FortiGate
spathak
Staff
Article Id 198002

Description


This article explains how to use Application Overrides.
An override controls the traffic of a specific application, exempting it from the action defined for its application category or switching it to a different action.

 

Scope

 

FortiGate, all application control signatures.

Solution


When the flow of traffic from a specific application must be controlled, identifying that traffic by source address, destination address, or port may not be precise enough.
To address this problem, the application control feature examines the traffic itself for signatures unique to the application generating it.

Steps for enabling Application Overrides:


GUI steps:
Go to: Security Profiles -> Application Control -> Application Overrides.

 
Select 'Add Signatures' to add the specific Application.
Select 'Add Filter' to filter the application.
 
In newer versions (after v7.x.x), the Application Filter looks like the following:
 

application overrirdeoption.PNG

 

Select 'Create New' to add the specific Application.

It is possible to filter the application via Behavior, Category, Language, Name, Popularity, Protocol, Risk, Technology and Vendor (the best option will be Name):
 
 
Set the filter to 'name' (as in the example), and enter the specific application name.
Select the required signatures by selecting 'Use Selected Signatures'.
 
 
To select them, either right-click on the application name and select the 'Add Selected' button, or select the application and select the 'Add Selected' button.
 
addselected.PNG

 

The selected applications are available in the list.
Set the action:
 
 
Select 'Apply':
Add the same Application profile to the required IPv4 policy.
 
firewallpolicy.PNG

 

This can also be verified from the Application Control log. To view it, go to Log & Report -> Security Events -> Application Control.
 
blockfblog.PNG

 

 

To configure overrides from the CLI, use the following:

 

config application list
    edit <name>
        config entries
            edit <id>
                set protocols all              <----- Default all, 0-47.
                set risk all                   <----- Default all, 1 (low) - 5 (critical).
                set vendor all                 <----- Default all, 0-25.
                set technology all             <----- Default all, 0-4.
                set behavior all               <----- Default all, 2, 3, 5, or 6.
                set popularity 1 2 3 4 5       <----- Default 1 2 3 4 5, from least popular.
                set action {pass | block | reset}
                set quarantine {none | attacker}
                set log {enable | disable}
            next
        end
    next
end
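To review the entries of an existing profile offline, the following added example (not Fortinet's code and not part of the original article) parses the `config application list` layout shown above from a configuration backup and flags entries worth a second look. The sample configuration, the profile name and the review policy are assumptions made for illustration; a missing `action` is reported as unset rather than assuming the FortiOS default.

```python
import shlex

# Constructed sample in the layout of the CLI template above (names/values are made up).
SAMPLE_CONFIG = '''
config application list
    edit "office-profile"
        config entries
            edit 1
                set action block
            next
            edit 2
                set action pass
                set log disable
            next
            edit 3
                set behavior 2
            next
        end
    next
end
'''

def parse_application_lists(text):
    """Return {profile: {entry_id: {setting: [values]}}}."""
    profiles, stack = {}, []  # stack = names of the open config/edit blocks
    for raw in text.splitlines():
        tok = shlex.split(raw) or [""]
        if tok[0] in ("config", "edit"):
            stack.append(" ".join(tok[1:]))
        elif tok[0] in ("next", "end") and stack:
            stack.pop()
        in_entry = len(stack) == 4 and stack[0] == "application list" and stack[2] == "entries"
        if in_entry and tok[0] == "edit":
            profiles.setdefault(stack[1], {})[stack[3]] = {}
        elif in_entry and tok[0] == "set" and len(tok) > 1:
            profiles[stack[1]][stack[3]][tok[1]] = tok[2:]
    return profiles

def review_entries(profiles):
    """Flag entries worth a second look (this review policy is an assumption)."""
    findings = []
    for profile, entries in profiles.items():
        for entry_id, s in entries.items():
            action, log = s.get("action", ["unset"])[0], s.get("log", ["unset"])[0]
            if action == "unset":
                findings.append((profile, entry_id, "no explicit action"))
            elif action == "pass" and log != "enable":
                findings.append((profile, entry_id, "pass without logging"))
    return findings
```

Calling `review_entries(parse_application_lists(SAMPLE_CONFIG))` on the constructed sample reports entry 2 (pass without logging) and entry 3 (no explicit action).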

 

Note:
Some AppCTRL signatures might require SSL Deep Inspection (DPI) to be enabled; with certificate inspection only, the configuration would not work. To check whether a particular signature requires DPI, search for the specific AppCTRL signature on the FortiGuard webpage.

 
 

AppCTRL.PNG