cornmw
Visitor III
November 4, 2025
Question

How to match a specific application only without allowing or denying other applications?

  • November 4, 2025
  • 2 replies
  • 465 views

I am trying to figure out a way to allow the "msrpc" application to a server using application control. It looks like in order for it to work I need to create a policy to allow any service and apply an application control profile. Because service is set to allow any, I guess I will have to block all applications in the application control profile and only add an exception to allow "msrpc". For this reason this rule has to be put close to the bottom of the policy list so it won't block services or applications I want to allow. This seems to be working, but it just does not seem ideal. In a Palo Alto firewall I can just set up a rule to match the specific application only, so other types of traffic will not match this rule and therefore will be neither allowed nor denied. I am wondering what the best practice is in FortiGate for this scenario?

2 replies

AEK
SuperUser
November 5, 2025

To enable PAN-like mode you need to switch your FW to policy-based mode. But be careful: all your rules will be wiped if you switch it.

AEK
cornmw
Visitor III
November 7, 2025

Thanks AEK. Unfortunately our firewall is in profile-based mode and we cannot change that. In this scenario, is the method I used acceptable, or is there a better way to do it?

AEK
SuperUser
November 8, 2025

Yes, you can do it by specifying only "msrpc" in the service field.

By doing this, the app profile you use will not have any impact on any other app that uses a destination port other than msrpc's.

AEK
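The two policies discussed in this thread side by side, as an added FortiOS CLI example that is not from the thread or from Fortinet: the original "service ALL plus block-everything profile" rule and the version with the service field narrowed as AEK suggests. Interface names, the address object, the profile name and the numeric application signature ID are placeholders; "DCE-RPC" is assumed to be the built-in service object for msrpc's port (TCP/UDP 135).

```fortios
# Added example, not from the thread. port1, port2, rpc-server and the numeric
# signature ID are placeholders; "DCE-RPC" is assumed to be the built-in TCP/UDP 135 service.

# Profile: block every application except the one msrpc signature.
config application list
    edit "allow-msrpc-only"
        set other-application-action block
        set other-application-log enable
        config entries
            edit 1
                set application <MSRPC_APP_ID>   # placeholder: ID of the msrpc signature
                set action pass
            next
        end
    next
end

# Original approach: service ALL, so the profile above decides for ALL traffic
# hitting this policy; it must sit near the bottom or it blocks other apps.
config firewall policy
    edit 10
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "rpc-server"
        set service "ALL"
        set action accept
        set schedule "always"
        set utm-status enable
        set application-list "allow-msrpc-only"
    next
end

# Answer's approach: only msrpc's port matches this policy; traffic to other
# ports falls through to later policies untouched, so rule position no longer matters for them.
config firewall policy
    edit 11
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "rpc-server"
        set service "DCE-RPC"
        set action accept
        set schedule "always"
        set utm-status enable
        set application-list "allow-msrpc-only"
    next
end
```

With policy 11, the block-everything profile can only ever act on traffic that already matched TCP/UDP 135, which is the behaviour the question was after.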