Robin_Svanberg
Contributor

other-application-log ?

Anyone who knows what the option other-application-log does?
"other-application-log Enable/disable logging of other applications"
Can't find any documentation regarding it in the CLI reference, and the help text in the CLI doesn't say that much. What are "other applications"? :)
Robin Svanberg Network Consultant @ Ethersec AB in Östersund, Sweden
robin.svanberg@ethersec.se

hmtay_FTNT
Staff

Hello Robin,
Think of it like an "else" in an "if-else" statement. For example:
    edit "MicrosoftAppsAllowedOut"
        set other-application-log enable
        config entries
            edit 1
                set application 5771 23094 32003
                set action pass
                set log disable
            next
            edit 2
                set category 2 3 5 6 7 8 12 15 17 19 22 23 25 28 29 30 31
            next
            edit 3
                set category 21
                set action pass
                set log disable
            next
        end
    next
The entries in "config entries" are explicitly set to certain actions. Usually they cover only specific applications or categories that a user would like to have blocked or allowed. The rest of the signatures not specified in "config entries" take the value of "other-application-action" and "other-application-log". By default, "other-application-action" and "other-application-log" are set to pass and enable in FortiOS 5.4 and 5.6.
Does that answer your question? Thanks!

HoMing

tanr
Valued Contributor II

@HoMing,
The documentation says other-application-action can be either block or pass. Just to confirm, pass means the app will be allowed through; it does not mean fall through to the next matching security policy rule? Or is there some way to do that? Thanks.

hmtay_FTNT

Let's say you set only Facebook_Chat to Block and other-application-action to pass. When the Fortigate first sees a Facebook handshake session, Facebook would be selected and set to pass. The Fortigate will continue scanning the packets until it sees a Facebook Chat packet and then it will drop the session under Facebook_Chat.
Setting other-application-action to pass does not mean on the first match, if the action is pass, the engine stops scanning it. If in the first packet, Facebook triggered and is set to pass, another rule can trigger on the same session later and drop the session if the signature is set to Block.
Does this answer your question?
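To make the two points in this thread concrete (entries in "config entries" are the explicit cases and "other-application-action"/"other-application-log" are the "else", and a pass verdict does not stop the engine from inspecting later packets of the same session), here is a small Python simulation. It is an added example written for this page, not FortiOS code or anything posted by the participants. The signature IDs 5771, 23094 and 32003 and the category numbers come from the posted profile; the signature names, the categories assigned to them, the two Facebook IDs, and the assumed defaults for entry 2 (block, log enable, which the posted entry omits) are constructed placeholders.

```python
"""Simulation of the application-control decision order described in the thread.

Constructed example, not FortiOS code. Signature IDs 5771/23094/32003 and the
category numbers are taken from the posted profile; everything else is a placeholder.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    app_id: int
    name: str
    category: int


@dataclass
class Entry:
    """One 'edit N' block under 'config entries'."""
    name: str
    applications: frozenset = frozenset()   # 'set application ...'
    categories: frozenset = frozenset()     # 'set category ...'
    action: str = "block"                   # assumed when 'set action' is omitted (placeholder default)
    log: bool = True                        # assumed when 'set log' is omitted (placeholder default)


@dataclass
class Profile:
    entries: List[Entry]
    other_application_action: str = "pass"  # 5.4/5.6 defaults as stated in the reply
    other_application_log: bool = True


@dataclass(frozen=True)
class Decision:
    action: str
    log: bool
    source: str   # the entry that matched, or 'other-application' for the "else" case


def classify(profile: Profile, sig: Signature) -> Decision:
    """First matching entry wins; a signature no entry covers gets the other-application-* values."""
    for entry in profile.entries:
        if sig.app_id in entry.applications or sig.category in entry.categories:
            return Decision(entry.action, entry.log, entry.name)
    return Decision(profile.other_application_action, profile.other_application_log, "other-application")


def scan_session(profile: Profile, packets: List[Optional[Signature]]) -> Tuple[str, Optional[int], List[str]]:
    """Inspect a session packet by packet.

    A 'pass' verdict does not end inspection; the first 'block' drops the session.
    Returns (verdict, index of the packet that caused the drop or None, log lines).
    """
    logs: List[str] = []
    for i, sig in enumerate(packets):
        if sig is None:            # packet did not trigger any signature
            continue
        d = classify(profile, sig)
        if d.log:
            logs.append(f"pkt={i} app={sig.name} action={d.action} via={d.source}")
        if d.action == "block":
            return "dropped", i, logs
    return "passed", None, logs


# Constructed signature table: names, categories and the 4xxxx IDs are placeholders.
SIGS: Dict[str, Signature] = {
    "MS.App.A": Signature(5771, "MS.App.A", 16),
    "Cat3.App": Signature(40002, "Cat3.App", 3),
    "Cat21.App": Signature(40003, "Cat21.App", 21),
    "Web.Unlisted": Signature(40001, "Web.Unlisted", 99),  # no entry covers category 99
    "Facebook": Signature(40010, "Facebook", 2),
    "Facebook_Chat": Signature(40011, "Facebook_Chat", 2),
}

# The profile posted in the reply (entry 2 omits action/log; block + log assumed here).
MS_APPS_ALLOWED_OUT = Profile(
    entries=[
        Entry("entry 1", applications=frozenset({5771, 23094, 32003}), action="pass", log=False),
        Entry("entry 2", categories=frozenset({2, 3, 5, 6, 7, 8, 12, 15, 17, 19, 22, 23, 25, 28, 29, 30, 31})),
        Entry("entry 3", categories=frozenset({21}), action="pass", log=False),
    ],
    other_application_action="pass",
    other_application_log=True,
)

# The second scenario from the reply: only Facebook_Chat is blocked, everything else passes.
CHAT_ONLY = Profile(entries=[Entry("entry 1", applications=frozenset({40011}), action="block", log=True)])

if __name__ == "__main__":
    print(classify(MS_APPS_ALLOWED_OUT, SIGS["Web.Unlisted"]))
    print(scan_session(CHAT_ONLY, [SIGS["Facebook"], SIGS["Facebook"], SIGS["Facebook_Chat"]]))
```

Running it shows the unlisted category falling to the other-application-* values (pass, logged because other-application-log is enabled), and the Facebook session passing on its first packets yet being dropped as soon as a Facebook_Chat packet appears, which is the behaviour the reply describes.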