Totologie
New Contributor

Application Control - The applications are blocked and yet it works

Hello,

 

I activated application control on a FGT.

I lock all categories: P2P and Proxy, to limit VPN access from my network.

But sometimes I see that some access is still working :\

[Image: 8.png]

I searched in the logs and found that it was always followed by a google.push (+/- 2 or 3 sec after)

1-Flashget (P2P)
2-Amaze.VPN (Proxy)
3-Google.Push.Notification (General Interest)

Have you ever seen this?
Do you think the track is good?
But why and how does it happen when it is supposed to be blocked?

 

AB
tio3udes
New Contributor III

Hello @Totologie 

 

I see that the logs are from March 24th. Have you applied the block action then?

Also, check if the app control profile logged is the one you set up to block P2P and proxy. The log shows that it is the default profile. Maybe the traffic is going through a policy that is different from the one you expect. Check the policy ID in the log, then check if the applications are blocked in the app control profile that is on that firewall rule.

ti03udes
Totologie

Hello,

 

It's an old screenshot, but the problem still persists.
I know it's not clean, but it is the default profile that has been customized.

I have just 1 policy rule that clients can use to go

[Image: Capture d’écran 2022-04-22 à 18.58.01.png]

When I look, the Policy ID is this one.

It seems that Google x2 authentication is bypassing this restriction, but I don't understand how :(

When I test P2P or other VPN (NordVPN or other) it's blocked, so the restriction seems OK, but I detected this exception.

In fact it's not really a problem, but I want to understand :p

AB
tio3udes
New Contributor III

@Totologie sometimes we see some packets accepted for connections from applications that should be blocked.

This happens because, fast as it is, stuff doesn't happen at the same time.

First, the firewall checks the 5-tuple information (src IP and ports, dst IP and ports, protocol).

Then, traffic is sent to the IPS engine to check if there are any application signatures. If so, there's a flag change on the session and the traffic goes through the firewall rules again. If the application that was detected should be blocked, traffic is blocked. Maybe that's what happened there.

 

You can learn more about it here:

 

https://docs.fortinet.com/document/fortigate/6.4.0/parallel-path-processing-life-of-a-packet/86811/p...

ti03udes
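
The check suggested in the first reply (confirm which policy ID and application control profile the passed entries were logged under), as an added example that is not part of the original thread. It assumes logs exported in FortiGate's key=value text format with the fields `subtype`, `policyid`, `applist`, `appcat`, `app` and `action`; the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in FortiGate key=value log style (not taken from the thread).
SAMPLE_LOGS = """\
date=2022-04-22 time=18:40:01 type="utm" subtype="app-ctrl" srcip=10.0.0.15 policyid=1 applist="default" action="pass" appcat="P2P" app="Flashget"
date=2022-04-22 time=18:40:02 type="utm" subtype="app-ctrl" srcip=10.0.0.15 policyid=1 applist="default" action="pass" appcat="Proxy" app="Amaze.VPN"
date=2022-04-22 time=18:40:04 type="utm" subtype="app-ctrl" srcip=10.0.0.15 policyid=1 applist="default" action="pass" appcat="General.Interest" app="Google.Push.Notification"
date=2022-04-22 time=18:41:10 type="utm" subtype="app-ctrl" srcip=10.0.0.15 policyid=1 applist="default" action="block" appcat="P2P" app="Flashget"
date=2022-04-22 time=18:41:11 type="traffic" subtype="forward" srcip=10.0.0.15 policyid=1 action="close"
"""

BLOCKED_CATEGORIES = {"P2P", "Proxy"}  # categories the profile is meant to block
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare


def parse_line(line):
    """Turn one key=value log line into a dict, dropping the quotes."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


def find_passed(log_text, blocked=BLOCKED_CATEGORIES):
    """Return app-ctrl records in a blocked category that were logged as pass."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("subtype") != "app-ctrl":
            continue  # skip traffic and other log types
        if rec.get("appcat") in blocked and rec.get("action") == "pass":
            hits.append(rec)
    return hits


def summarize(hits):
    """Count passed hits per (policyid, applist, app)."""
    return dict(Counter((r.get("policyid"), r.get("applist"), r.get("app")) for r in hits))


if __name__ == "__main__":
    for (policy, profile, app), n in summarize(find_passed(SAMPLE_LOGS)).items():
        print(f"policy={policy} profile={profile} app={app} passed={n}")
```

If the summary shows a policy ID or profile name other than the one that was edited, the traffic is matching a different rule than expected.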