Control of applications
Fortinet FortiGate Application Control. Your primasecure.com can detect and intercept network traffic based on the application generating the traffic using the application control Security Profile feature. Application control uses FortiGate Intrusion Protection protocol decoders to log and manage the behaviour of application traffic passing through FortiGate. Even if traffic uses non-standard ports or protocols, application control uses IPS protocol decoders to detect application traffic.
Numerous applications can be recognized by the FortiGate unit. Application control sensors can be added to firewall regulations that control the traffic of the applications you need to monitor and the network on which they run. By continually adding applications to the FortiGuard Application Control Database, Fortinet is constantly expanding the list of applications it can detect with application control. The FortiGuard Intrusion Protection System Database and the application control database both share the same version number since intrusion protection protocol decoders are used for application control.
By going to the License Information dashboard widget and finding the IPS Definitions version, you can find out which version of the application control database is installed on your unit. To see all the applications FortiGuard supports, go to the FortiGuard Application Control List. All supported applications are listed on this web page. The details of any application can be viewed by selecting its name.
Concepts of application control
Network traffic can be controlled by its source or destination address, port, quantity, or similar attributes in the security policy. It may not be sufficient to precisely define traffic flow from a specific application using these methods. An application control feature addresses this issue by examining the traffic itself for unique signatures. No server addresses or ports are required for application control. Over 1000 applications, services, and protocols are supported by FortiGate.
Basic applications are automatically allowed
The alternative to listing each specific traffic individually is to block applications by category. Despite the fact that listing the applications individually gives a great deal of granularity it does tend to allow for missing some of them. Blocking traffic by category, however, has the disadvantage of blocking some traffic that was not intended to be blocked.
Default permissions may be appropriate for a number of basic applications. DNS, for instance. Your web browsing would be blocked if you blocked the category Network Services, unless your users are part of a very small group that uses IP addresses instead of URLs to browse the web. In the absence of DNS, URLs cannot be resolved into IP addresses.
Using the FortiGate’s CLI, the following traffic types can be automatically allowed, regardless of whether their category is blocked:
- Domain Name System
- Internet Control Protocol
- Web browsing via HTTP generically
- Communication over SSL in general
Applications for instant messaging
Some IM applications do not have the Application Control function in the Web Based Manager. Instead, they are handled by the CLI of FortiGate. The following applications are available:
- AIM
- ICQ
- MSN
- Yahoo
Application access is controlled by allowing or denying users access. IM accounts can be configured to enable or disable unknown users. The application determines whether or not the user should be added to a blacklist or whitelist based on a global policy.
In the CLI Reference guide, under the heading of imp2p, you can find details about how to configure these settings.
