Application Policy Blocking
Hello,
we're in the process of planning/implementing application policies and having a hard time understanding matching criteria and how a profile entry behaves with an application policy defined.
Looking at a profile based policy and using DNS as an example, I could create an app policy with the block action set for DNS related application signatures and associate that to the LAN -> WAN policy entry which would then block devices in the LAN zone from reaching DNS servers in the public cloud.
What I don't understand is what happens when you need to apply multiple policies. Say I need to block the entire LAN zone from using public DNS but then wanted to block TeamViewer for a specific network inside the LAN zone. The traffic would process down the list and match the first profile entry (let's say that's the TeamViewer blocking entry) carrying a DNS payload; that policy isn't going to match the application and would then allow the traffic out to the internet, and it wouldn't even proceed to that second policy entry, so DNS wouldn't be blocked, right?
Assuming that's correct, is switching from profile-based to policy-based the only way to factor application into the matching criteria so we could run sequential application-based rules? We've been avoiding policy-based firewall mode due to feedback we've received both from Fortinet support and some other people we've spoken with across the industry, so I wanted to open this thread and see if there's something simple we're missing.
Labels:
- Application control
- FortiGate
Hello HANDL_Eric,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Hi @HANDL_Eric ,
The understanding is correct. The firewall will match the 5-tuple entry and then look at the UTM part of the policy. Having said that, you could have multiple application signatures within one profile.
For instance, if you have the TeamViewer policy at the top (as it is a specific network), you could add the DNS block to the same profile as well. That way, all the LAN users in that specific network will be blocked from both TeamViewer and DNS using the same policy. And then you can configure the DNS block policy for the wider LAN users.
Does this solution work for you using the profile based policies?
Manoj Papisetty
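To make the first-match behaviour from the question and the fix from the answer concrete, here is a small model of profile-based policy evaluation. It is an added illustration written for this thread, not Fortinet code and not the forum members' configuration: zone names `LAN`/`WAN`, the subnet `10.10.5.0/24`, the policy names and the signature names are constructed, and destination address and service matching are simplified to "all". It shows why DNS from the specific network is accepted when the top policy's profile only blocks TeamViewer, and how adding DNS to that same profile closes the gap.

```python
"""Model of FortiGate profile-based policy evaluation (illustration only, not
Fortinet code). First policy whose tuple matches wins; only that policy's
application-control profile is consulted. All names and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    app: str  # application signature identified by inspection, e.g. "DNS"


@dataclass(frozen=True)
class Policy:
    name: str
    src_zone: str
    dst_zone: str
    src_net: str            # "0.0.0.0/0" means any source address
    blocked_apps: frozenset  # signatures set to "block" in the attached profile

    def matches_tuple(self, f: Flow) -> bool:
        # Destination address and service are treated as "all" for brevity.
        return (self.src_zone == f.src_zone
                and self.dst_zone == f.dst_zone
                and ip_address(f.src_ip) in ip_network(self.src_net))


def evaluate(policies, flow):
    """Profile-based evaluation: the first policy whose tuple matches is the
    only one consulted; its application-control profile then decides.
    Returns (policy_name, verdict)."""
    for p in policies:
        if p.matches_tuple(flow):
            if flow.app in p.blocked_apps:
                return p.name, "blocked-by-app-control"
            return p.name, "accept"
    return "implicit-deny", "deny"


SPECIFIC_NET = "10.10.5.0/24"  # constructed: the network that must lose TeamViewer


def original_policies():
    """Order from the question: TeamViewer block for the specific network on top,
    LAN-wide DNS block below. DNS from the specific network never reaches policy 2."""
    return [
        Policy("block-teamviewer-net5", "LAN", "WAN", SPECIFIC_NET, frozenset({"TeamViewer"})),
        Policy("block-public-dns-lan", "LAN", "WAN", "0.0.0.0/0", frozenset({"DNS"})),
    ]


def fixed_policies():
    """Order from the answer: the top policy's profile blocks both signatures,
    so the specific network loses TeamViewer and DNS in one policy."""
    return [
        Policy("block-teamviewer-net5", "LAN", "WAN", SPECIFIC_NET, frozenset({"TeamViewer", "DNS"})),
        Policy("block-public-dns-lan", "LAN", "WAN", "0.0.0.0/0", frozenset({"DNS"})),
    ]


if __name__ == "__main__":
    dns_from_net5 = Flow("LAN", "WAN", "10.10.5.25", "DNS")
    for label, table in (("original", original_policies()), ("fixed", fixed_policies())):
        print(label, evaluate(table, dns_from_net5))
```

Running the block prints the verdict for a DNS flow from the specific network under both tables; the gap in the original ordering shows up as an `accept` from the TeamViewer policy, which is exactly the case the question describes.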
Sort of, but in our environment we always keep policy entries 1:1 (per flow) which wouldn't work here since the traffic would be dropped as no-match on the first WAN policy entry and never be passed down to the 2nd.