Description: This article explains how traffic flows when the firewall policy is configured in proxy mode with an application control profile.
Scope: Any supported version of FortiGate.
Solution:
When the FortiGate firewall policy is configured in proxy mode with an application control profile to detect, allow or deny specific application traffic, proxy deep inspection with the application filter works by sending the traffic to the IPS engine first. The IPS engine performs application matching on the still-encrypted stream and, if the traffic is allowed, forwards it to the WAD process, which performs the SSL decryption (deep inspection). The plaintext application data is then sent back to the IPS engine for a second application matching step, which is the point at which a plaintext signature such as ActiveSync can match.
Traffic --> IPS --> WAD --> IPS (Application ActiveSync)
If the application traffic is HTTPS.BROWSER based and HTTPS.BROWSER is not allowed in application control, the IPS engine inspects the traffic and drops it before it is ever forwarded to the WAD for decryption. As a result, the traffic can never be matched against the plaintext application signature (ActiveSync).
traffic --> IPS --> X (SSL BLOCKED)
From FortiOS 7.0.6 onwards, the HTTPS/SSL traffic is allowed to pass to the WAD for SSL deep inspection first, so the IPS engine can match the decrypted plaintext data against the application signature (ActiveSync) before a verdict is reached.
Below is an example firewall policy for ActiveSync traffic to an Exchange server over HTTPS:
config firewall policy
    edit XX
        set name "Test_app"
        set uuid 40d368c0-941b-51e9-42cb-e78482ce71e7
        set srcintf "wan1"
        set dstintf "DMZ"
        set action accept
        set srcaddr "all"
        set dstaddr "x.x.x.x - y.y.y.y"
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "deep-inspection-public"
        set ips-sensor "protect_http_server"
        set application-list "activesync_only"
    next
end
The application control profile referenced by the policy is as follows (entry 2 is the HTTPS.BROWSER allow entry needed before FortiOS 7.0.6 so that the traffic reaches the WAD for decryption):
config application list
    edit "SOM-APP- activesync_only"
        set comment "Erlaubt nur MS Active Sync - App-Filter fuer Exchange server"
        set other-application-log enable
        set unknown-application-action block
        set unknown-application-log enable
        config entries
            edit 1
                set application 26886
                set action pass
            next
            edit 2
                set application 40568    <-- Allow HTTPS.BROWSER
                set action pass
            next
            edit 3
                set category 2 3 5 6 7 8 12 17 21 22 23 25 26 28 29 30 31 32
                (category 15, which is for network services, is removed)
            next
        end
    next
end
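The two-pass matching described above (encrypted-stage IPS match, WAD decryption, plaintext-stage IPS match) and the profile listed here, modelled as an added example. This is not code from the article or from Fortinet. It assumes, following the profile's own annotation, that application ID 40568 is HTTPS.BROWSER, and it assumes that 26886 is the ActiveSync signature (the article does not name it). The pre-7.0.6 and 7.0.6-onwards behaviours are modelled only as far as the article describes them: whether a blocked HTTPS.BROWSER match stops the flow before decryption.

```python
# Constructed model of FortiGate proxy-mode application control with deep inspection.
# Application IDs follow the article's profile: 40568 is HTTPS.BROWSER (per the
# article's annotation); 26886 is assumed here to be the ActiveSync signature.
from dataclasses import dataclass
from typing import Dict, List, Tuple

HTTPS_BROWSER = 40568
ACTIVESYNC = 26886        # assumption: ActiveSync application ID in the article's profile
SOME_OTHER_APP = 12345    # constructed ID for an application with no profile entry


@dataclass
class AppProfile:
    """Minimal view of an application list: explicit entries plus the unknown action."""
    entries: Dict[int, str]          # application ID -> "pass" or "block"
    unknown_action: str = "block"    # set unknown-application-action block

    def action_for(self, app_id: int) -> str:
        return self.entries.get(app_id, self.unknown_action)


@dataclass
class Flow:
    tls: bool        # outer connection is TLS (service HTTPS in the policy)
    outer_app: int   # ID the IPS engine matches on the still-encrypted stream
    inner_app: int   # ID the IPS engine matches on plaintext after WAD decryption


def inspect(flow: Flow, profile: AppProfile, defer_ssl_verdict: bool) -> Tuple[str, List[str]]:
    """Return (verdict, path) for one flow.

    defer_ssl_verdict=False models FortiOS before 7.0.6: a blocked encrypted-stage
    match (e.g. HTTPS.BROWSER not allowed) drops the flow before it reaches the WAD.
    defer_ssl_verdict=True models 7.0.6 onwards: TLS flows reach the WAD for
    decryption and the plaintext-stage match decides.
    """
    path = ["IPS"]
    outer_verdict = profile.action_for(flow.outer_app)

    if not flow.tls:
        # Nothing to decrypt: the first IPS pass is the final verdict.
        path.append("X" if outer_verdict == "block" else "forward")
        return outer_verdict, path

    if outer_verdict == "block" and not defer_ssl_verdict:
        # Dropped on the encrypted stream; the ActiveSync signature is never evaluated.
        path.append("X (SSL BLOCKED)")
        return "block", path

    # Decrypt in WAD, then hand the plaintext back to the IPS engine.
    path += ["WAD", "IPS"]
    inner_verdict = profile.action_for(flow.inner_app)
    path.append("X" if inner_verdict == "block" else "forward")
    return inner_verdict, path


# The article's profile without entry 2, and with entry 2 (HTTPS.BROWSER allowed).
ACTIVESYNC_ONLY = AppProfile(entries={ACTIVESYNC: "pass"})
WITH_HTTPS_BROWSER = AppProfile(entries={ACTIVESYNC: "pass", HTTPS_BROWSER: "pass"})

# Constructed flows: Exchange ActiveSync over HTTPS, and an unrelated app over HTTPS.
EXCHANGE_FLOW = Flow(tls=True, outer_app=HTTPS_BROWSER, inner_app=ACTIVESYNC)
OTHER_FLOW = Flow(tls=True, outer_app=HTTPS_BROWSER, inner_app=SOME_OTHER_APP)


def run_scenarios() -> Dict[str, Tuple[str, List[str]]]:
    """Evaluate the scenarios the article walks through, keyed by a short label."""
    return {
        "pre-7.0.6, no HTTPS.BROWSER entry": inspect(EXCHANGE_FLOW, ACTIVESYNC_ONLY, False),
        "pre-7.0.6, HTTPS.BROWSER allowed": inspect(EXCHANGE_FLOW, WITH_HTTPS_BROWSER, False),
        "7.0.6+, no HTTPS.BROWSER entry": inspect(EXCHANGE_FLOW, ACTIVESYNC_ONLY, True),
        "7.0.6+, unknown app after decryption": inspect(OTHER_FLOW, WITH_HTTPS_BROWSER, True),
    }


if __name__ == "__main__":
    for label, (verdict, path) in run_scenarios().items():
        print(f"{label:40s} {verdict:5s} {' --> '.join(path)}")
```

The first scenario reproduces the `traffic --> IPS --> X (SSL BLOCKED)` path from the article, the second shows why entry 2 in the profile makes the flow reach the WAD and match ActiveSync on the second IPS pass, and the last shows that the unknown-application-action still blocks traffic whose plaintext matches nothing in the list, so allowing HTTPS.BROWSER does not open the policy to arbitrary HTTPS applications.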
Copyright 2024 Fortinet, Inc. All Rights Reserved.