FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 225563


This article describes how to allow the user access to Skype for Business (Web access and Desktop application) when Application Control is applied to policy to block all internet access.


By only allowing Skype application signatures in Application Control will not be sufficient to allow access to Skype in an environment where Application Control has been configured to block all internet access.




FortiGate in Profile-mode, version 6.4.9 and above.




Skype for Business is an application owned by Microsoft, hence it is necessary to add a few Microsoft component signatures to fully allow Skype to be accessible in a 'block-all' environment.


Below are the steps to configure Application Control UTM profile to block all and only allow Skype:


1) Login to FortiGate GUI.

2) Select the 'Security Profiles' tab on the left-hand side of GUI and search for  'Application Control' tab:


Go to Security Profiles - > Application Control.




3) Select 'Create New' to create a new Application control profile.

4) Fill in the "Name" tab and select action to 'Block All Categories' in Categories section:

(This configuration is to block all access to all internet application signatures)


Screenshot 2022-10-05 094816.png


5) To only allow Skype access, it is necessary to add Skype application signature and a few Microsoft signatures in 'Application and Filter Overrides'.


Select 'Create New' to add Skype and Microsoft app signature:


Go to Application and Filter Overrides - > Create New.


Screenshot 2022-10-05 101428.png


6)  To add Skype application signature, set type as 'Application', search for Skype and select 'Add All Results':


Go to Type Application - > Action "Allow - >  Search 'Skype' - > Add All Results.


Screenshot 2022-10-05 105722.png


7) Now search for 'Microsoft.Portal', 'Microsoft.CDN' and 'Microsoft.Authentication' application signature that required by Skype.


Select 'Add All Results' after each search.


8) To verify all the list of added application signatures, select 'Selected' tab and make sure all the signatures below have been added.

Select 'OK' once confirmed.


Screenshot 2022-10-06 162703.png


9) Select 'OK' to save the configured Application Control profile.


Screenshot 2022-10-06 171733.png


How to apply the created Application control profile to firewall policy:


1) Select 'Policy & Objects' tab on your left-hand side, and select 'Firewall Policy':


Go to Policy & Objects - > Firewall Policy


Screenshot 2022-10-06 172403.png


2) Edit any policy that allows user to connect to internet and apply with the created Application control profile:


Go to Edit Policy (Internet Access) - > Security Profiles - > Action 'ACCEPT' - > Application Control - > Select 'Skype' profile - >  Select 'OK'.


Screenshot 2022-10-06 172644.png



Refer to below-related documents for a guide on configuring firewall policy.


Related article: