FORTINET
Application Control
In this lesson, you will learn about how to control network applications beyond simply
blocking or allowing a port number.
DO NOT REPRINT
FORTINET
Application Control
After completing this lesson, you should have the practical skills to apply application control, keep it up to date, and monitor which applications are being used on your network.
Lab exercises can help you to reinforce what you've learned.
Application control detects applications (often, ones that waste bandwidth) and allows you to monitor and/or block the traffic. Like other UTM inspection, to use application control, you must first set it up.
Unlike other forms of UTM, such as web filtering or antivirus, application control isn't applied by a proxy. It uses IPSEngine. So it doesn't operate by built-in protocol states. It matches patterns in the entire byte stream of the packet.
By comparison, when applying web filtering and antivirus via the HTTP proxy, the proxy first parses HTTP and removes the protocol, and then scans only the payload inside.
Why does FortiGate use a flow-based scan for application control?
Peer-to-peer downloads divide each file among multiple (theoretically unlimited) peers. Each peer delivers part of the file. Interestingly, where having many clients is a disadvantage for client-server architectures, it is an advantage for peer-to-peer: as the number of peers increases to n, the file is delivered n times faster.
Because popularity increases the speed of delivery (unlike traditional client-server architecture, where popularity could effectively cause a denial of service attack on the server), some software, such as BitTorrent distributions of Linux and games distributing new patches, leverages this advantage. Even if each client has little bandwidth, together they can offer more bandwidth for the download than many powerful servers.
Conversely, in order to download the file, this also means that the requesting peer can consume much more bandwidth per second than it could from only a single server. Even if there is only one peer on your network, it can consume unusually large amounts. And because the protocols are usually evasive, and there will be many sessions to many peers, they are difficult to block completely. In a DHCP LAN or guest Wi-Fi, where the inside peer doesn't have a static IP address or even a predictable physical location, it can be extremely difficult to find and stop.
So how does application control block these applications, and more? It scans packets passing through the FortiGate and looks for patterns.
A particular application, such as Google Talk, is identified by matching known patterns to its transmission patterns. So obviously it can only be accurately identified if this stream is unique somehow. Not every application behaves in a unique way. Many reuse pre-existing, standard protocols and communication methods. For example, many video games, such as World of Warcraft, now use the BitTorrent protocol to distribute game patches.
Application control only scans the network traffic. Application control doesn't scan software installed on the client; this would require software to be installed on the endpoint, such as a FortiScan agent. So it won't detect software until it starts and connects to the network.
Application control does not use FortiGate's proxies. So unlike some other UTM profiles, you can't switch between proxy- and flow-based inspection.
Before you try to control applications, it's important to understand how that works. How does application control detect the newest applications, and changes to those application protocols?
To do this, you can configure your FortiGate to automatically update its application control signature database, in the same way that it polls FortiGuard for new IPS signatures.
The extended IPS signature package includes more application control signatures. So if you don't find the ones you need initially, you can enable that option to download more.
To view the signatures that your FortiGate has downloaded, click the View Application
Signatures link in the application control profile.
Remember, if you did not enable download of the extended IPS database, FortiGuard
may have more signatures available that you do not see in the GUI. To see those, visit
the FortiGuard web site.
On the FortiGuard web site, you can read details about each signature's related application. Let's look at an example.
This is the article for Google Talk. It is an instant messenger, so Fortinet has put it in the Collaboration category. The article mentions that Google Talk, like many instant messengers now, uses the Jabber protocol. So if you block the application, the logs may show the Jabber protocol, even though the application that the user has installed is named Google Talk.
If there are any special requirements in order to scan or block the application, the article provides some advice. But it's always wise to search the Internet for more information, and to make test policies and observe the behavior.
At the top of the page, you'll also notice a risk rating.
When building an application control signature, FortiGuard's security research team evaluates the application and assigns a risk level. It is based on the types of security risk. The rating is Fortinet-specific, and not related to CVSS or other external systems.
If you aren't aware of specific software, this information can help you to decide whether it would be wise to block the software or not.
If there are new applications that you need to control, and the latest update doesn't have any definitions for them, you can ask FortiGuard to add them.
Remember, though, that not all applications can be uniquely defined. That is to say,
there must be something about the traffic that can be used to differentiate it from other
similar traffic: traffic that occurs on the same port, or via the same protocol.
Once you have a signature, the next step is to define your settings to control it. Do this in an application sensor.
Then, to apply your application control settings, select the profile in the firewall policy.
Like any other security profile, these settings are not global. FortiGate will only apply them to traffic governed by the firewall policy where you've selected an application control profile. This allows granular control.
Did you see these two at the end of the list of categories? They are catch-all
categories:
All Other Known Applications
All Other Unknown Applications
All Other Known Applications matches traffic that can be identified, but that, in the
profile, you did not explicitly enable. This is because some categories are only directly
configurable through the CLI: the ones that are in the extended IPS database.
All Other Unknown Applications matches traffic that could not be identified. Application
control will create a log entry that says the traffic is an Unknown Application.
Depending on:
how many rare applications your users have
which IPS database you are using (remember, the default IPS database can identify
fewer rare applications than the extended one)
this might cause many log entries. Frequent log entries decrease performance.
Once you've applied application control, FortiGate will start to scan packets for matches. It will do this in a specific order.
There are two major sections to the application control profile:
Categories is at the top
Application Overrides below Categories
First, IPSEngine examines the traffic stream for a signature match. If you've configured any overrides, application control considers those first. It looks for a matching override starting at the top of the list, like firewall policies. If no matching override exists, then application control applies the action that you've configured for applications in your selected categories.
Multiple overrides for the same signature cannot be created.
Which is the correct action to select? It depends on the application. If an application requires feedback to prevent instability or other unwanted behavior, then you might use Reset instead of Block. If you need to allow the application but prevent it from starving other applications of bandwidth, then traffic shaping might be a good choice. Otherwise, the most efficient use of FortiGate resources is simply to block.
The order of scans is introduced in the firewall policies lesson. But here is a review of the third phase, where application control occurs.
Application control is later than many of FortiGate's other scans and actions, such as those for VPN ingress and DoS.
But within UTM, it is one of the first scans. So if traffic is blocked by application control, FortiGate never does later scans like web filtering or antivirus, even if those profiles use flow-based inspection from IPSEngine, just like application control. But if you have configured application control to allow the traffic (not block it or reset the TCP connection), then FortiGate will proceed to the next scans: email filtering, web filtering, and antivirus. Because each scan can have exemptions, this has some interesting effects.
Here is an example of how several UTM features could work together, overlap, or act as substitutes, on the same traffic.
In this profile, application control (in general) blocks the categories Social.Media and Video/Audio. For those applications, FortiGate responds with application control's HTTP block message. (It's slightly different from web filtering's HTTP block message.) But at the bottom of this profile, there are some exceptions. Instead of blocking, application control applies traffic shaping to Facebook and YouTube.
After the application control scan is done, FortiGate begins other scans, such as web filtering. This, too, could block Facebook and YouTube, but it would use its own message. Also, web filtering doesn't check the list of application control overrides. So even if an application control override allows and rate limits an app, web filtering could still block it.
Similarly, static URL filtering has its own Exempt action, which bypasses all subsequent security checks. However, application control occurs before web filtering, so that web filtering exemption can't bypass application control.
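The matching order described in the two passages above (overrides checked first, top down; then the category action; then the two catch-all categories) and the Facebook/YouTube shaping profile from this example can be modelled as a small decision function. The code below is an added example, not FortiOS code or part of the original lesson: the Sensor and Override classes, the identify() helper (which models the SSL/SSH inspection requirement from later in the lesson) and the sample flows are constructed here for illustration.

```python
"""Model of how an application sensor resolves a detected application to an action.

Added example, not FortiOS code. Structure follows the lesson: Application
Overrides are checked first, top down, first match wins; otherwise the action
for the application's category applies; anything else falls into the
catch-all categories All Other Known / All Other Unknown Applications.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Override:
    application: str  # signature name, e.g. "Facebook"
    action: str       # "block", "reset", "pass" (monitor) or "shape"


@dataclass
class Sensor:
    category_actions: dict                     # category name -> action
    overrides: list = field(default_factory=list)
    other_known: str = "pass"                  # All Other Known Applications
    other_unknown: str = "pass"                # All Other Unknown Applications

    def add_override(self, ov: Override) -> None:
        # The lesson states that two overrides for the same signature cannot exist.
        if any(o.application == ov.application for o in self.overrides):
            raise ValueError(f"override for {ov.application} already exists")
        self.overrides.append(ov)

    def decide(self, app: Optional[str], category: Optional[str]) -> Tuple[str, str]:
        """Return (action, what matched). app=None means IPSEngine found no signature."""
        if app is None:
            return self.other_unknown, "All Other Unknown Applications"
        for ov in self.overrides:              # top of the list is checked first
            if ov.application == app:
                return ov.action, f"override {app}"
        if category in self.category_actions:  # then the category action
            return self.category_actions[category], f"category {category}"
        return self.other_known, "All Other Known Applications"


def identify(app: Optional[str], category: Optional[str],
             encrypted: bool, ssl_inspection: bool) -> Tuple[Optional[str], Optional[str]]:
    """Signature matching needs the byte stream in the clear: an HTTPS-only
    application without an SSL/SSH inspection profile is not recognised and
    therefore lands in All Other Unknown Applications."""
    if encrypted and not ssl_inspection:
        return None, None
    return app, category


def lesson_profile() -> Sensor:
    """The profile from the lesson: block Social.Media and Video/Audio, but
    rate limit Facebook and YouTube through overrides."""
    sensor = Sensor({"Social.Media": "block", "Video/Audio": "block"})
    sensor.add_override(Override("Facebook", "shape"))
    sensor.add_override(Override("YouTube", "shape"))
    return sensor


if __name__ == "__main__":
    sensor = lesson_profile()
    # Constructed flows: (signature, category, transported over TLS?)
    flows = [("Facebook", "Social.Media", False),
             ("YouTube", "Video/Audio", True),
             ("Twitter", "Social.Media", True),
             ("Skype", "Collaboration", False),
             (None, None, False)]
    for ssl_inspection in (True, False):
        print(f"--- SSL/SSH inspection enabled: {ssl_inspection}")
        for app, cat, enc in flows:
            seen_app, seen_cat = identify(app, cat, enc, ssl_inspection)
            print(f"{str(app):10} -> {sensor.decide(seen_app, seen_cat)}")
```

Running the script twice over, once with and once without SSL/SSH inspection, shows the caveat from the sensor options: the same Twitter flow is blocked by its category when the stream is decrypted, but falls into All Other Unknown Applications when it is not.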
For HTTP-based applications, application control can provide some feedback to the user about why their application was blocked. This is called a block page, and it's similar to the one you can configure for URLs that you block via FortiGuard Web Filtering.
The block page says:
which signature detected the application (in this case, HTTP.Browser_Firefox)
the signature's category (Web.Others)
the URL that was specifically blocked (in this case, the index page of msn.com), since a web page can be assembled from multiple URLs
the client's source IP (10.0.1.10)
the server's destination IP (23.101.196.141)
user name (if authentication is enabled)
the UUID of the policy governing the traffic
and the FortiGate's host name
The last two pieces of information can help you to find which FortiGate blocked the page, even if you have a large network with many FortiGates securing different segments.
Let's say that you have enabled application control because users have been complaining that the network is slow. During peak times, you notice that there is no bandwidth remaining. Application control with the Monitor action selected showed that many users were using YouTube, and it correlated to periods of bandwidth saturation.
How could you solve this?
With web filtering, you can see that www.youtube.com is often accessed, but it doesn't analyze the function of each URL. And it can't apply traffic shaping.
Alternatively, since YouTube generates large volumes of traffic, you could use application control signatures with a traffic shaping action. Let's examine the details of how that could work.
Not all URL requests to www.youtube.com are for video. Your browser makes several HTTP requests for:
the web page itself
Images
Scripts and style sheets
Video
and all of them have separate URLs. If you analyze a site like YouTube, the web pages themselves don't use much bandwidth. Mostly, the culprit is the video.
But since it is all transported via the same protocol (HTTPS), and the URLs contain dynamically generated alphanumeric strings:
traditional firewall policies can't block or throttle it by port number/protocol, which are all the same
web filtering cannot apply traffic shaping
With application control, you can rate limit only the videos. This prevents users from saturating your network bandwidth while still allowing them to access the other content on the site, such as for comments or sharing links.
At the bottom of the application sensor, there are more options that affect how application control functions.
Deep Inspection of Cloud Applications does not enable SSL inspection. Many applications are switching to HTTPS-only, so remember that for those, you will also need an SSL/SSH inspection profile. This includes many popular ones, such as Twitter. If the application is encrypted, and you haven't enabled SSL/SSH inspection, then application control won't be able to recognize the application.
If you choose to enable Allow and Log DNS Traffic, be aware that you should only do it for short periods, such as during an investigation. Leaving this option enabled for long periods can impact performance and cause premature disk failure. One log is created per packet. So depending on the application, and how often it queries DNS servers, this can use significant system resources.
Replacement Messages for HTTP-based Applications allows you to replace blocked content with an explanation for the user's benefit. Application control can also link into the Fortinet Bar, if that has been enabled. With non-HTTP applications, however, you can only drop the packets or reset the TCP connection.
If you have logging enabled, you can use it to discover which applications are being used on your network, and details about them. Look in Log & Report > Security Log > Application Control.
In this example, application control detected a client attempting to access Facebook. The configured action was to monitor the traffic. We know this because the Action indicates pass, so we know FortiGate didn't block the traffic. But the action wasn't to simply allow the traffic without logging, either, which we know because the log message exists.
To view details about the log message, click its entry. The application name is a link to the FortiGuard encyclopedia web site. If you were unaware of the application, and don't know what type of risks it presents, you could click the link to read more.
If you look in the forward traffic log, where firewall policies record activity, you'll also find a summary of traffic where FortiGate applied application control. Again, this is because application control is applied by a firewall policy.
To find which policy applied application control, you can use either the Policy ID or the Policy UUID fields of this log message.
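The review of the application control log and the policy fields above, and the earlier YouTube scenario where Monitor-mode logs revealed which application correlated with bandwidth saturation, can be reproduced offline from exported log lines. The code below is an added example, not Fortinet code: the log lines are constructed in the key=value layout FortiGate writes, the field names (app, appcat, apprisk, action, srcip, dstip, policyid, poluuid) follow FortiOS naming, but every value, address and UUID is invented for the example.

```python
"""Parse application control log lines and summarise what the sensor saw.

Added example, not Fortinet code. SAMPLE_LOGS is constructed; the field
names follow FortiOS log conventions, the values are invented.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOGS = """\
date=2024-01-01 time=10:01:02 type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="information" srcip=10.0.1.10 dstip=203.0.113.5 policyid=1 poluuid="8f7d9c10-0000-4000-8000-000000000001" action="pass" app="Facebook" appcat="Social.Media" apprisk="medium"
date=2024-01-01 time=10:01:05 type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="information" srcip=10.0.1.11 dstip=203.0.113.9 policyid=1 poluuid="8f7d9c10-0000-4000-8000-000000000001" action="pass" app="YouTube" appcat="Video/Audio" apprisk="elevated"
date=2024-01-01 time=10:01:09 type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="warning" srcip=10.0.1.12 dstip=198.51.100.7 policyid=2 poluuid="8f7d9c10-0000-4000-8000-000000000002" action="block" app="BitTorrent" appcat="P2P" apprisk="high"
date=2024-01-01 time=10:01:12 type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="information" srcip=10.0.1.10 dstip=203.0.113.5 policyid=1 poluuid="8f7d9c10-0000-4000-8000-000000000001" action="pass" app="YouTube" appcat="Video/Audio" apprisk="elevated"
"""

# key=value pairs; values are either a double-quoted string or a bare token
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line: str) -> dict:
    """Turn one log line into a dict, stripping the quotes around string values."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_logs(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def summarise(entries: list):
    """Count hits per application, per action, and per policy UUID.

    The policy UUID (or policyid) is the field the lesson recommends for
    finding which firewall policy applied the application sensor."""
    by_app, by_action = Counter(), Counter()
    by_policy = defaultdict(Counter)
    for e in entries:
        if e.get("subtype") != "app-ctrl":   # ignore other UTM log types
            continue
        by_app[e["app"]] += 1
        by_action[e["action"]] += 1
        by_policy[e["poluuid"]][e["app"]] += 1
    return by_app, by_action, by_policy


def monitored_only(entries: list) -> list:
    """Applications that were only ever logged with action=pass: the sensor
    is in Monitor mode for them (seen and logged, but never blocked)."""
    actions = defaultdict(set)
    for e in entries:
        if e.get("subtype") == "app-ctrl":
            actions[e["app"]].add(e["action"])
    return sorted(app for app, acts in actions.items() if acts == {"pass"})


if __name__ == "__main__":
    entries = parse_logs(SAMPLE_LOGS)
    by_app, by_action, by_policy = summarise(entries)
    print("hits per application:", dict(by_app))
    print("hits per action:     ", dict(by_action))
    for uuid, apps in by_policy.items():
        print(f"policy {uuid}: {dict(apps)}")
    print("monitored only:      ", monitored_only(entries))
```

The per-application counter is what turns Monitor-mode logging into the evidence the lesson's troubleshooting scenario relies on; grouping by poluuid tells you which policy's sensor produced each entry.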