DPI Dashboard
The DPI dashboard shows applications that are configured for monitoring (detect) only. Applications that are blocked are not displayed in the dashboard as they are dropped by the AP.
- The graph displays a pie chart with the top 10 applications (by usage) that are monitored.
- The list of top 10 stations that are connected to one or more of the top 10 applications. This does not represent the usage of a specific application by the station.
- List of APs that are passing traffic for one or more of the top 10 applications
- List of ESS profiles that are passing traffic for one or more of the top 10 applications
- This table lists the top 10 applications and displays numerical (integer) statistics: the number of stations, ESS profiles, and APs, and the traffic size in bytes.
- This table shows historical data for application traffic in the last 24 hours.
Using CLI
Creating a Policy
- In config mode, use the app-visibility-policy <policy-name> command.
- Enable the policy with the state enable command.
- Specify the application ID and the rule type with appids <application-ID>:<type>, where the type is A to allow the traffic and monitor its usage, or B to block the traffic.
- A single policy can contain rules that both monitor and block application traffic.
mc1500(15)(config)# app-visibility-policy CorpNet
mc1500(15)(config-app-visibility-policy)# description ""
mc1500(15)(config-app-visibility-policy)# state enable
mc1500(15)(config-app-visibility-policy)# appids 6:B
mc1500(15)(config-app-visibility-policy)# essids stability
mc1500(15)(config-app-visibility-policy)# apids "5:A"
mc1500(15)(config-app-visibility-policy)# owner controller
mc1500(15)(config-app-visibility-policy)# version 0
mc1500(15)(config-app-visibility-policy)# exit
To view the policies and rule types configured for a specific AP, use the show application-visibility policy-config-service <ap-id> command.
mc1500(15)# show application-visibility policy-config-service 5
AP  ESSID  APPID  Action
5   1      2      Allow
5   1      5      Allow
5   1      6      Block
5   1      8      Allow
5   1      24     Allow
5   1      32     Allow
5   1      41     Allow
5   1      70     Allow
Application Visibility Policy Service(8)
Legends
Figure 71: DPI Config Option Legends
Label Description
- When used for an application, the label means allow, detect, and monitor the application traffic.
- Used to detect and block the application traffic.
A When used as an AP ID, refers to adding an individual AP.
L Used to add an AP group to a policy.
Monitoring Policies
mc1500(15)# sh service-summary Application-Visibility
Feature Type Name Value ValueStr
Application-Visibility Application myspace 100 {"util":3006.76,"tx":6943001576,"rx":257651566}
Application-Visibility Application amazon_cloud 0 {"util":474.84,"tx":1093389603,"rx":43774451}
Application-Visibility Application facebook 0 {"util":184.00,"tx":421673492,"rx":18973696}
Application-Visibility Application twitter 0 {"util":164.58,"tx":358628579,"rx":35513363}
Application-Visibility Application unknown 0 {"util":97.92,"tx":221291109,"rx":13202213}
Application-Visibility Application amazon_shop 0 {"util":77.81,"tx":162324404,"rx":24026568}
Application-Visibility Application linkedin 0 {"util":48.60,"tx":109814218,"rx":6565367}
Application-Visibility Application youtube 0 {"util":1.34,"tx":2910287,"rx":292302}
Application-Visibility Station 58:94:6b:b5:ca:c4 100 {"util":591.86,"tx":1364192275,"rx":53208638}
Application-Visibility Station 00:27:10:cb:90:40 0 {"util":571.51,"tx":1317000065,"rx":51657115}
Application-Visibility Station 10:0b:a9:44:f6:ac 0 {"util":297.04,"tx":681777356,"rx":29579769}
Application-Visibility Station 24:77:03:80:4c:60 0 {"util":294.30,"tx":676177538,"rx":28620457}
Application-Visibility Station 84:3a:4b:48:1e:c0 0 {"util":291.67,"tx":668985331,"rx":29513381}
Application-Visibility Station 24:77:03:80:2e:48 0 {"util":287.46,"tx":660217415,"rx":28188180}
Application-Visibility Station 08:11:96:7d:cf:80 0 {"util":286.78,"tx":657504303,"rx":29271859}
Application-Visibility Station 24:77:03:80:a4:40 0 {"util":281.94,"tx":646183947,"rx":29009375}
Application-Visibility Station 24:77:03:80:5f:54 0 {"util":280.23,"tx":645624714,"rx":25475052}
Application-Visibility Station 24:77:03:85:b4:50 0 {"util":279.89,"tx":641592459,"rx":28689908}
Application-Visibility EssId stability 100 {"util":4055.84,"tx":9313033268,"rx":399999526}
Application-Visibility AP AP-109 100 {"util":4055.84,"tx":9313033268,"rx":399999526}
Service Data Summary(20 entries)
mc1500(15)# sh ap
ap ap-certificate ap-discovered ap-onlinehistory ap-reboot-event ap-redirect application-visibility
ap-assigned ap-connectivity ap-neighbor ap-rebootcount ap-reboot-top10 ap-swap
mc1500(15)# sh application-visibility application-summary
APPID  Name          Station Counts  AP Counts  ESS Counts  Tx Bytes    Rx Bytes   TxRx Bytes
5      myspace       12              1          1           7274981850  269918317  7544900167
24     amazon_cloud  13              1          1           1149026229  45994062   1195020291
2      facebook      13              1          1           443832821   19962877   463795698
8      twitter       13              1          1           375850987   37259491   413110478
0      unknown       20              1          1           233565871   13899667   247465538
70     amazon_shop   13              1          1           170637983   25318821   195956804
41     linkedin      12              1          1           115430025   6896689    122326714
32     youtube       13              1          1           3022484     304784     3327268
Application Visibility Statistics Summary(8)
mc1500(15)#
mc1500(15)# sh service-summary-trend Application-Visibility
Feature Type Name StartTime EndTime Value ValueStr
Application-Visibility Application myspace 01/17/2009 01:00:00 01/17/2009 02:00:00 370191907 {"util":254501.59,"tx":3561906268,"rx":140012805}
Application-Visibility Application amazon_cloud 01/17/2009 01:00:00 01/17/2009 02:00:00 523131985 {"util":35964.57,"tx":502700232,"rx":20431753}
Application-Visibility Application twitter 01/17/2009 01:00:00 01/17/2009 02:00:00 221967525 {"util":15259.95,"tx":202733592,"rx":19233933}
Application-Visibility Application facebook 01/17/2009 01:00:00 01/17/2009 02:00:00 220636588 {"util":15168.45,"tx":210304218,"rx":10332370}
Application-Visibility Application unknown 01/17/2009 01:00:00 01/17/2009 02:00:00 113502079 {"util":7803.10,"tx":106412520,"rx":7089559}
Application-Visibility Application amazon_shop 01/17/2009 01:00:00 01/17/2009 02:00:00 106703142 {"util":7335.69,"tx":93322094,"rx":13381048}
Application-Visibility Application linkedin 01/17/2009 01:00:00 01/17/2009 02:00:00 58696435 {"util":4035.30,"tx":55165018,"rx":3531417}
Application-Visibility Application youtube 01/17/2009 01:00:00 01/17/2009 02:00:00 1454576 {"util":100.00,"tx":1315107,"rx":139469}
Application-Visibility Application myspace 01/17/2009 02:00:00 01/17/2009 03:00:00 781850640 {"util":264335.11,"tx":7508697893,"rx":309808509}
Application-Visibility Application amazon_cloud 01/17/2009 02:00:00 01/17/2009 03:00:00 112454581 {"util":38019.66,"tx":1078606475,"rx":45939338}
Application-Visibility Application facebook 01/17/2009 02:00:00 01/17/2009 03:00:00 472612999 {"util":15978.53,"tx":448955762,"rx":23657237}
Application-Visibility Application twitter 01/17/2009 02:00:00 01/17/2009 03:00:00 442033093 {"util":14944.65,"tx":401239344,"rx":40793749}
Application-Visibility Application amazon_shop 01/17/2009 02:00:00 01/17/2009 03:00:00 229558452 {"util":7761.12,"tx":202329371,"rx":27229081}
Application-Visibility Application unknown 01/17/2009 02:00:00 01/17/2009 03:00:00 215482783 {"util":7285.24,"tx":200402948,"rx":15079835}
Application-Visibility Application linkedin 01/17/2009 02:00:00 01/17/2009 03:00:00 125984872 {"util":4259.41,"tx":118235346,"rx":7749526}
Application-Visibility Application youtube 01/17/2009 02:00:00 01/17/2009 03:00:00 2957801 {"util":100.00,"tx":2659330,"rx":298471}
Application-Visibility Application myspace 01/17/2009 03:00:00 01/17/2009 04:00:00 859492100 {"util":269614.13,"tx":8269499897,"rx":325421104}
Application-Visibility Application amazon_cloud 01/17/2009 03:00:00 01/17/2009 04:00:00 116518953 {"util":36550.84,"tx":1119128571,"rx":46060960}
Application-Visibility Application facebook 01/17/2009 03:00:00 01/17/2009 04:00:00 461844358 {"util":14487.60,"tx":440897736,"rx":20946622}
Application-Visibility Application twitter 01/17/2009 03:00:00 01/17/2009 04:00:00 408573605 {"util":12816.55,"tx":369504893,"rx":39068712}
Application-Visibility Application unknown 01/17/2009 03:00:00 01/17/2009 04:00:00 237048541 {"util":7435.98,"tx":221824322,"rx":15224219}
Application-Visibility Application amazon_shop 01/17/2009 03:00:00 01/17/2009 04:00:00 204090068 {"util":6402.10,"tx":178965615,"rx":25124453}
Application-Visibility Application linkedin 01/17/2009 03:00:00 01/17/2009 04:00:00 121917540 {"util":3824.43,"tx":114827231,"rx":7090309}
Application-Visibility Application youtube 01/17/2009 03:00:00 01/17/2009 04:00:00 3187860 {"util":100.00,"tx":2879796,"rx":308064}
Service Data Summary Trend(24 entries)
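For scripted monitoring of the sh service-summary Application-Visibility output shown above, an added example (not code from the FortiWLC documentation or product) that turns pasted rows into records and ranks the top talkers per row type. The sample rows are copied from that output; the column layout (Feature Type Name Value ValueStr, with a JSON-like ValueStr) is assumed from it, and one row deliberately keeps the curly quotes that copy-pasted CLI output often carries.

```python
# Added example (not from the FortiWLC documentation): parse pasted
# "sh service-summary Application-Visibility" rows and rank top talkers.
import json

# Sample rows copied from the CLI output above (one row keeps curly quotes
# on purpose, as pasted terminal text often does).
SAMPLE = """\
Feature Type Name Value ValueStr
Application-Visibility Application myspace 100 {"util":3006.76,"tx":6943001576,"rx":257651566}
Application-Visibility Application facebook 0 {"util":184.00,"tx":421673492,"rx":18973696}
Application-Visibility Station 58:94:6b:b5:ca:c4 100 {“util”:591.86,”tx”:1364192275,”rx”:53208638}
Application-Visibility Station 00:27:10:cb:90:40 0 {"util":571.51,"tx":1317000065,"rx":51657115}
Application-Visibility EssId stability 100 {"util":4055.84,"tx":9313033268,"rx":399999526}
Service Data Summary(20 entries)
"""


def parse_service_summary(text):
    """Return one dict per data row; the header and trailer lines are skipped.
    Curly quotes are normalised before ValueStr is decoded as JSON."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) != 5 or not parts[0].startswith("Application"):
            continue
        feature, rtype, name, value, valuestr = parts
        valuestr = valuestr.replace("\u201c", '"').replace("\u201d", '"')
        stats = json.loads(valuestr)
        records.append({"type": rtype, "name": name, "value": int(value),
                        "util": float(stats["util"]),
                        "tx": int(stats["tx"]), "rx": int(stats["rx"])})
    return records


def top_by_bytes(records, rtype, n=10):
    """Top n names of the given row type (Application, Station, EssId, AP)
    ordered by total tx+rx bytes."""
    rows = [(r["name"], r["tx"] + r["rx"]) for r in records if r["type"] == rtype]
    return sorted(rows, key=lambda row: row[1], reverse=True)[:n]


def share_of_essid(records, essid, station):
    """Fraction of an ESSID's total bytes attributed to one station MAC."""
    by_key = {(r["type"], r["name"]): r["tx"] + r["rx"] for r in records}
    return by_key[("Station", station)] / by_key[("EssId", essid)]


if __name__ == "__main__":
    recs = parse_service_summary(SAMPLE)
    print(top_by_bytes(recs, "Application", 2))
    print(round(share_of_essid(recs, "stability", "58:94:6b:b5:ca:c4"), 3))
```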
Additional capabilities in Application Visibility include the following:
- Blocked traffic statistics
- Support for wired clients using port profile
- Bandwidth throttling
- DSCP Markings
Blocked Statistics
The dashboard now provides detailed statistics on blocked traffic.
The BLOCKED APPLICATIONS section provides the following statistics:
- Application Name: The application traffic set to be blocked.
- # of Active Users: The number of users requesting access to the application.
- # of Active APs: The APs that block the traffic.
- # of ESSIDs / Port: The ESSID and Port profile connected to the wireless and wired clients.
- Utilization: Shows how much traffic is blocked.
Support for Wired Clients
You can add port profiles to a policy so that traffic from wired clients can also be detected, blocked, or bandwidth-controlled. The policy page lists the port profiles created in the controller. A policy can be created with a mix of ESS profiles and port profiles, with ESS profiles only, or with port profiles only. The following example creates a policy for wired ports via the CLI and then views its details.
default(15)# configure terminal
default(15)(config)#
default(15)(config)# app-visibility-policy wiredPorts
default(15)(config-app-visibility-policy)#
default(15)(config-app-visibility-policy)# port-profiles wired-profile
default(15)(config-app-visibility-policy)# state enable
default(15)(config-app-visibility-policy)# appids *
default(15)(config-app-visibility-policy)# advanced-detection enable
You can use comma separated values to add multiple port profiles.
Example:
default(15)(config-app-visibility-policy)# port-profiles wiredprofile,default
View Policy Details
default(15)# sh application-visibility policy wiredPorts
Application Visibility Policy
Policy Name : wiredPorts
Policy Order : 2
Description :
Policy : enable
Advanced Detection : enable
Bandwidth Limiting : disable
Application ID List : *
ESSID List :
AP Groups or APs :
Owner : controller
Port Profile List : wired-profile
default(15)#
Bandwidth Throttling
You can enforce bandwidth usage limits on selected applications.
- To enable bandwidth throttling, create a policy and select the Enable option for Bandwidth Limits.
- Select ESSID or Port Profile.
- Specify the maximum bandwidth limits for clients and for the SSID/Port.
                       Minimum   Maximum
Client                 150 kbps  1 Gbps
ESSID / Port Profile   150 kbps  12 Gbps
Limitations:
- Bandwidth throttle can be implemented on a maximum of 10 applications (individually or cumulatively across policies).
- When enabled the bandwidth throttling policy is applicable to all APs. AP and AP group selection is not available.
- The maximum bandwidth value configured for a client usage must be less than or equal to the value configured in ESSID or port traffic usage.
- Supported only for client traffic with tunnelled profile.
DSCP Markings
You can add a DSCP value to application traffic (upstream: AP to controller; downstream: AP to station) to change its priority. The DSCP value configured for the selected application is used to mark the detected application traffic (to a wireless or wired STA).
When a DSCP value is applied to application traffic, the value and its associated priority are maintained until the next node in the traffic path. If the traffic carrying the DSCP value passes through a QoS-aware switch, the DSCP value may be overridden by a QoS value specified by the switch.
For downstream traffic, the DSCP value is applied by the controller before forwarding to the AP. This is supported for ESSIDs in tunnelled mode only.
NOTE: DSCP markings can be added to a maximum of 10 applications (includes all policies).
To assign a DSCP value to application traffic, do the following:
- Go to the Configuration > Access Control > Application > Policies tab.
- Click the Add button to add a new policy.
In the new policy, enter the following details:
- A name for the policy.
- Select Enable to activate the policy.
- Select the ESS profile.
- Select the AP or AP group.
- Click the add icon to view the list of applications.
- Select the applications to be marked with DSCP values.
- For each listed application, you can specify an individual DSCP value from the dropdown under the DSCP Marking column.
Valid DSCP value strings
- af11, af12, af13
- af21, af22, af23
- af31, af32, af33
- af41, af42, af43
- cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7
- ef
- no
For more details about DSCP values, see: https://tools.ietf.org/html/rfc4594
CLI Commands
To enable DSCP marking for downstream traffic, use the following command:
default(15)(config)# app-visibility-config controller-dscp-marking-state enable
The following rule format configures DSCP marking and specifies bandwidth restrictions:
<app-id>:A or B|C:<per-client-bw-value>:<bw-unit>|E:<per-ess-bw-value>:<bw-unit>|D:<dscp-string>
- Application ID: <app-id>
- Rule type: A (allow) or B (block)
- Per-client bandwidth limit: C:<bw-value>:<bw-unit> [supported units K, M, G]
- Per-ESSID bandwidth limit: E:<bw-value>:<bw-unit> [supported units K, M, G]
- DSCP value: D:<dscp-value-string> [supported values: the DSCP strings listed above]
Example:
2:A|C:150:K|E:1:M|D:af11
The rule above allows traffic for the application with ID 2, limits the bandwidth of a client and of the ESS profile accessing this application to 150 kbps and 1 Mbps respectively, and sets the DSCP value for upstream traffic to af11.
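A pre-flight check for rule strings in this format, as an added example (not code from the FortiWLC documentation or product): it parses a rule and rejects values that violate the limits stated on this page (client 150 kbps to 1 Gbps, ESSID/port 150 kbps to 12 Gbps, client limit not above the ESSID limit, valid DSCP strings, and at most 10 throttled and 10 DSCP-marked applications across all policies). The decimal K/M/G multipliers are an assumption.

```python
# Added example (not from the FortiWLC documentation): validate appids rule
# strings of the form <app-id>:A|B|C:<bw>:<unit>|E:<bw>:<unit>|D:<dscp>
# against the limits stated in the text before committing them to a policy.
import re

DSCP_STRINGS = {"af11", "af12", "af13", "af21", "af22", "af23", "af31", "af32",
                "af33", "af41", "af42", "af43", "cs0", "cs1", "cs2", "cs3",
                "cs4", "cs5", "cs6", "cs7", "ef", "no"}
UNIT_KBPS = {"K": 1, "M": 1_000, "G": 1_000_000}   # assumed decimal multipliers
CLIENT_MIN, CLIENT_MAX = 150, 1_000_000            # kbps (150 kbps .. 1 Gbps)
ESS_MIN, ESS_MAX = 150, 12_000_000                 # kbps (150 kbps .. 12 Gbps)


def parse_rule(rule):
    """Return {'appid', 'action', 'client_kbps', 'ess_kbps', 'dscp'} or raise ValueError."""
    parts = rule.split("|")
    m = re.fullmatch(r"(\d+):([AB])", parts[0])
    if not m:
        raise ValueError(f"bad id/action segment: {parts[0]!r}")
    out = {"appid": int(m.group(1)), "action": m.group(2),
           "client_kbps": None, "ess_kbps": None, "dscp": None}
    for seg in parts[1:]:
        f = seg.split(":")
        if f[0] in ("C", "E") and len(f) == 3 and f[1].isdigit() and f[2] in UNIT_KBPS:
            kbps = int(f[1]) * UNIT_KBPS[f[2]]
            lo, hi = (CLIENT_MIN, CLIENT_MAX) if f[0] == "C" else (ESS_MIN, ESS_MAX)
            if not lo <= kbps <= hi:
                raise ValueError(f"{seg}: {kbps} kbps outside {lo}..{hi} kbps")
            out["client_kbps" if f[0] == "C" else "ess_kbps"] = kbps
        elif f[0] == "D" and len(f) == 2 and f[1] in DSCP_STRINGS:
            out["dscp"] = f[1]
        else:
            raise ValueError(f"unrecognised segment: {seg!r}")
    # The per-client limit must not exceed the ESSID/port limit.
    if out["client_kbps"] and out["ess_kbps"] and out["client_kbps"] > out["ess_kbps"]:
        raise ValueError("per-client limit must not exceed the ESSID/port limit")
    return out


def check_policy_set(rules):
    """Parse every rule across all policies and enforce the 10-application
    caps for bandwidth throttling and DSCP marking. Returns the parsed rules."""
    parsed = [parse_rule(r) for r in rules]
    throttled = {p["appid"] for p in parsed if p["client_kbps"] or p["ess_kbps"]}
    marked = {p["appid"] for p in parsed if p["dscp"]}
    if len(throttled) > 10:
        raise ValueError(f"{len(throttled)} throttled applications, limit is 10")
    if len(marked) > 10:
        raise ValueError(f"{len(marked)} DSCP-marked applications, limit is 10")
    return parsed


if __name__ == "__main__":
    print(parse_rule("2:A|C:150:K|E:1:M|D:af11"))
```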
Best Practices
The following are recommended best practices when creating application visibility policies.
- While it is possible to create a single policy that detects, blocks, or enforces bandwidth limits, it is recommended that you create individual policies that independently detect, block, or enforce bandwidth limits.
- Policies are prioritized in the following order
- Block
- Bandwidth Throttling
- Detect (General)