Hi,
I have configured an Application Control profile and applied on a firewall policy. The application control profile have "block applications detected on non-default ports" enabled. However, when I run Telnet on other ports than 23 the traffic is allowed and it's also detected as application Telnet according to the logs on FortiGate.
I have verified that the traffic is hitting the correct firewall policy.
I am running FortiOS 7.4.5.
Please see my configuration on attached pictures.
What am I doing wrong? Shouldn't this traffic be blocked?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi darre,
Application Filter>>You have create with Telnet with Action Monitor, and this Telnet is relate Remote access category.
If you set action as Monitor, it will by pass traffic from the FGT, it will not block.
Only, if set action as block, then it will deny the traffic from the FGT.
I am not trying to block the entire application, I want to block applications running on non-default port. In this case, Telnet default port is TCP/23 and should be blocked when running on TCP/3005.
This configuration should block non-default ports even for applications that are set to monitor/allow.
On the Telnet Application signature it says default port is TCP/23, FortiGate clearly detects this application as Telnet(see log picture attached earlier) and the port is TCP/3005 so I don't understand why traffic is allowed.
Thank you.
How many packets do you pass through, and with what content? (check a pcap)
Telnet can sometimes be tricky to properly identify, given that it can be as little as "just some plaintext sent back and forth". (e.g. recall that you can use telnet client to manually emulate a HTTP client sending a GET request to a browser)
I had the same issue with Telnet testing over port 443 - Traffic explictly identified application telnet and some times as "Web Browser" - and none of them were blocked.
Did you find any answer about this topic?
Telnet is potentially extremely generic. Depending on the exact implementation, it may just generate a TCP handshake, with no data unless you start typing something in. And if you do, the detection will depend on what exactly you're pushing through the session.
This will absolutely need an analysis of a pcap of the traffic session.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.