This article discusses Application Control configuration and is particularly relevant when upgrading from previous versions of FortiOS.
After migrating a configuration to FortiOS 5.2 from an older version, it might be necessary to manually adjust the Application Control profile configuration in the CLI.
In FortiOS 5.2, the Application Control list consists of multiple entries, each of which can contain a single AC signature, multiple AC signatures, a single AC signature group, or multiple AC signature groups. Prior to FortiOS 5.2, a single Application Control profile entry could contain both AC signature groups and specific AC signatures.
An example prior to 5.2 would be:
    config application list
        edit kb-example
            config entries
                edit 1
                    set category 1
                    set application 2
            end
    end
FortiOS 5.2 no longer accepts both AC signatures and AC signature groups in a single AC list entry.
However, during scripted configuration migration it is not possible to decide which type of entry should be given priority: the signature group or the specific signature. This depends on the intended use of the AC profile, and has to be decided by the administrator.
Where both a signature group and a signature are used in a single FortiOS 5.2 AC list entry, priority will be given to the AC signature group, and the action configured for the group will take precedence over single signatures.
If a combined configuration was used prior to migration, it is necessary to manually review the CLI configuration of the AC list and either remove the AC signature groups from the configuration or move them to separate entries.
An example in 5.2 would be:
    config application list
        edit kb-example
            config entries
                edit 1
                    set category 1
                    set action pass
                next
                edit 2
                    set application 2
                    set action pass
            end
    end
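The manual review described above can be pre-screened offline against a configuration backup. The following is an added example, not Fortinet code: the function name find_mixed_entries is hypothetical, the two sample strings are this article's own examples written one command per line, and the parser assumes that "config entries" is the only block nested inside an application list.

```python
# Added example (not Fortinet code). Assumes one CLI command per line and
# that "config entries" is the only block nested inside an application list.

PRE_52 = """config application list
edit kb-example
config entries
edit 1
set category 1
set application 2
end
end"""

POST_52 = """config application list
edit kb-example
config entries
edit 1
set category 1
set action pass
next
edit 2
set application 2
set action pass
end
end"""

def find_mixed_entries(config_text):
    """Return (list_name, entry_id) for every entry needing manual review."""
    findings, in_lists, in_entries = [], False, False
    names, seen = {"list": None, "entry": None}, set()
    for raw in config_text.splitlines():
        tok = raw.split()
        if tok[:3] == ["config", "application", "list"]:
            in_lists = True
        elif not tok or not in_lists:
            continue
        elif tok[:2] == ["config", "entries"]:
            in_entries = True
        elif tok[0] == "set" and in_entries and len(tok) > 2:
            seen.add(tok[1])
        elif tok[0] in ("edit", "next", "end"):
            # edit/next/end all close the entry that was being edited.
            if in_entries and {"category", "application"} <= seen:
                findings.append((names["list"], names["entry"]))
            seen = set()
            if tok[0] == "edit" and len(tok) > 1:
                names["entry" if in_entries else "list"] = " ".join(tok[1:]).strip('"')
            elif tok[0] == "end":  # leaves "config entries" first, then the list block
                in_lists, in_entries = in_entries, False
    return findings
```

Each returned pair names an entry where the group action would override the per-signature intent, so the administrator still has to decide whether to drop the group or split it into its own entry.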