Description
This article discusses Application Control configuration and is particularly relevant when upgrading from previous versions of FortiOS.
After migrating a configuration to FortiOS 5.2 from older versions, it might be necessary to manually adjust the Application Control profile configuration in the CLI.
Solution
In FortiOS 5.2, an Application Control (AC) list consists of multiple entries, each of which can contain a single AC signature, multiple AC signatures, a single AC signature group, or multiple AC signature groups. Prior to FortiOS 5.2, a single Application Control profile entry could contain both AC signature groups and specific AC signatures.
An example prior to 5.2 would be:
config application list
edit kb-example
config entries
edit 1
set category 1
set application 2
end
end
FortiOS 5.2 no longer accepts both AC signatures and AC signatures groups in a single AC list entry.
However, a scripted configuration migration cannot decide which type of entry should be given priority, the signature group or the specific signature. This depends on the intended use of the AC profile and has to be decided by the administrator.
Where both a signature group and a signature are used in a single FortiOS 5.2 AC list entry, priority is given to the AC signature group, and the action configured for the group takes precedence over single signatures.
If a combined configuration was used prior to migration, it is necessary to manually review the CLI configuration of the AC list and either remove the AC signature groups from the configuration or move them to separate entries.
An example in 5.2 would be:
config application list
edit kb-example
config entries
edit 1
set category 1
set action pass
next
edit 2
set application 2
set action pass
end
end
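To support the manual review described above, the following added example (not Fortinet code) scans a saved configuration text for AC list entries that set both a category and an application. The function name and sample are constructed; it assumes `set category` is the signature group and `set application` the specific signature, as in the examples, and that entries contain no nested config blocks.

```python
# Constructed sample: entry 1 mixes a category with a specific application
# (the pre-5.2 form); entry 2 holds a single signature and is fine.
SAMPLE_CONFIG = """\
config application list
    edit "kb-example"
        config entries
            edit 1
                set category 1
                set application 2
            next
            edit 2
                set application 3
            next
        end
    next
end
"""

def find_mixed_entries(config_text):
    """Return (profile, entry_id) pairs that set both category and application."""
    mixed = []
    in_list = in_entries = False
    profile = entry = None
    keys = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config application list":
            in_list = True
        elif not in_list:
            continue
        elif line == "config entries":
            in_entries = True
        elif line.startswith("edit "):
            name = line[5:].strip().strip('"')
            if in_entries:
                entry, keys = name, set()
            else:
                profile = name
        elif line.startswith("set ") and entry is not None:
            keys.add(line.split()[1])
        elif line in ("next", "end"):
            # Either keyword closes an open entry, as in the examples above.
            if entry is not None and {"category", "application"} <= keys:
                mixed.append((profile, entry))
            entry = None
            if line == "end":
                # "end" leaves the entries table first, then the list itself.
                in_list, in_entries = in_entries, False
    return mixed
```

Each returned pair names a profile and entry ID that should be split or trimmed by hand before relying on the migrated profile.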