Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
darre
New Contributor

Created on ‎10-03-2024 12:18 AM

App ctrl - Block applications detected on non-default ports

Hi,

I have configured an Application Control profile and applied on a firewall policy. The application control profile have "block applications detected on non-default ports" enabled. However, when I run Telnet on other ports than 23 the traffic is allowed and it's also detected as application Telnet according to the logs on FortiGate.
I have verified that the traffic is hitting the correct firewall policy.

I am running FortiOS 7.4.5.

Please see my configuration on attached pictures.
What am I doing wrong? Shouldn't this traffic be blocked?

image.pngimage.pngimage.png



Labels:
631
0 Kudos
6 REPLIES 6
kmohan
Staff
Staff

Created on ‎10-03-2024 12:48 AM

Hi darre,

Application Filter>>You have create with Telnet with Action Monitor, and this Telnet is relate Remote access category.

If you set action as Monitor, it will by pass traffic from the FGT, it will not block.

 

Only, if set action as block, then it will deny the traffic from the FGT.

Karthick
618
0 Kudos
darre
New Contributor
In response to kmohan

Created on ‎10-03-2024 01:18 AM

I am not trying to block the entire application, I want to block applications running on non-default port. In this case, Telnet default port is TCP/23 and should be blocked when running on TCP/3005. 

This configuration should block non-default ports even for applications that are set to monitor/allow. 

dds.png

On the Telnet Application signature it says default port is TCP/23, FortiGate clearly detects this application as Telnet(see log picture attached earlier) and the port is TCP/3005 so I don't understand why traffic is allowed.

Thank you.

591
0 Kudos
pminarik
Staff
Staff
In response to darre

Created on ‎10-03-2024 02:44 AM

How many packets do you pass through, and with what content? (check a pcap)

Telnet can sometimes be tricky to properly identify, given that it can be as little as "just some plaintext sent back and forth". (e.g. recall that you can use telnet client to manually emulate a HTTP client sending a GET request to a browser)

[ corrections always welcome ]
562
0 Kudos
VictorSB
New Contributor

Created on ‎11-13-2024 12:12 PM

I had the same issue with Telnet testing over port 443 - Traffic explictly identified application telnet and some times as "Web Browser" - and none of them were blocked.

 

Did you find any answer about this topic?

113
0 Kudos
pminarik
Staff
Staff
In response to VictorSB

Created on ‎11-14-2024 09:14 AM

Telnet is potentially extremely generic. Depending on the exact implementation, it may just generate a TCP handshake, with no data unless you start typing something in. And if you do, the detection will depend on what exactly you're pushing through the session.

 

This will absolutely need an analysis of a pcap of the traffic session.

[ corrections always welcome ]
86
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.