Application Control

Understanding Application Control 

• Identifies network application traffic. 

• Such as P2P, Gmail, Facebook 

• P2P traffic uses dynamic ports and hard to block on traditional firewalls 

• Application Control can scan secure protocols 

• Uses an IPS engine in flow-based scan only. 

• Ensure FortiGuard has the latest updates and is licensed, check System > FortiGuard > Application Control Signatures. 

• Selecting Upgrade Database will force FortiGate to check for the latest updates. 

• Check Fortiguard.com for application control rating 

Application Control Profiles 

• Firstly, create the application control profile, go to Security Policies > Application Control 

• Next, apply the application control profile on a Firewall Policy. 

• The Application Control Profiles uses flow-based scanning. 

• Cloud Application requires Deep inspection. 

• UDP is not scanned in web filter. 

• QUIC is a Google protocol. 

Protocol Enforcement  

• Protocol Enforcement enables you block or monitor known services on unknown ports. Such as if a common service is opening on a different port. Example, HTTP operating on port 45,643.  

• Go to, Security Profiles > Application Control 

Scanning Order 

• Firstly, the FortiGate looks for any applications within the Application and Filter Overrides, then it looks at the Categories lists. 

Actions 

• Allow – Allow the traffic and do not log 

• Monitor – Allow the traffic and generate logs 

• Block – Restrict the traffic, that is drop packets and log 

• Quarantine – Block the traffic and log traffic until the expiration interval 

Policy-based Firewall Mode 

• When operating in policy-based mode, specific more specific policies on top the list while less specific policies are placed at the lower section of the list. 

• To view the list of security policies and their order, go to Policy & Objects > Security Policy. 

• If the FortiGate is operating in Policy-based, check System > Settings: 

Creating a new Security Policy 

• Go to, Policy & Objects > Security Policy 

Policy-based Central SNAT Policy 

• To create a SNAT policy, go to Policy & Objects > Central SNAT 

• Enable NAT, select IP Pool Configuration as: Use Outgoing Interface Address, and set Protocol as: Any. 

Traffic Shaping 

• To create traffic shaping policy, go to Policy & Objects > Traffic Shaping > Traffic Shaping Policies. 

• Shaping can be configured based on application category, application and application group. 

• Shaper: 

  • Shared sharper – Allows total bandwidth to all traffic using the shaper 

  • Reverse shaper – A type of shared shaper and it's applied in the reverse direction, from the external to internal interface. 

  • Per-IP shaper – Allows to all source IP addresses from the policy and the bandwidth is divided within the group. 

Enabling Application Control Logging 

• Logging is enable within a Security Policy, go to Policy & Objects > Security Policy. 

• To view the logs, click on Log & Report > Security Events. 

• Additionally, add a widget, Dashboard > Top Applications 

• Best practices: 

  • Not all application requires an application control scan. 

  • Do not apply internal to internal traffic flow. 

  • Use Deep-Inspection as the SSL/SSH inspection method. 

  • Use the hardware acceleration for application signature matching. 

  • Check the FortiGuard license and update status. 

  • Check for FortiGuard updates, use the execute update-now command. 

  • Go to System > FortiGuard