Application control examples
To help give a better understanding of how to implement Application Control and to give some ideas as to why it would be used, a number of examples of scenarios are included.
Blocking all instant messaging
Instant messaging use is not permitted at the Example Corporation. Application control helps enforce this policy. First you will create an application sensor with a single entry that includes all instant messaging applications. You will set the list action to block.
To create the application sensor
1. Go to Security Profiles > Application Control.
2. Select the Create New icon in the title bar of the Edit Application Sensor window.
3. In the Name field, enter no_IM for the application sensor name.
4. Left-click on the IM category.
5. From the dropdown select Block.
6. Select OK to save the new sensor. Next you will assign the sensor to a policy.
To enable application control and select the application sensor
1. Go to Policy & Objects > IPv4 Policy.
2. Select the security policy that allows the network users to access the Internet and choose Edit.
3. Under the heading Security Profiles toggle the button next to Application Control to turn it on.
4. In the drop down menu field next to the Application Control select the no_IM application sensor.
5. Select OK.
No IM use will be allowed by the security policy. If other firewall policies handle traffic that users could use for IM, enable application control with the no IM application sensor for those as well.
Allowing only software updates
Some departments at Example Corporation do not require access to the Internet to perform their duties. Management therefore decided to block their Internet access. Software updates quickly became an issue because automatic updates will not function without Internet access and manual application of updates is time- consuming.
The solution is configuring application control to allow only automatic software updates to access the Internet.
To create an application sensor — web-based manager
1. Go to Security Profiles > Application Control.
2. Select the Create New icon in the title bar of the Edit Application Sensor window.
3. In the Name field, enter Updates_Only as the application sensor name.
4. Using the left-click and drop down on the items in the Category lis..
a. Select Monitor from the dropdown menu.
b. Select Block for the rest of the categories.
5. Select OK.
To create an application sensor — CLI
config application list edit Updates_Only
config entries edit 1
set category 17 set action pass
end
set other-application-action block set unknown-application-action block
end
You will notice that there are some differences in the naming convention between the Web Based Interface and the CLI. For instance the Action in the CLI is “pass” and the Action in the Web Based Manager is “Monitor”.
Selecting the application sensor in a security policy
An application sensor directs the FortiGate unit to scan network traffic only when it is selected in a security policy. When an application sensor is selected in a security policy, its settings are applied to all the traffic the security policy handles.
To select the application sensor in a security policy — web-based manager
1. Go to Policy & Objects > IPv4 Policy.
2. Select a policy.
3. Select the Edit icon.
4. Under the heading Security Profiles toggle the button next to Application Control to turn it on.
5. In the drop down menu field next to the Application Control select the Updates_only list.
6. Select OK.
To select the application sensor in a security policy — CLI
config firewall policy edit 1
set utm-status enable
set profile-protocol-options default set application-list Updates_Only
end
Traffic handled by the security policy you modified will be scanned for application traffic. Software updates are permitted and all other application traffic is blocked.