Kraven2323 (Staff)
Article Id 226281
Description: This article describes why an error indicating that an application signature is incompatible with NGFW Policy mode may appear on FortiGate when trying to add certain applications to the Firewall Security Policy.
Scope: FortiGate v6.4.10 and above.
Solution

When adding some applications to the firewall security-policy, the following error may occur:

[Screenshot: GUI error shown when adding the application to the security policy]

Examples of large scan-range applications include:

  • Gmail_Personal
  • RTP
  • TOR
  • Netlogon

[Screenshot: examples of large scan-range applications]

When attempting to add the signature manually in CLI, the following error is displayed:

FortiGate-A # config firewall security-policy
FortiGate-A (security-policy) # edit 100999
FortiGate-A (100999) # set application 43322
Application 43322 is incompatible with NGFW Policy mode due to large scan-range detection requirements
node_check_object fail! for id 43322

In NGFW policy-based mode, the IPS engine scans only the first 4096 bytes of a session before it must make a final verdict on the detected application. The signatures of approximately 20% of applications need more data than this ngfw-max-scan-range limit allows and therefore cannot be identified in this mode. In v6.4.10 and later, a check was added that prevents these incompatible signatures from being configured.

The maximum scan range value is visible under 'config ips global'; however, this value cannot be changed.

show full-configuration ips global | grep ngfw-max-scan-range
set ngfw-max-scan-range 4096

Large scan-range application signatures can no longer be selected in the security-policy configuration GUI as of FortiOS v7.0.x. For example, note that Gmail_Personal no longer appears as an option in the screenshot below.

[Screenshot: security-policy application selector in FortiOS 7.0.x; Gmail_Personal is no longer listed]

To enable detection of large scan-range signatures, use profile-based NGFW mode. Note that changing the NGFW mode removes the configured policies and should not be done in production; see the FortiOS v7.4.8 Administration Guide: NGFW policy.


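As an added example (not part of the original article), the read-only checks an administrator would run before deciding anything: confirm which NGFW mode the VDOM is in, then confirm the fixed scan-range budget. The 'get system settings | grep ngfw-mode' command and the sample output are assumptions based on general FortiOS CLI behaviour, not taken from the article.

```fortios
# Added example, not from the article. Run inside the VDOM that holds the
# security-policy (root if VDOMs are disabled). Output below is constructed.

# 1. Which NGFW mode is this VDOM in? Only policy-based mode enforces the
#    4096-byte limit that produces the "incompatible" error.
FortiGate-A # get system settings | grep ngfw-mode
ngfw-mode           : policy-based

# 2. The per-session inspection budget in policy-based mode. This value is
#    read-only; the article notes it cannot be changed.
FortiGate-A # show full-configuration ips global | grep ngfw-max-scan-range
    set ngfw-max-scan-range 4096

# The mode itself lives under 'config system settings' (set ngfw-mode
# profile-based). Per the article, switching it removes existing policies,
# so treat it as a planned change window, never a live edit.
```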
The signatures for each application are stored in the Application Control signatures database. If some applications were available previously but can no longer be configured on an NGFW security-policy, the signature size may have changed as a result of the update.

Related article:
Technical Tip: HTTPS.BROWSER signature removed from Application Control as of Application Definition...