akileshc
Staff
Article Id 205867
Description
This article describes how to apply and validate an application custom signature in FortiGate.

Scope
Granular control can be achieved by blocking, monitoring, accepting, or quarantining packets that match the signature.
Solution
Custom application signatures recognize particular kinds of packets as they pass through the FortiGate. Once built, a custom signature can be applied to an application control sensor.

The sensor can be configured to block, monitor, allow, or quarantine packets that match the signature. The sensor is then added to a firewall policy.

When traffic handled by that firewall policy contains a packet matching the custom signature, the FortiGate applies the action defined in the sensor to that packet.

Use the following CLI commands to add the custom signatures.

 

For example:


config application custom
    edit "FastLemon.VPN.ProH.Set.Custom"
        set signature "F-SBID( --name \"FastLemon.VPN.ProH.Set.Custom\"; --protocol tcp; --flow from_client; --dst_port 29914; --seq =,1,relative; --data_size >144; --data_size <293; --pattern !\"|16 03|\"; --context packet; --within 2,context; --pattern !\"|17 03|\"; --context packet; --within 2,context; --pattern !\"|00 00|\"; --context packet; --tag set,Tag.xvpn.ProH.TCP.Set; --app_cat 6; --weight 15; )"
    next
end
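To check which payloads the signature above would and would not hit before deploying it, its match conditions can be modelled offline. The Python below is an added example, not Fortinet code and not part of the original article. It assumes `--context packet` refers to the TCP payload; the packet dictionary and the `packet()` helper are hypothetical.

```python
import re

# Signature from the article, with the CLI's \" escaping removed.
SIG = ('F-SBID( --name "FastLemon.VPN.ProH.Set.Custom"; --protocol tcp; '
       '--flow from_client; --dst_port 29914; --seq =,1,relative; '
       '--data_size >144; --data_size <293; '
       '--pattern !"|16 03|"; --context packet; --within 2,context; '
       '--pattern !"|17 03|"; --context packet; --within 2,context; '
       '--pattern !"|00 00|"; --context packet; '
       '--tag set,Tag.xvpn.ProH.TCP.Set; --app_cat 6; --weight 15; )')

def parse(sig):
    """Split the F-SBID body into ordered (option, value) pairs."""
    body = sig[sig.index("(") + 1:sig.rindex(")")]
    return [(m.group(1), m.group(2).strip())
            for m in re.finditer(r'--(\w+)\s*((?:"[^"]*"|[^;"])*);', body)]

def to_bytes(pattern):
    """Decode a quoted pattern; text between | | is hex, the rest is literal."""
    parts = pattern.strip('"').split("|")
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode()
                    for i, p in enumerate(parts))

def matches(sig, pkt):
    """Approximate match logic; name, context, tag, app_cat, weight are ignored."""
    data, patterns = pkt["payload"], []  # assumption: context "packet" = payload
    for key, val in parse(sig):
        if key == "protocol" and pkt["proto"] != val:
            return False
        if key == "flow" and pkt["flow"] != val:
            return False
        if key == "dst_port" and pkt["dst_port"] != int(val):
            return False
        # "=,1,relative": relative sequence number 1, the first data segment
        if key == "seq" and pkt["rel_seq"] != int(val.split(",")[1]):
            return False
        if key == "data_size":
            bound = int(val[1:])
            if not (len(data) > bound if val[0] == ">" else len(data) < bound):
                return False
        if key == "pattern":  # [negated, bytes, search window]
            patterns.append([val[0] == "!", to_bytes(val.lstrip("!")), len(data)])
        if key == "within":   # "2,context": only the first 2 bytes of the context
            patterns[-1][2] = int(val.split(",")[0])
    return all((pat in data[:win]) != neg for neg, pat, win in patterns)

def packet(payload, dst_port=29914, rel_seq=1):
    """Build a constructed client-to-server TCP segment for testing."""
    return {"proto": "tcp", "flow": "from_client", "dst_port": dst_port,
            "rel_seq": rel_seq, "payload": payload}
```

For example, `matches(SIG, packet(b"\x16\x03\x01" + b"\x7f" * 197))` returns `False`, because a payload starting with the TLS handshake bytes `16 03` is excluded by the first negated pattern.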

 

View the custom signature using the GUI:

[Screenshot: custom signature shown in the GUI]

For more information:

See the documentation on Creating IPS and application control signatures here. 

 

Note that the Fortinet Technical Support department does not offer technical assistance in customizing application control signatures.

 

Details about what is and is not supported by Fortinet TAC support in support tickets can be found here:

Technical support on customization on various Fortinet products.