Description: This article explains how traffic flows when a firewall policy is configured in proxy mode with an application control profile.
Scope: FortiGate.
Solution:
When a FortiGate policy is configured in proxy mode with an application control profile that detects, allows or denies specific application traffic, proxy deep inspection with the application filter works by first sending the traffic to the IPS engine.
The IPS engine performs application matching on the traffic as it arrives (still encrypted in the case of HTTPS). If that first verdict is pass, the traffic is forwarded to the WAD, which performs the SSL decryption (deep inspection). The decrypted, plain-text application data is then sent back to the IPS engine for a second application matching step; this second pass is where a plain-text signature such as ActiveSync can match.
Traffic --> IPS --> WAD --> IPS (Application ActiveSync).
If the traffic is matched as HTTPS.BROWSER and that signature is not allowed by the application control profile, the IPS engine drops it on the first pass, before it reaches the WAD for decryption. The decrypted payload is therefore never matched against the plain-text application signature (ActiveSync).
Note: The HTTPS.BROWSER application control signature has been deprecated and was removed in Application Definitions database version 34.00076. Use the SSL or TLS version signatures instead.
Traffic --> IPS --> X (SSL BLOCKED).
From FortiOS 7.0.6 onwards, HTTPS/SSL traffic is passed through to the WAD for SSL deep inspection, so the IPS engine can match the decrypted plain-text data against the application signature (ActiveSync).
Below is an example policy for Exchange ActiveSync traffic over HTTPS:
# config firewall policy
    edit XX
        set name "Test_app"
        set uuid 40d368c0-941b-51e9-42cb-e78482ce71e7
        set srcintf "wan1"
        set dstintf "DMZ"
        set action accept
        set srcaddr "all"
        set dstaddr "x.x.x.x - y.y.y.y"
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "deep-inspection-public"
        set ips-sensor "protect_http_server"
        set application-list "activesync_only"
    next
end
The app control profile is as follows:
# config application list
    edit "SOM-APP- activesync_only"
        set comment "Allows only MS ActiveSync - app filter for Exchange server"
        set other-application-log enable
        set unknown-application-action block
        set unknown-application-log enable
        config entries
            edit 1
                set application 26886
                set action pass
            next
            edit 2
                set application 15895    <-- Allow SSL
                set action pass
            next
            edit 3
                set category 2 3 5 6 7 8 12 15 17 21 22 23 25 26 28 29 30 31 32
            next
        end
    next
end
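The two-pass flow described above and the profile just shown, modelled as an added Python example (this is not FortiOS or Fortinet code): the profile is consulted once on the encrypted flow by the IPS engine and again on the decrypted data after the WAD, with a flag that switches between the pre-7.0.6 behaviour and the 7.0.6+ behaviour. Application IDs 26886 and 15895 are taken from the profile above; the category numbers assigned to the flows, the first-match evaluation of entries, the block default assumed for entry 3 and the pass default for other-application-action are assumptions of the model, not statements from the article.

```python
"""Model of the proxy-mode two-pass application inspection flow.

Added example, not FortiOS code. It shows why the SSL signature (entry 2,
"<-- Allow SSL") must be allowed on firmware before 7.0.6: otherwise the first
IPS pass drops the encrypted flow and ActiveSync is never matched.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Application IDs as shown in the article's profile.
APP_ACTIVESYNC = 26886   # entry 1
APP_SSL = 15895          # entry 2 ("<-- Allow SSL")

# Constructed category numbers for this example (not real Fortinet category IDs):
# the SSL signature is placed in a category that entry 3 blocks, ActiveSync is not.
CAT_SSL_CONSTRUCTED = 6
CAT_ACTIVESYNC_CONSTRUCTED = 9


@dataclass
class Entry:
    action: str                                   # "pass" or "block"
    applications: Set[int] = field(default_factory=set)
    categories: Set[int] = field(default_factory=set)

    def matches(self, app_id: int, category: Optional[int]) -> bool:
        return app_id in self.applications or category in self.categories


@dataclass
class AppProfile:
    entries: List[Entry]
    other_application_action: str = "pass"    # assumed default for known apps with no entry
    unknown_application_action: str = "pass"  # the article's profile sets this to block

    def decide(self, app_id: Optional[int], category: Optional[int]) -> str:
        """Verdict for one inspection pass. Assumption: entries are evaluated in
        order, first match wins; app_id None means the engine identified nothing."""
        if app_id is None:
            return self.unknown_application_action
        for entry in self.entries:
            if entry.matches(app_id, category):
                return entry.action
        return self.other_application_action


@dataclass(frozen=True)
class TlsFlow:
    outer_app: int                  # what IPS sees before decryption (the SSL signature)
    outer_category: int
    inner_app: Optional[int]        # what IPS sees after WAD decryption; None = unidentified
    inner_category: Optional[int]


def article_profile(allow_ssl: bool) -> AppProfile:
    """The profile from the article; allow_ssl=False omits entry 2.
    Entry 3 has no explicit action in the article; block is assumed here."""
    entries = [Entry("pass", applications={APP_ACTIVESYNC})]
    if allow_ssl:
        entries.append(Entry("pass", applications={APP_SSL}))
    entries.append(Entry("block", categories={2, 3, 5, 6, 7, 8, 12, 15, 17, 21,
                                             22, 23, 25, 26, 28, 29, 30, 31, 32}))
    return AppProfile(entries, unknown_application_action="block")


def inspect_flow(flow: TlsFlow, profile: AppProfile,
                 ssl_deferred_to_wad: bool) -> Tuple[str, List[str]]:
    """Run the two-pass flow and return (verdict, trace).

    ssl_deferred_to_wad=False models firmware before 7.0.6: the first IPS pass
    enforces the profile on the encrypted flow, so a blocked SSL signature never
    reaches the WAD. True models 7.0.6+ as the article describes it: the
    encrypted flow is handed to the WAD and the verdict is taken on plain text.
    """
    trace = ["IPS"]
    if not ssl_deferred_to_wad:
        if profile.decide(flow.outer_app, flow.outer_category) == "block":
            trace.append("X (SSL BLOCKED)")
            return "block", trace
    trace.append("WAD")   # TLS decrypted by the proxy
    trace.append("IPS")   # second application matching pass on plain text
    return profile.decide(flow.inner_app, flow.inner_category), trace


# Constructed flows: Exchange ActiveSync inside TLS, and a TLS flow whose
# decrypted payload matches no known application.
ACTIVESYNC_OVER_TLS = TlsFlow(APP_SSL, CAT_SSL_CONSTRUCTED,
                              APP_ACTIVESYNC, CAT_ACTIVESYNC_CONSTRUCTED)
UNIDENTIFIED_OVER_TLS = TlsFlow(APP_SSL, CAT_SSL_CONSTRUCTED, None, None)

if __name__ == "__main__":
    for label, profile, deferred in [
        ("SSL allowed, pre-7.0.6    ", article_profile(True), False),
        ("SSL not allowed, pre-7.0.6", article_profile(False), False),
        ("SSL not allowed, 7.0.6+   ", article_profile(False), True),
    ]:
        verdict, trace = inspect_flow(ACTIVESYNC_OVER_TLS, profile, deferred)
        print(f"{label}: {verdict:5s}  {' --> '.join(trace)}")
    verdict, trace = inspect_flow(UNIDENTIFIED_OVER_TLS, article_profile(True), True)
    print(f"unidentified after decrypt : {verdict:5s}  {' --> '.join(trace)}")
```

The second case reproduces the "Traffic --> IPS --> X (SSL BLOCKED)" path: with entry 2 removed, the SSL signature falls into the blocked categories of entry 3 and the flow is dropped before decryption. The last case shows the unknown-application-action block of the article's profile applying after decryption, which is why that setting matters even when SSL and ActiveSync are allowed.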
Copyright 2026 Fortinet, Inc. All Rights Reserved.