saleha
Staff & Editor
Article Id 319601
Description: This article describes how to use FortiGate's NGFW capabilities to inspect the application layer (payload) of a packet and block the use of Google applications by means of application signatures.
Scope: FortiGate.
Solution:

Google Drive vs Google Docs:

The two applications have different application signatures and categories at FortiGuard Labs:

  • Google.Drive_File.upload (Application ID 32122) is listed under the 'Storage' category, which covers online file storage.
  • Google.Docs_File.Upload (Application ID 23756) is listed under the 'Collaboration' category, which includes tools such as remote meeting applications. Google.Docs_File.Upload is a child of the application signature Google.Docs (Application ID 16541).

Blocking the applications based on signatures:

  • Create or use one of the default application control profiles under Security Profiles -> Application Control.
  • Notice that both the Storage and Collaboration categories are set to the 'Monitor' action.
  • In the Application and Filter Overrides table, select 'Create New'.
  • In the new window, keep the Application tab selected and search for both applications.
  • Select both applications, then right-click on either of them and select the option 'Selected'.
  • Keep the action set to Block and save by selecting OK, then select OK again in the original profile window to save all changes.
  • Go to Policy & Objects -> Firewall Policy and create the firewall policy that allows users to access the internet, with the necessary configuration such as NAT. Make sure to enable Application Control and select the profile to which the application override for both Google applications was added.
  • Enable the SSL inspection profile and select Deep Packet Inspection. Enabling logging for All Sessions is not strictly necessary, since traffic blocked by the security profile shows up in the security logs regardless, but it is worth turning on. Save the changes by selecting the OK button.
    Note: Not all applications require Deep Inspection; refer to the article 'Technical Tip: How to check which application requires deep SSL inspection under Application Control' for more information.
  • It may be necessary to install the Fortinet factory CA certificate used by the SSL inspection profile on the client devices. Otherwise, all browser activity will show a certificate warning, because the certificate configured on the Deep Packet Inspection profile is not trusted by the clients.
  • Test by accessing the Google Docs or Google Drive websites; the result should be a redirection to an application control block page.

CLI example:

config firewall policy
    edit 3
        set name "internet"
        set uuid 074934c6-2526-51ef-19e0-5c2e135a5b11
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set srcaddr "10.10.1.0-net"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set ips-sensor "default"
        set application-list "default"
        set logtraffic all
        set nat enable
    next
end

config application list
    edit "default"
        set comment "Monitor all applications."
        config entries
            edit 1
                set application 16541 32121
            next
            edit 2
                set action pass
            next
        end
    next
end

Example log event:

86: date=2024-06-07 time=16:57:49 eventtime=1717804669793761154 tz="-0700" logid="1059028705" type="utm" subtype="app-ctrl" eventtype="signature" level="warning" vd="root" appid=16541 srcip=10.10.1.2 srccountry="Reserved" dstip=142.251.41.46 dstcountry="United States" srcport=61514 dstport=443 srcintf="port1" srcintfrole="undefined" dstintf="port2" dstintfrole="undefined" proto=6 service="SSL" direction="outgoing" policyid=3 poluuid="074934c6-2526-51ef-19e0-5c2e135a5b11" policytype="policy" sessionid=6851633 applist="default" action="block" appcat="Collaboration" app="Google.Docs" hostname="docs.google.com" incidentserialno=267389113 url="/" msg="Collaboration: Google.Docs" apprisk="elevated"
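As an added example (not code from the article or from Fortinet), the following Python script parses the FortiOS key=value log format shown above, runs over the block event from the article plus a constructed pass event, and pulls out the blocked events for the two Google application IDs given earlier, confirming they were enforced by the policy UUID from the CLI example. The function names, the second sample line and its placeholder application ID are my own.

```python
import re
from typing import Dict, Iterable, List

# FortiOS logs are space-separated key=value pairs; values with spaces or
# colons are double-quoted, e.g. msg="Collaboration: Google.Docs".
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_INDEX_RE = re.compile(r"^\s*\d+:\s+")  # "86: " prefix from `execute log display`


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiOS log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in _KV_RE.findall(_INDEX_RE.sub("", line, count=1)):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def blocked_app_events(lines: Iterable[str],
                       watched_appids=("16541", "32122")) -> List[Dict[str, str]]:
    """Return app-ctrl block events for the watched application IDs (article's IDs)."""
    keep = ("appid", "app", "appcat", "hostname", "srcip", "policyid", "poluuid")
    hits = []
    for line in lines:
        ev = parse_fortigate_log(line)
        if ev.get("subtype") != "app-ctrl" or ev.get("action") != "block":
            continue
        if ev.get("appid") in watched_appids:
            hits.append({k: ev.get(k, "") for k in keep})
    return hits


def event_matches_policy(event: Dict[str, str], policy_uuid: str) -> bool:
    """Check that the block was enforced by the expected firewall policy (by UUID)."""
    return event.get("poluuid", "").lower() == policy_uuid.lower()


# Line 1 is the block event quoted in the article; line 2 is a constructed
# pass event for a non-Google application (placeholder appid 99999) on the same policy.
SAMPLE_LOGS = [
    '86: date=2024-06-07 time=16:57:49 eventtime=1717804669793761154 tz="-0700" logid="1059028705" type="utm" subtype="app-ctrl" eventtype="signature" level="warning" vd="root" appid=16541 srcip=10.10.1.2 srccountry="Reserved" dstip=142.251.41.46 dstcountry="United States" srcport=61514 dstport=443 srcintf="port1" srcintfrole="undefined" dstintf="port2" dstintfrole="undefined" proto=6 service="SSL" direction="outgoing" policyid=3 poluuid="074934c6-2526-51ef-19e0-5c2e135a5b11" policytype="policy" sessionid=6851633 applist="default" action="block" appcat="Collaboration" app="Google.Docs" hostname="docs.google.com" incidentserialno=267389113 url="/" msg="Collaboration: Google.Docs" apprisk="elevated"',
    '87: date=2024-06-07 time=16:58:01 type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" appid=99999 srcip=10.10.1.2 dstip=203.0.113.10 dstport=443 policyid=3 poluuid="074934c6-2526-51ef-19e0-5c2e135a5b11" applist="default" action="pass" appcat="Web.Client" app="Example.App" hostname="example.invalid" msg="Web.Client: Example.App"',
]

if __name__ == "__main__":
    for hit in blocked_app_events(SAMPLE_LOGS):
        print(hit["srcip"], "blocked", hit["app"], "at", hit["hostname"])
```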


Related article:
Technical Tip: How to block Upload on Google drive by using Application Profile