Support Forum
darre
New Contributor

App ctrl - Block applications detected on non-default ports

Hi,

I have configured an Application Control profile and applied it to a firewall policy. The application control profile has "block applications detected on non-default ports" enabled. However, when I run Telnet on ports other than 23, the traffic is allowed, and it is also detected as the application Telnet according to the logs on the FortiGate.
I have verified that the traffic is hitting the correct firewall policy.

I am running FortiOS 7.4.5.

Please see my configuration in the attached pictures.
What am I doing wrong? Shouldn't this traffic be blocked?

kmohan
Staff

Hi darre,

Application Filter >> You have created a filter for Telnet with the action Monitor, and Telnet belongs to the Remote Access category.

If you set the action to Monitor, the FGT will pass the traffic; it will not block it.

Only if you set the action to Block will the FGT deny the traffic.

Karthick
darre
New Contributor

I am not trying to block the entire application; I want to block applications running on non-default ports. In this case, the Telnet default port is TCP/23, and it should be blocked when running on TCP/3005.

This configuration should block non-default ports even for applications that are set to monitor/allow.


On the Telnet application signature it says the default port is TCP/23. The FortiGate clearly detects this application as Telnet (see the log picture attached earlier), and the port is TCP/3005, so I don't understand why the traffic is allowed.

Thank you.
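As an added triage example (not code from the thread or from Fortinet): a small Python checker that reads FortiGate app-ctrl log lines and lists sessions where an application was detected on a port other than its signature default yet the action was not block, which is the symptom described above. The field names (subtype, app, dstport, action, sessionid) follow the FortiGate key=value log layout; the sample lines and the default-port table are constructed for this example, with only the Telnet TCP/23 entry taken from the thread.

```python
import re

# Default port(s) per application, as shown on the FortiGate signature.
# Telnet TCP/23 comes from the thread; the rest of the table is an assumption
# you would fill in from the signature database.
DEFAULT_PORTS = {"Telnet": {23}, "SSH": {22}}

# FortiGate logs are space-separated key=value pairs; values may be quoted.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortigate_log(line):
    """Return the key=value fields of one log line as a dict of strings."""
    return {key: quoted if unquoted == "" else unquoted
            for key, quoted, unquoted in KV.findall(line)}

def non_default_port_passes(lines):
    """Return app-ctrl events where the detected application ran on a port
    other than its default and the verdict was not 'block' (e.g. Telnet on
    TCP/3005 logged with action pass)."""
    hits = []
    for line in lines:
        f = parse_fortigate_log(line)
        if f.get("subtype") != "app-ctrl":
            continue  # traffic/event logs carry no app-ctrl verdict
        app, port = f.get("app"), int(f.get("dstport", 0))
        if app in DEFAULT_PORTS and port not in DEFAULT_PORTS[app] \
                and f.get("action") != "block":
            hits.append({"sessionid": f.get("sessionid"), "app": app,
                         "dstport": port, "action": f.get("action")})
    return hits

# Constructed sample lines (not real FortiGate output); values are invented.
SAMPLE_LOGS = [
    'date=2024-09-01 time=10:00:01 type="utm" subtype="app-ctrl" srcip=10.0.0.5 '
    'dstip=10.0.1.9 srcport=51234 dstport=3005 proto=6 sessionid=1001 '
    'appcat="Remote.Access" app="Telnet" action="pass"',
    'date=2024-09-01 time=10:00:05 type="utm" subtype="app-ctrl" srcip=10.0.0.5 '
    'dstip=10.0.1.9 srcport=51240 dstport=23 proto=6 sessionid=1002 '
    'appcat="Remote.Access" app="Telnet" action="pass"',
    'date=2024-09-01 time=10:00:09 type="utm" subtype="app-ctrl" srcip=10.0.0.5 '
    'dstip=10.0.1.9 srcport=51250 dstport=443 proto=6 sessionid=1003 '
    'appcat="Remote.Access" app="Telnet" action="block"',
    'date=2024-09-01 time=10:00:12 type="traffic" subtype="forward" srcip=10.0.0.5 '
    'dstip=10.0.1.9 dstport=3005 proto=6 sessionid=1001 app="Telnet" action="accept"',
]

if __name__ == "__main__":
    for hit in non_default_port_passes(SAMPLE_LOGS):
        print(hit)
```

A session that shows up here with the profile's non-default-port option enabled is the one to capture and compare against the signature, since detection only happens once enough payload has been seen.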

pminarik

How many packets do you pass through, and with what content? (check a pcap)

Telnet can sometimes be tricky to properly identify, given that it can be as little as "just some plaintext sent back and forth". (e.g. recall that you can use a telnet client to manually emulate an HTTP client sending a GET request to a browser)

[ corrections always welcome ]
VictorSB
New Contributor

I had the same issue with Telnet testing over port 443. The traffic was explicitly identified as the application Telnet, and sometimes as "Web Browser", and neither of them was blocked.

Did you find any answer about this topic?

pminarik

Telnet is potentially extremely generic. Depending on the exact implementation, it may just generate a TCP handshake, with no data unless you start typing something in. And if you do, the detection will depend on what exactly you're pushing through the session.

This will absolutely need an analysis of a pcap of the traffic session.

[ corrections always welcome ]