FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes that the application control detects the application type, but does not block it if the FQDN is in the exempt list of the deep inspection profile.
Scope
FortiOS.
Solution
If an FQDN (for example sls.update.microsoft.com) used by an application (Windows Update) is included in the exempt list of the deep inspection profile, that application will not be blocked by the Application Control Profile, even though it will be identified properly.
The reason behind it is the fact that the Exempt list in the deep inspection profile has more priority compared to the Block/Reset action of the Application Control.
Therefore if an application has to be blocked, the relevant FQDNs have to be removed from the exempt list of the deep inspection profile.
