I've tried to create an application control security profile for the DNS requests of our DNS Server, so that only application data of the type DNS (and ICMP/Ping) is allowed. The app profile looks like this:
When I did that, I saw in the logs that Google Translate was getting blocked. Here the log of the blocked connection attempt:
date=2023-08-30 time=10:34:34 id=7273030939687518227 itime="2023-08-30 10:34:35" euid=3 epid=101 dsteuid=3 dstepid=101 logver=700120523 type="utm" subtype="app-ctrl" level="warning" action="block" sessionid=369741986 policyid=546 srcip=*.*.*.* dstip=*.*.*.* srcport=63371 dstport=53 proto=17 logid=1059028705 service="DNS" eventtime=1693384475533113261 incidentserialno=81095000 direction="outgoing" apprisk="elevated" appid=24473 srcintfrole="lan" dstintfrole="wan" applist="app-dns" appcat="General.Interest" app="Google.Translate" eventtype="signature" srcintf="****" dstintf="****" msg="General.Interest: Google.Translate" tz="+0200" policytype="policy" srccountry="Reserved" dstcountry="****" poluuid="f2a4f656-3c3f-51ee-cc20-238d646cc18d" devid="****" vd="root" dtime="2023-08-30 10:34:34" itime_t=1693384475 devname="****"
I need help understanding why it behaves like that? I was under the impression that this configuration would only allow DNS requests, but not really look at the application that makes the request. These requests were also made by accessing Google Translate with the browser.
I've now added the applications that need DNS in the signatures, but still I don't get how this works. Can someone give me some insights?
Thanks.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Various apps have various signatures attached to them to help with detections. With Google.Translate it just so happens that one of the signatures works with DNS queries for Google Translate's FQDN. So while it looks strange ("Why is basic UDP/53 DNS traffic flagged as Google Translate?" is a perfectly valid question), in this specific case the result is expected.
Various apps have various signatures attached to them to help with detections. With Google.Translate it just so happens that one of the signatures works with DNS queries for Google Translate's FQDN. So while it looks strange ("Why is basic UDP/53 DNS traffic flagged as Google Translate?" is a perfectly valid question), in this specific case the result is expected.
Thank you for your reply. I've filtered the applications by protocol where DNS is used and added them to the allowed applications (some examples are Yahoo.Mail, Google.Hangouts and others). Is this enough or do other applications behave like Google Translate?
Well, everything that talks to a server with an FQDN will need to use DNS (a bit of a cheeky answer :)), but unfortunately I don't think there is a list of all application signatures that also include DNS traffic matching. I'm afraid you will need to add exceptions on a case-by-case basis.
Haha alright thank you. I'll observe if I see blocked requests in the logs and will update the profile on a case by case basis :)
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.