Technical Tip: How to apply and validate a custom application signature in FortiGate

akileshc · ‎03-02-2022

Description

This article describes how to apply and validate an application custom signature in FortiGate.

Scope

Granular control can be achieved by blocking, monitoring, accepting, or quarantining packets that match the signature.

Solution

Custom application signatures help to recognize particular sorts of packets as they pass through the FortiGate,

and this custom signature may be applied to an application control sensor once built.

It is possible to configure the sensor to block, monitor, allow, or quarantine packets that match the signature.

After that, the sensor can be added to a firewall policy.

When a packet with the custom signature is recognized by the firewall policy,

the FortiGate does the action defined with the packet.

Use the following CLI commands to add the custom signatures.

For example:

config application custom
edit "FastLemon.VPN.ProH.Set.Custom"
set signature "F-SBID( --name \"FastLemon.VPN.ProH.Set.Custom\"; --protocol tcp; --flow from_client; --dst_port 29914; --seq =,1,relative; --data_size >144; --data_size <293; --pattern !\"|16 03|\"; --context packet; --within 2,context; --pattern !\"|17 03|\"; --context packet; --within 2,context; --pattern !\"|00 00|\"; --context packet; --tag set,Tag.xvpn.ProH.TCP.Set; --app_cat 6; --weight 15; )"
next

end

View Customer Signature Using the GUI:

For more information:

See the documentation on Creating IPS and application control signatures here.

Note that the Fortinet Technical Support department does not offer technical assistance in customizing application control signatures.

Details about what is and is not supported by Fortinet TAC support in support tickets can be found here:

Technical support on customization on various Fortinet products.