Support Forum
vladimircze
New Contributor III

How to make a policy which would be triggered for one application

Hello,

 

I have one problem, and I do not understand how to solve it:

I have to create one policy (IPv4) with application control. This policy must be triggered by a single application.

For example: with this policy I would like to control YouTube traffic, i.e. allow some AD group to visit YouTube pages.

Another rule would do the same for Facebook, for Twitter, etc.

How can I implement granular application control?

I can allow, block, or monitor applications, but I would like to use one application (for example the YouTube family).

Any ideas? Maybe I have to use a completely different approach?

PS: FGT100D, with active contract. No explicit proxy.

Update: forgot to mention: latest firmware as of today, v5.2.2, build 642 (GA)

Just an example of what I am speaking about: application control. I do not want to check or monitor categories. I would like to allow YouTube only, nothing more.

 


9 Replies
iJake
Contributor

The way to do this is to have an individual profile for each AD usergroup, which would contain all the applications you want to control for that usergroup.

 

You can't create a profile for each individual app and apply multiple profiles to one rule.

......

-Jake

vladimircze
New Contributor III

iJake wrote:

The way to do this is to have an individual profile for each AD usergroup, which would contain all the applications you want to control for that usergroup.

 

You can't create a profile for each individual app and apply multiple profiles to one rule.

Hi, thanks,

 

I understand AD groups and we are using this (FSSO Agents on AD servers).

But my question was: how to create a policy rule that would match the following criteria:

1. User in group "allowed_youtube" or "social_media"

2. Application "youtube"

3. Action "allowed"

If #1 or #2 is not matched, go to the next rule and check.

For example, the next rule would be:

1. User in group "allowed_twitter" or "social_media"

2. Application "twitter"

3. Action "allowed"

etc.

Easy, at first sight.

But "how" is not clear to me.

iJake
Contributor

You can't have 10 profiles and apply them to one usergroup within 1 rule, because the traffic matches a rule and the action is applied; it won't go any further down.

 

But to create a single profile with multiple signatures in it, you go to:

 

Security Profile > Application Control > Select/Create Profile > Application Overrides > Add Signatures

 

From there you can select individual signatures for the applications you want to control, though I suspect you already know how to do this.

 

You would have to select all signatures under this one profile and apply this one profile to the relevant usergroup.

......

-Jake

Dave_Hall
Honored Contributor

None of our FortiGates are on 5.2, but reviewing the patch notes for 5.2.0 (pages 13 to 16), they outline the changes to the identity-based firewall policies from 5.0 to 5.2 (indicated below) and then go on to provide examples of how to use this new "Implicit fall-through" feature for user authentication policies.

Haven't checked, but I am going to assume the 5.2 FortiGate Cookbook website (or 5.2 cookbook PDF) will have examples of how to use these "Implicit fall-through" user authentication policies.

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
iJake
Contributor

That's useful information, but I'm not sure that's what the OP wants.

 

From what I read, it sounds like he wants a specific application profile for YouTube, and another for Facebook, then he just wants to add those profiles to the rule relating to the usergroup.

......

-Jake

Dave_Hall
Honored Contributor

vladimir's follow-up post seems to imply the testing of users (in a group) for different categories, in which case the "Implicit fall-through" authentication policies may be what he's after.

 

That said, I am also more used to grouping various app access/blocks in a single application sensor and assigning that to a group in a firewall policy. (I do not know if vladimir is aware that app sensors are executed top-down, so he could easily craft sensors in a particular order.)

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
iJake
Contributor

Yeah, that's top down and it will apply the relevant action to the matched traffic within the application profile.

 

My understanding is that he is referring to the IPv4 policy within 5.2, and he wants multiple rules for one usergroup, with one rule for each application. Something that would complicate management and I don't believe is possible in any case.

But yeah, the screenshot you attached complements the instructions I wrote about (too lazy to make a screenshot :p) and is the way to implement control for multiple applications for 1 usergroup.

......

-Jake

vladimircze
New Contributor III

iJake wrote:
My understanding of it is he is referring to the IPv4 policy within 5.2 - and he wants multiple rules for one usergroup, with one rule for each application.
Yeah, that is exactly what I mean. I would like a rule (if possible) to match all parameters: interfaces, from/to/user/device/group, service, time window and the exact application. If all criteria are matched, apply the defined action. If not matched, go to the next rule.

Easy and granular, isn't it?

A user can be a member of more than one group, as I wrote before. For example: allow_facebook_read and allow_facebook_post.

 

vladimir.

iJake
Contributor
(Accepted solution)

Yes, but unfortunately it doesn't work like this.

For users in multiple groups, it will apply the first relevant rule. The best thing to do where multiple groups for a user exist is to put the preferred rule w/ application control above the others (normally this is a more permissive profile, as it's often the IT department that are in multiple groups).

 

Hope this helps.

......

-Jake

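Added example (not FortiOS code, and not written by anyone in this thread): a small Python model of the two evaluation behaviours the replies rely on. It shows why the "one policy per application" layout from the first post silently blocks traffic for a user who is in more than one group, and why the recommended layout (one policy per user group carrying a single sensor that lists every permitted application, most permissive policy on top) gives the intended result. It also shows the top-down evaluation of entries inside a sensor that Dave_Hall mentions. The group names, application names and the default "pass" for traffic no sensor entry covers are constructed for the example, not taken from the product.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed sample application names; FortiOS identifies signatures by
# numeric ID, which is irrelevant to the ordering behaviour modelled here.
YOUTUBE, TWITTER, FACEBOOK = "YouTube", "Twitter", "Facebook"


@dataclass(frozen=True)
class SensorEntry:
    """One line of an application sensor (application control profile)."""
    applications: FrozenSet[str]   # empty set = "all other applications"
    action: str                    # "pass", "block" or "monitor"

    def matches(self, app: str) -> bool:
        return not self.applications or app in self.applications


@dataclass(frozen=True)
class Sensor:
    """Sensor entries are checked top-down; the first matching entry wins."""
    name: str
    entries: Tuple[SensorEntry, ...]

    def decide(self, app: str) -> str:
        for entry in self.entries:
            if entry.matches(app):
                return entry.action
        return "pass"   # constructed default for traffic no entry covers


@dataclass(frozen=True)
class Policy:
    """Identity-based IPv4 policy reduced to the criteria under discussion."""
    name: str
    groups: FrozenSet[str]           # user must be in at least one of these
    sensor: Optional[Sensor] = None  # None = no application control attached

    def matches(self, user_groups: FrozenSet[str]) -> bool:
        return bool(self.groups & user_groups)


def evaluate(policies: List[Policy], user_groups: FrozenSet[str],
             app: str) -> Tuple[str, str]:
    """Apply the first policy whose group criteria match. The session does NOT
    fall through to a later policy when the attached sensor blocks the app,
    which is the point iJake makes above."""
    for policy in policies:
        if policy.matches(user_groups):
            action = policy.sensor.decide(app) if policy.sensor else "pass"
            return policy.name, action
    return "implicit-deny", "block"


def only(*apps: str) -> Sensor:
    """Sensor that passes the named apps and blocks everything else."""
    return Sensor("only_" + "_".join(a.lower() for a in apps),
                  (SensorEntry(frozenset(apps), "pass"),
                   SensorEntry(frozenset(), "block")))


# Design A: what the thread starter asked for, one policy per application.
PER_APP_POLICIES = [
    Policy("allow-youtube", frozenset({"allowed_youtube", "social_media"}), only(YOUTUBE)),
    Policy("allow-twitter", frozenset({"allowed_twitter", "social_media"}), only(TWITTER)),
]

# Design B: what the replies recommend, one policy per user group with a
# single sensor listing every application that group may use, and the more
# permissive policy placed above the others.
PER_GROUP_POLICIES = [
    Policy("social-media-users", frozenset({"social_media"}), only(YOUTUBE, TWITTER, FACEBOOK)),
    Policy("youtube-users", frozenset({"allowed_youtube"}), only(YOUTUBE)),
]

# Entry order inside a sensor matters just as much: a catch-all block entry
# placed first shadows the pass entry below it.
BLOCK_FIRST = Sensor("block_first", (SensorEntry(frozenset(), "block"),
                                     SensorEntry(frozenset({YOUTUBE}), "pass")))


if __name__ == "__main__":
    social = frozenset({"social_media"})
    both = frozenset({"allowed_youtube", "social_media"})
    print("A, social_media user, Twitter:", evaluate(PER_APP_POLICIES, social, TWITTER))
    print("B, social_media user, Twitter:", evaluate(PER_GROUP_POLICIES, social, TWITTER))
    print("B, both groups, Twitter      :", evaluate(PER_GROUP_POLICIES, both, TWITTER))
    print("B reversed, both groups      :", evaluate(PER_GROUP_POLICIES[::-1], both, TWITTER))
    print("block-first sensor, YouTube  :", BLOCK_FIRST.decide(YOUTUBE))
```

Running the script shows a social_media member's Twitter session landing on the "allow-youtube" policy under design A and being blocked there, because membership matched the first policy and nothing re-evaluates later policies once a sensor has acted. Under design B the same session passes, and reversing the policy order reproduces the multi-group pitfall the accepted answer warns about.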