Need Help with Custom Application Signature for NagiosXI NCPA Agent port

Question

We have deployed NagiosXI for monitoring and our server team is trying to use the Nagios Agent (NCPA) to monitor a domain controller. We have app control configured on the firewall policy for accessing the domain controllers blocking everything except what is permitted through Application and Filter Overrides. NCPA, which uses TCP/5693, is being blocked by app control and the only thing I can think of is creating a custom application signature to add as an override. The problem is when I follow the documentation to create the custom signature the FortiGate just keeps returning an error. The config I entered is listed below, any suggestions would be appreciated.

FortiOS 7.4.7

# conf application custom

(custom) # edit "NagiosXI_5693"
new entry 'NagiosXI_5693' added

(NagiosXI_5693) # set protocol TCP

(NagiosXI_5693) # set signature "F-SBID( --name \"NagiosXI_5693\"; --protocol tcp; --dst-port 5693; )"

(NagiosXI_5693) # set category 15

(NagiosXI_5693) # next
load custom rule error
object set operator error, -2 discard the setting
Command fail. Return code 1

Yurisk · Answer

Hi, you cannot just specify the port - you have to specify a pattern inside packets to match, then optionally, you can add port. Have you looked at IPS Custom Signature creation https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-custom-IPS-signature-for-a/ta-p/207522 ?

On the other hand - if are OK with allowing ANY application using this specific port - you can create a rule above that allows this port w/o AppControl, but be aware it would allow any app to use this port to go put to the Internet.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded