FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Kraven2323
Staff
Staff
Article Id 226281
Description This article describes why errors indicating incompatibility with an NGFW Policy mode appear on FortiGate in NGFW policy-based mode when trying to add certain applications to the firewall policy on version 6.4.10.
Scope FortiGate v6.4.10.
Solution

When adding some applications to the firewall policy, the following error may occur:

 

Kraven2323_0-1665472134107.png

 

Examples of trying to add large scan-range applications include:

 

'Gmail_Personal'.

 

Kraven2323_1-1665472253067.png

 

  • This cannot be added to the firewall policy.
  • This is an expected behavior when it comes to NGFW policy-based setup.
  • The signatures of 20% of applications exceed the limit of 4K bytes of data.
  • The 4K limitation represents the maximum number of bytes that will be allowed through the policy before IPS declares that the signature does not match.

This large scan-range application is removed in the 7.0.x version and later as per the screenshot below:

 

Kraven2323_2-1665472363195.png

 

  • One way to make FortiGate accept this behavior is to use a Custom Application Group.
  • The IPS is not visible in the groups at the time of configuration, which can affect what is allowed to be configured in the first place.
  • If some applications were able to be configured previously but then suddenly cannot be configured, this means there was an update to the Application Signatures and the signature for the specific Application increased over the limit.