filiaks1
Explorer III
July 26, 2025
Question

Fortigate policy-based mode possible application shift issues.

Hello All,

Interesting thing, this Policy-Based NGFW mode compared to the profile-based default mode.

NGFW policy | FortiGate / FortiOS 7.6.3 | Fortinet Document Library

I played a little and when, for example, you have a rule that blocks SSL before a rule that allows the Web Browser app, it will never reach the second rule, as the app shifts after some time, like I have seen on other firewall vendors' policy-based modes for app control.

There should be an article on how to see the application shift for a session for people using this mode, and also a "diagnose debug" command for app control showing all the identifications for a session's traffic, like SSL > Web Browser > SaaS app etc. As of now I think the default profile mode is better.

Attachment: Screenshot 2025-07-26 121041.png

Robertdan99
Explorer II
July 27, 2025

**Understanding and Resolving Application Shift Issues in FortiGate Policy-Based Mode**

### **Why This Happens**
Policy-based mode operates like a traditional firewall, evaluating rules **top-down** and taking the **first matching action**. Unlike profile-based mode (which can dynamically update handling as more traffic is analyzed), policy-based mode:
1. **Locks sessions to the first matched rule** – Once traffic hits your "Block SSL" rule, it won’t re-check later rules (even if the traffic later identifies as "Web Browser").
2. **Application shifts occur too late** – Apps like SaaS or Web Browser may only be detected *after* the session is already pinned to the blocking rule.

---

### **How to Fix It**

#### **Option 1: Reorder Rules Strategically**
- **Place broad allows above specific blocks**:
```
Rule 1: ALLOW "Web Browser" (any port)
Rule 2: BLOCK "SSL.VPN"
```
- *Why it works*: Lets Web Browser traffic match first, while still blocking unwanted SSL apps.

#### **Option 2: Combine Controls in One Rule**
- Use **application groups/overrides** in a single rule:
```
ALLOW "Web Browser" BUT BLOCK "SSL.VPN" in same policy
```
- *Why it works*: Forces FortiGate to evaluate all apps in the session under one rule.

#### **Option 3: Use Security Profiles**
- Enable **App Control + IPS + SSL Inspection** in the policy:
- Profiles can dynamically update handling as apps are identified.
- *Limitation*: This starts to resemble profile-based mode’s behavior.

---

### **Debugging Tools**
To trace application shifts in real-time:
```bash
# See app detection steps for a session:
diagnose debug application firewall list
diagnose debug enable

# Check session details (source/dest/port):
diagnose sys session filter <src_ip> <dst_ip> <port>
diagnose sys session list
```
*Look for*: `app=SSL` changing to `app=Web.Browser` mid-session.

---

### **When to Use Policy-Based Mode**
- **Best for**: Simple policies where order is predictable (e.g., "Block all social media, allow everything else").
- **Avoid for**: Complex app control (stick with profile-based mode if apps shift categories).

**Analogy**:
Policy-based mode is like a tree-trimming decision made at the *first glance* (e.g., "Cut all vines"). If you later realize some vines are harmless flowers, it’s too late—the cut was already made. Profile-based mode would re-evaluate as it inspects each branch.

(Key takeaway: Policy order is critical in this mode!)
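
The first-match pinning described in this reply, as an added simulation that is not part of the original post and not FortiGate code: rules are checked top-down against each application identification as the session "shifts", and the first rule that matches pins the session. Rule names, signature strings and session sequences are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Signature names here are constructed; real FortiGate signature names
# may differ (the thread itself quotes "SSL", "Web.Browser", "SSL.VPN").
@dataclass(frozen=True)
class Rule:
    name: str
    apps: frozenset  # application signatures this rule matches
    action: str      # "accept" or "deny"

def evaluate_policy_based(rules: Sequence[Rule],
                          identifications: Sequence[str]
                          ) -> Tuple[str, str, Optional[str]]:
    """Simplified model of the behaviour the reply describes: the app is
    identified step by step (e.g. SSL, then Web.Browser), rules are
    evaluated top-down, and the first rule matching any identification
    pins the session; later shifts are not re-evaluated.
    Returns (action, rule_name, app_that_matched)."""
    for app in identifications:
        for rule in rules:
            if app in rule.apps:
                return rule.action, rule.name, app
    # Nothing matched any identification: fall to the implicit deny.
    return "deny", "implicit-deny", None

# Constructed sample rule sets and session identification sequences.
ORIGINAL_ORDER = [                      # the poster's order: block first
    Rule("Block SSL", frozenset({"SSL"}), "deny"),
    Rule("Allow Web Browser", frozenset({"Web.Browser"}), "accept"),
]
REORDERED = [                           # Option 1 from the reply
    Rule("Allow Web Browser", frozenset({"Web.Browser"}), "accept"),
    Rule("Block SSL.VPN", frozenset({"SSL.VPN"}), "deny"),
]
BROWSING_SESSION = ["SSL", "Web.Browser", "SaaS"]  # app shifts over time
VPN_SESSION = ["SSL", "SSL.VPN"]
UNRESOLVED_SESSION = ["SSL"]                       # never shifts further

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_ORDER), ("reordered", REORDERED)):
        for sess in (BROWSING_SESSION, VPN_SESSION, UNRESOLVED_SESSION):
            print(f"{label:9} {sess!s:32} -> {evaluate_policy_based(rules, sess)}")
```

In the reordered set a session that is never identified beyond plain SSL matches neither rule and falls to the implicit deny in this model, so a deliberate catch-all rule still matters when reordering.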

filiaks1 (Author)
Explorer III
July 28, 2025

@Robertdan99 "diagnose debug application firewall list" is not on FortiGate 7.6. Maybe you have used AI like ChatGPT; I use it as well, but keep in mind it is not always correct, so you need to check what it is providing, as it can be misleading.