Hello,
I activated application control on a FGT.
I blocked all of the categories P2P and Proxy to limit VPN access from my network.
But sometimes I see that some access is still working :\
I searched in the logs and found that it was always followed by a google.push (+/- 2 or 3 sec after)
1-Flashget (P2P)
2-Amaze.VPN (Proxy)
3-Google.Push.Notification (General Interest)
Have you ever seen this?
Do you think the track is good?
But why and how does it happen when it is supposed to be blocked?
Hello @Totologie
I see that the logs are from March 24th. Have you applied the block action since then?
Also, check if the app control profile logged is the one you set up to block P2P and proxy. The log shows that it is the default profile. Maybe the traffic is going through a policy that is different from the one you expect. Check the policy ID in the log, then check if the applications are blocked in the app control profile that is on that firewall rule.
Hello,
It's an old screenshot, but the problem still persists.
I know it's not clean, but it is the default profile that has been customized.
I have just 1 policy rule that clients can use to go
When I look, the Policy ID is this one.
It seems that google x2 authentication is bypassing this restriction but I don't understand how :(
When I test p2p or other VPN (nordvpn or other) it's blocked, so restriction seems OK, but I detected this exception
In fact it's not really a problem, but I want to understand :p
@Totologie sometimes we see some packets accepted for connections from applications that should be blocked.
This happens because, fast as it is, stuff doesn't happen at the same time.
First, the firewall checks the 5-tuple information (src IP and ports, dst IP and ports, protocol).
Then, traffic is sent to the ipsengine to check if there are any application signatures. If so, there's a flag change on the session and the traffic goes through the firewall rules again. If the application that was detected should be blocked, traffic is blocked. Maybe that's what happened there.
You can learn more about it here:
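
As an added example (not part of the thread and not Fortinet tooling), the check suggested in the replies can be scripted over exported logs: list app-ctrl entries in the blocked categories that were still passed, with the policy ID and profile they matched and any other application logged from the same source within a few seconds. The log lines are constructed, and the field names assume the FortiOS key=value log format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in FortiOS key=value style (not taken from the thread).
SAMPLE_LOG = '''\
date=2024-03-24 time=10:15:01 type="utm" subtype="app-ctrl" srcip=192.0.2.10 policyid=1 sessionid=5001 applist="default" action="pass" appcat="P2P" app="Flashget"
date=2024-03-24 time=10:15:02 type="utm" subtype="app-ctrl" srcip=192.0.2.10 policyid=1 sessionid=5002 applist="default" action="pass" appcat="Proxy" app="Amaze.VPN"
date=2024-03-24 time=10:15:04 type="utm" subtype="app-ctrl" srcip=192.0.2.10 policyid=1 sessionid=5003 applist="default" action="pass" appcat="General.Interest" app="Google.Push.Notification"
date=2024-03-24 time=10:20:00 type="utm" subtype="app-ctrl" srcip=192.0.2.11 policyid=1 sessionid=5004 applist="default" action="block" appcat="Proxy" app="NordVPN"
'''

BLOCKED_CATEGORIES = {"P2P", "Proxy"}  # categories the profile is meant to block
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare

def parse_line(line):
    """Turn one key=value log line into a dict with a parsed timestamp."""
    rec = {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                  "%Y-%m-%d %H:%M:%S")
    return rec

def passed_blocked_apps(log_text, window_s=5):
    """Report blocked-category apps logged with action=pass, plus what followed."""
    recs = [parse_line(l) for l in log_text.splitlines()
            if 'subtype="app-ctrl"' in l]
    window = timedelta(seconds=window_s)
    findings = []
    for r in recs:
        if r.get("appcat") not in BLOCKED_CATEGORIES or r.get("action") != "pass":
            continue
        # Other applications from the same source shortly after this entry.
        followed = [o["app"] for o in recs
                    if o is not r and o["srcip"] == r["srcip"]
                    and o.get("appcat") not in BLOCKED_CATEGORIES
                    and timedelta(0) <= o["ts"] - r["ts"] <= window]
        findings.append({"app": r["app"], "policyid": r["policyid"],
                         "applist": r["applist"], "sessionid": r["sessionid"],
                         "followed_by": followed})
    return findings

if __name__ == "__main__":
    for f in passed_blocked_apps(SAMPLE_LOG):
        print(f)
```

The policy ID and profile name in each finding show whether the passed traffic matched the rule and profile that were expected to block it.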