FortiGate
akileshc
Staff
Description
This article describes how to apply and validate an application custom signature in FortiGate.

Scope
Granular control can be achieved by blocking, monitoring, accepting, or quarantining packets that match the signature.
Solution
Custom application signatures let the FortiGate recognize particular kinds of packets as they pass through it. Once built, the custom signature can be added to an application control sensor, and the sensor can be configured to block, monitor, allow, or quarantine packets that match the signature. The sensor is then added to a firewall policy.

When a packet matching the custom signature is recognized by the firewall policy, the FortiGate applies the configured action to that packet.

Use the following CLI commands to add the custom signature. For example:

# config application custom
    # edit "FastLemon.VPN.ProH.Set.Custom"
        # set signature "F-SBID( --name \"FastLemon.VPN.ProH.Set.Custom\"; --protocol tcp; --flow from_client; --dst_port 29914; --seq =,1,relative; --data_size >144; --data_size <293; --pattern !\"|16 03|\"; --context packet; --within 2,context; --pattern !\"|17 03|\"; --context packet; --within 2,context; --pattern !\"|00 00|\"; --context packet; --tag set,Tag.xvpn.ProH.TCP.Set; --app_cat 6; --weight 15; )"
    # next
# end
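Before pushing a signature like the one above to a sensor, it helps to review its options in a structured way. The following Python script is added here as an example; it is not part of the article and not a FortiOS tool. It splits the F-SBID body into its options, groups the pattern clauses with the context and within modifiers that follow them (the way the article's example is laid out), and flags obvious slips: a port outside 0-65535, data_size bounds that exclude every packet size, or a pattern with no context. The option meanings are taken only as they read in the example, not from a full F-SBID grammar, and the signature string embedded below (plus the deliberately broken one used for testing) is constructed for the demonstration.

```python
import re

# Constructed copy of the signature from the article, as the value reads once
# the CLI quoting (\") is removed; embedded so the script runs offline.
EXAMPLE_SIGNATURE = (
    'F-SBID( --name "FastLemon.VPN.ProH.Set.Custom"; --protocol tcp; '
    '--flow from_client; --dst_port 29914; --seq =,1,relative; '
    '--data_size >144; --data_size <293; --pattern !"|16 03|"; '
    '--context packet; --within 2,context; --pattern !"|17 03|"; '
    '--context packet; --within 2,context; --pattern !"|00 00|"; '
    '--context packet; --tag set,Tag.xvpn.ProH.TCP.Set; --app_cat 6; '
    '--weight 15; )'
)


def parse_fsbid(sig):
    """Split an F-SBID( ... ) body into an ordered list of (option, value) pairs.

    The scan is quote-aware, so a ';' inside a quoted --pattern value does not
    end the option, and backslash escapes inside quotes are unescaped.
    """
    m = re.fullmatch(r'\s*F-SBID\(\s*(.*?)\s*\)\s*', sig, re.S)
    if not m:
        raise ValueError("not an F-SBID( ... ) signature")
    body, options, i = m.group(1), [], 0
    n = len(body)
    while i < n:
        while i < n and body[i].isspace():
            i += 1
        if i >= n:
            break
        if not body.startswith('--', i):
            raise ValueError("expected '--' at offset %d: %r" % (i, body[i:i + 20]))
        i += 2
        j = i
        while j < n and (body[j].isalnum() or body[j] == '_'):
            j += 1
        name, i = body[i:j], j
        value, in_quote = [], False
        while i < n:
            c = body[i]
            if in_quote and c == '\\' and i + 1 < n:
                value.append(body[i + 1])  # keep only the escaped character
                i += 2
                continue
            if c == '"':
                in_quote = not in_quote
            elif c == ';' and not in_quote:
                i += 1
                break
            value.append(c)
            i += 1
        else:
            raise ValueError("option --%s is not terminated by ';'" % name)
        options.append((name, ''.join(value).strip()))
    return options


def _unquote(v):
    return v[1:-1] if len(v) >= 2 and v[0] == v[-1] == '"' else v


def summarize(options):
    """Group the flat option list into the fields a reviewer checks first.

    Each --pattern opens a new match clause; the --context and --within options
    that follow it are attached to that clause, as in the article's example.
    """
    s = {'name': None, 'protocol': None, 'flow': None,
         'dst_port': [], 'data_size': [], 'patterns': [], 'other': []}
    for opt, val in options:
        if opt == 'name':
            s['name'] = _unquote(val)
        elif opt in ('protocol', 'flow'):
            s[opt] = val
        elif opt in ('dst_port', 'data_size'):
            s[opt].append(val)
        elif opt == 'pattern':
            s['patterns'].append({'content': _unquote(val.lstrip('!')),
                                  'negated': val.startswith('!'),
                                  'context': None, 'within': None})
        elif opt in ('context', 'within') and s['patterns']:
            s['patterns'][-1][opt] = val
        else:
            s['other'].append((opt, val))
    return s


def lint(s):
    """Return a list of problems found in a summarized signature (empty = clean)."""
    findings = []
    for key in ('name', 'protocol'):
        if not s[key]:
            findings.append('missing --%s' % key)
    for p in s['dst_port']:
        if not (p.isdigit() and 0 <= int(p) <= 65535):
            findings.append('--dst_port %r is not a valid port number' % p)
    lower = upper = None
    for ds in s['data_size']:
        m = re.fullmatch(r'([<>=])(\d+)', ds)
        if not m:
            findings.append('--data_size %r is not of the form <N, >N or =N' % ds)
        elif m.group(1) == '>':
            lower = int(m.group(2))
        elif m.group(1) == '<':
            upper = int(m.group(2))
    if lower is not None and upper is not None and lower + 1 >= upper:
        findings.append('--data_size >%d and <%d admit no packet size' % (lower, upper))
    for k, pat in enumerate(s['patterns'], 1):
        if pat['context'] is None:
            findings.append('pattern %d (%s) has no --context' % (k, pat['content']))
    return findings


if __name__ == '__main__':
    summary = summarize(parse_fsbid(EXAMPLE_SIGNATURE))
    print(summary['name'], summary['protocol'], summary['flow'], summary['dst_port'])
    for pat in summary['patterns']:
        print(('NOT ' if pat['negated'] else '') + pat['content'], pat['context'], pat['within'])
    print('lint:', lint(summary) or 'no findings')
```

Running it against the article's signature shows that all three pattern clauses are negated (|16 03| and |17 03| are the leading bytes of TLS handshake and application-data records), so the match is carried by the port, direction and size constraints rather than by any positive content. That is worth knowing when judging how much unrelated traffic to TCP/29914 the sensor might also act on.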

 

The custom signature can also be viewed in the GUI.

If the firewall policy does not recognize the custom signature after it has been applied, collect the output of the following commands and open a support ticket.

SSH:

# diagnose ips filter set "host x.x.x.x" <----- Replace x.x.x.x with the IP address of the client unit.
# diagnose ips debug enable all
# diagnose debug enable

Once enough traffic is captured, enter the following CLI commands to stop the debug log capture:

# diagnose debug disable
# diagnose ips debug disable all
