DO NOT REPRINT

FORTINET

Application Control

In this lesson, you will learn how to control network applications beyond simply
blocking or allowing a port number.

After completing this lesson, you should have the practical skills to apply application
control, keep it up to date, and monitor which applications are being used on your
network.
Lab exercises can help you to reinforce what you've learned.

Application control detects applications (often ones that waste bandwidth) and
allows you to monitor and/or block the traffic. Like other UTM inspection, to use
application control, you must first set it up.
Unlike other forms of UTM, such as web filtering or antivirus, application control isn't
applied by a proxy. It uses IPSEngine, so it doesn't operate on built-in protocol states.
Instead, it matches patterns in the entire byte stream of the packet.
By comparison, when applying web filtering and antivirus via an HTTP proxy, the proxy
first parses HTTP and removes the protocol, and then scans only the payload inside.
Why does FortiGate use a flow-based scan for application control?

Because proxies can't easily detect peer-to-peer applications.

When HTTP and other protocols were designed, they were designed to be easy to
trace. In that way, administrators could easily give access to single servers behind NAT
devices such as routers and, later, firewalls.
But when peer-to-peer applications were designed, they had to be able to work without
assistance or cooperation from the network administrators. In order to achieve this,
the designers made them skilled at bypassing firewalls, and incredibly hard to detect.
Port randomization, pinholes, and changing encryption patterns are some of the
techniques that P2P protocols use.
These techniques make them difficult to block via firewall policy, and also make them
difficult to proxy.

Let's show how this works.

Here is a traditional client-server architecture. There may be many clients of popular
sites, but often, such as with an office file server, it's just between one client and one
server.
Traditional downloads use a defined protocol over a standard port number. Whether it's
from a web or FTP site, the download is from a single IP address to a single IP
address. So blocking this kind of traffic is easy: you only need one firewall policy.
But it's more difficult for peer-to-peer downloads. Why?

Peer-to-peer downloads divide each file among multiple (theoretically unlimited) peers.
Each peer delivers part of the file. Interestingly, whereas many clients are a disadvantage
for client-server architectures, they are an advantage for peer-to-peer: as the number of
peers increases to n, the file is delivered n times faster.
Because popularity increases the speed of delivery (unlike traditional client-server
architecture, where popularity could effectively cause a denial of service attack on the
server), some software, such as BitTorrent distributions of Linux and games
distributing new patches, leverages this advantage. Even if each client has little
bandwidth, together they can offer more bandwidth for the download than many
powerful servers.
Conversely, in order to download the file, this also means that the requesting peer can
consume much more bandwidth per second than it could from only a single server.
Even if there is only one peer on your network, it can consume unusually large
amounts. And because the protocols are usually evasive, and there will be many
sessions to many peers, they are difficult to completely block. In a DHCP LAN or guest
Wi-Fi, where the inside peer doesn't have a static IP address or even a predictable
physical location, it can be extremely difficult to find and stop.

So how does application control block these applications, and more? It scans packets
passing through the FortiGate, and looks for patterns.
A particular application, such as Google Talk, is identified by matching known patterns
to its transmission patterns. So obviously it can only be accurately identified if this
stream is unique somehow. Not every application behaves in a unique way. Many reuse
pre-existing, standard protocols and communications methods. For example,
many video games, such as World of Warcraft, now use the BitTorrent protocol to
distribute game patches.
Application control only scans the network traffic. Application control doesn't scan
software installed on the client; this would require software to be installed on the
endpoint, such as a FortiScan agent. So it won't detect software until it starts and
connects to the network.
Application control does not use FortiGate's proxies. So unlike some other UTM profiles,
you can't switch between proxy- and flow-based inspection.

Before you try to control applications, it's important to understand how that works.
How does application control detect the newest applications, and changes to those
application protocols?
To do this, you can configure your FortiGate to automatically update its application
control signature database, in the same way that it polls FortiGuard for new IPS signatures.
The extended IPS signature package includes more application control signatures. So if
you don't find the ones you need initially, you can enable that option to download more.

To view the signatures that your FortiGate has downloaded, click the View Application
Signatures link in the application control profile.
Remember, if you did not enable download of the extended IPS database, FortiGuard
may have more signatures available that you do not see in the GUI. To see those, visit
the FortiGuard web site.

On the FortiGuard web site, you can read details about each signature's related
application. Let's look at an example.
This is the article for Google Talk. It is an instant messenger, so Fortinet has put it in
the Collaboration category. The article mentions that Google Talk, like many instant
messengers now, uses the Jabber protocol. So if you block the application, the logs
may show the Jabber protocol, even though the application that the user has installed
is named Google Talk.
If there are any special requirements in order to scan or block the application, the
article provides some advice. But it's always wise to search the Internet for more
information, and to make test policies and observe the behavior.
At the top of the page, you'll also notice a risk rating.

When building an application control signature, FortiGuard's security research team
evaluates the application and assigns a risk level. It is based on the types of security
risk. The rating is Fortinet-specific, and not related to CVSS or other external systems.
If you aren't aware of specific software, this information can help you to decide whether
it would be wise to block the software or not.

If there are new applications that you need to control, and the latest update doesn't
have any definitions for them, you can ask FortiGuard to add them.
Remember, though, that not all applications can be uniquely defined. That is to say,
there must be something about the traffic that can be used to differentiate it from other
similar traffic: traffic that occurs on the same port, or via the same protocol.

Once you have a signature, the next step is to define your settings to control it. Do this
in an application sensor.
Then, to apply your application control settings, select the profile in the firewall policy.
Like any other security profile, these settings are not global. FortiGate will only apply
them to traffic governed by the firewall policy where you've selected an application
control profile. This allows granular control.

Did you see these two at the end of the list of categories? They are catch-all
categories:
All Other Known Applications
All Other Unknown Applications
All Other Known Applications matches traffic that can be identified, but that, in the
profile, you did not explicitly enable. This is because some categories are only directly
configurable through the CLI: the ones that are in the extended IPS database.
All Other Unknown Applications matches traffic that could not be identified. Application
control will create a log entry that says the traffic is an Unknown Application.
Depending on:
how many rare applications your users have
which IPS database you are using (remember, the default IPS database can identify
fewer rare applications than the extended one)
this might cause many log entries. Frequent log entries decrease performance.

Once you've applied application control, FortiGate will start to scan packets for
matches. It will do this in a specific order.
There are two major sections to the application control profile:
Categories, at the top
Application Overrides, below Categories
First, IPSEngine examines the traffic stream for a signature match. If you've configured
any overrides, application control considers those first. It looks for a matching override
starting at the top of the list, like firewall policies. If no matching override exists, then
application control applies the action that you've configured for applications in your
selected categories.
Multiple overrides for the same signature cannot be created.
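
The evaluation order described above, together with the two catch-all categories from the previous slide, as an added Python model (not Fortinet code). The sensor contents, category names and the action names "allow", "monitor", "block", "reset" and "shape" are constructed for the example.

```python
"""Model of how an application sensor picks an action for a detected
signature: overrides first (top-down, first match wins, like firewall
policies), then the action of the signature's category, then the two
catch-all buckets. Added example; the sensor contents are constructed."""
from dataclasses import dataclass
from typing import Optional

# Actions that record a log message. Allow passes silently.
LOGGED_ACTIONS = {"monitor", "block", "reset", "shape"}


@dataclass
class Override:
    application: str   # signature name, e.g. "Facebook"
    action: str        # allow | monitor | block | reset | shape


@dataclass
class AppSensor:
    overrides: list                      # Application Overrides section
    category_actions: dict               # enabled category -> action
    other_known_action: str = "allow"    # All Other Known Applications
    unknown_action: str = "monitor"      # All Other Unknown Applications

    def __post_init__(self):
        # FortiGate refuses multiple overrides for the same signature.
        names = [o.application for o in self.overrides]
        dupes = sorted({n for n in names if names.count(n) > 1})
        if dupes:
            raise ValueError(f"duplicate override(s): {dupes}")

    def decide(self, app: Optional[str], category: Optional[str]):
        """Return (matched_by, action, logged) for one detected flow.
        app=None means IPSEngine found no signature match at all."""
        if app is None:
            act, how = self.unknown_action, "unknown"
        else:
            for ov in self.overrides:
                if ov.application == app:
                    return ("override", ov.action, ov.action in LOGGED_ACTIONS)
            if category in self.category_actions:
                act, how = self.category_actions[category], "category"
            else:
                act, how = self.other_known_action, "other-known"
        return (how, act, act in LOGGED_ACTIONS)


# Constructed sensor: block Social.Media and Video/Audio in general, but
# rate-limit Facebook and YouTube through overrides (checked first).
EXAMPLE_SENSOR = AppSensor(
    overrides=[Override("Facebook", "shape"), Override("YouTube", "shape")],
    category_actions={"Social.Media": "block", "Video/Audio": "block"},
)
```

Note that the unknown-application bucket defaults to "monitor" here, which is exactly the case that produces many log entries when the default IPS database cannot identify rare applications.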

The actions for both categories and overrides are configurable:

Allow: Simply passes the traffic
Monitor: Passes the traffic, but also records a log message
Block: Drops the detected traffic without notifying the client, and records a log message
Reset: Resets the TCP connection, and records a log message
Traffic Shaping: Rate limits the application so that it doesn't deprive more important
traffic of bandwidth, and also records a log message

Which is the correct action to select? It depends on the application. If an application
requires feedback to prevent instability or other unwanted behavior, then you might use
Reset instead of Block. If you need to allow the application but prevent it from starving
other applications of bandwidth, then traffic shaping might be a good choice. Otherwise,
the most efficient use of FortiGate resources is to simply block.

Order of scans is introduced in the firewall policies lesson. But here is a review of the
third phase: where application control occurs.
Application control is later than many of FortiGate's other scans and actions, such as
for VPN ingress and DoS.
But within UTM, it is one of the first scans. So if traffic is blocked by application control,
FortiGate never does later scans like web filtering or antivirus, even if those profiles use
flow-based inspection from IPSEngine, just like application control. But if you have
configured application control to allow the traffic (not block it or reset the TCP
connection), then FortiGate will proceed to the next scans: email filtering, web filtering,
and antivirus. Because each scan can have exemptions, this has some interesting effects.

Here is an example of how several UTM features could work together, overlap, or act as
substitutes, on the same traffic.
In this profile, application control (in general) blocks the categories Social.Media and
Video/Audio. For those applications, FortiGate responds with application control's HTTP
block message. (It's slightly different than web filtering's HTTP block message.) But at
the bottom of this profile, there are some exceptions. Instead of blocking, application
control applies traffic shaping to Facebook and YouTube.
After the application control scan is done, FortiGate begins other scans, such as web
filtering. This, too, could block Facebook and YouTube, but it would use its own
message. Also, web filtering doesn't check the list of application control overrides. So
even if an application control override allows and rate limits an app, web filtering could
still block it.
Similarly, static URL filtering has its own Exempt action, which bypasses all subsequent
security checks. However, application control occurs before web filtering, so that web
filtering exemption can't bypass application control.

For HTTP-based applications, application control can provide some feedback to the user
about why their application was blocked. This is called a block page, and it's similar to
the one you can configure for URLs that you block via FortiGuard Web Filtering.
The block page says:
which signature detected the application (in this case, HTTP.Browser_Firefox)
the signature's category (Web.Others)
the URL that was specifically blocked (in this case, the index page of msn.com), since
a web page can be assembled from multiple URLs
the client's source IP (10.0.1.10)
the server's destination IP (23.101.196.141)
user name (if authentication is enabled)
the UUID of the policy governing the traffic
and the FortiGate's host name
The last two pieces of information can help you to find which FortiGate blocked the
page, even if you have a large network with many FortiGates securing different segments.

If an application is necessary, but you do need to prevent it from impacting bandwidth
for more sensitive streaming applications such as video conferencing, then instead of
blocking it entirely you can rate limit the application.
Shaping traffic via application control is very useful when you are trying to limit traffic
that uses the same TCP or UDP port numbers as a mission-critical application. Some
high-traffic web sites, such as YouTube, can be throttled in this way.

Let's say that you have enabled application control because users have been
complaining that the network is slow. During peak times, you notice that there is no
bandwidth remaining. Application control with the Monitor action selected showed
that many users were using YouTube, and it correlated to periods of bandwidth
saturation.
How could you solve this?
With web filtering, you can see that www.youtube.com is often accessed, but it doesn't
analyze the function of each URL. And it can't apply traffic shaping.
Alternatively, since YouTube generates large volumes of traffic, you could use
application control signatures with a traffic shaping action. Let's examine the details of
how that could work.

Not all URL requests to www.youtube.com are for video. Your browser makes several HTTP
requests for:
the web page itself
images
scripts and style sheets
video
and all of them have separate URLs. If you analyze a site like YouTube, the web pages
themselves don't use much bandwidth. Mostly, the culprit is the video.
But since it is all transported via the same protocol (HTTPS), and the URLs contain
dynamically generated alphanumeric strings:
traditional firewall policies can't block or throttle it by port number/protocol, which are
all the same
web filtering cannot apply traffic shaping
With application control, you can rate limit only the videos. This prevents users from
saturating your network bandwidth while still allowing them to access the other content
on the site, such as for comments or sharing links.

At the bottom of the application sensor, there are more options that affect how application control
functions.
Deep Inspection of Cloud Applications does not enable SSL Inspection. Many applications are
switching to HTTPS-only, so remember that for those, you will also need an SSL/SSH inspection
profile. This includes many popular ones, such as Twitter. If the application is encrypted, and you
haven't enabled SSL/SSH inspection, then application control won't be able to recognize the application.
If you choose to enable Allow and Log DNS Traffic, be aware that you should only do it for short
periods, such as during an investigation. Leaving this option enabled for long periods can impact
performance and cause premature disk failure. One log is created per packet. So depending on the
application, and how often it queries DNS servers, this can use significant system resources.
Replacement Messages for HTTP-based Applications allows you to replace blocked content with an
explanation for the users benefit. Application control can also link into the Fortinet Bar, if that has been
enabled. With non-HTTP applications, however, you can only drop the packets or reset the TCP
connection.

If you have logging enabled, you can use it to discover which applications are being used on your
network, and details about them. Look in Log & Report > Security Log > Application Control.
In this example, application control detected a client attempting to access Facebook. The
configured action was to monitor the traffic. We know this because the Action indicates
pass, so we know FortiGate didn't block the traffic. But the action wasn't to simply allow
the traffic without logging, either, which we know because the log message exists.
To view details about the log message, click its entry. The application name is a link to
the FortiGuard encyclopedia web site. If you were unaware of the application, and don't
know what type of risks it presents, you could click the link to read more.

If you look in the forward traffic log, where firewall policies record activity, you'll also
find a summary of traffic where FortiGate applied application control. Again, this is
because application control is applied by a firewall policy.
To find which policy applied application control, you can use either the Policy ID or the Policy UUID
fields of this log message.
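
The reasoning from the two log slides above (a logged pass means Monitor, and Policy ID / Policy UUID tell you which policy applied the sensor), as an added Python example that is not part of the lesson. The log lines are constructed in FortiGate's key=value style rather than captured from a device, and the UUIDs are obvious placeholders.

```python
"""Parse constructed application-control log lines, recover the sensor
action behind each entry, and collect the policy that applied it.
Added example; the sample lines and UUIDs below are constructed."""
import re
from collections import Counter, defaultdict

# Constructed sample: three app-ctrl entries (not real device output).
SAMPLE_LOG = """\
date=2024-01-15 time=09:12:01 type="utm" subtype="app-ctrl" policyid=3 poluuid="00000000-0000-0000-0000-0000000000a3" srcip=10.0.1.10 dstip=203.0.113.5 app="Facebook" appcat="Social.Media" action="pass"
date=2024-01-15 time=09:12:07 type="utm" subtype="app-ctrl" policyid=3 poluuid="00000000-0000-0000-0000-0000000000a3" srcip=10.0.1.11 dstip=203.0.113.9 app="YouTube" appcat="Video/Audio" action="block"
date=2024-01-15 time=09:13:40 type="utm" subtype="app-ctrl" policyid=7 poluuid="00000000-0000-0000-0000-0000000000b7" srcip=10.0.1.12 dstip=198.51.100.2 app="BitTorrent" appcat="P2P" action="reset"
"""

# key=value pairs; values are either a quoted string or a bare token.
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def configured_action(entry):
    """Infer the sensor action from a logged app-ctrl entry.
    A logged action=pass means Monitor: Allow writes no log at all."""
    return {"pass": "Monitor", "block": "Block", "reset": "Reset"}.get(
        entry.get("action"), "Unknown")


def summarize(text):
    """Count detections per (app, inferred action) and collect the
    (Policy ID, Policy UUID) pairs that applied application control."""
    counts = Counter()
    policies = defaultdict(set)
    for line in text.splitlines():
        e = parse_line(line)
        if e.get("subtype") != "app-ctrl":
            continue  # skip forward-traffic and other UTM entries
        counts[(e["app"], configured_action(e))] += 1
        policies[e["app"]].add((int(e["policyid"]), e["poluuid"]))
    return counts, policies
```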

To review, here is what we discussed:

How application control identifies traffic
Why some traffic, especially peer-to-peer, is hard to block without application control
FortiGuard's 5-point rating system for application control signatures
How to submit requests for additional applications
How to configure an application control sensor
When to shape traffic
Order of operations for the application control and IPSEngine processes
How to read logs to discover which applications have been detected, and which
action FortiGate applied
