pmh
New Contributor III

End sessions based on application

Hi there, 

 

We are struggling with a high amount of outgoing sessions on one of our sites. We have discovered that filtering the sessions in FortiView Sessions and ending them all more or less fixes our problem.

[attached screenshot: forti-sessions-end.PNG]

 

We are actively blocking iCloud (and the other sessions we need to end) under Application Control, but they still pop up here and are apparently causing problems for our ISP, who cannot handle all these sessions as we are on a very low bandwidth connection.

 

First question: Why isn't our Application Control policy stopping these sessions, and is it possible to do what I am doing here (filter by application and end all sessions) via the CLI?

 

-PM

Anthony_E
Community Manager

Hello PM,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello PM,

We are still looking for someone to help you.

We will come back to you ASAP.


Regards,

Anthony-Fortinet Community Team.
gfleming
Staff

That looks like a single device causing all of those connections. Are you sure it's not a faulty device? Have you tried disconnecting the device from your network and seeing if the connections stop?

Cheers,
Graham
pmh
New Contributor III

Hi Graham, 

 

The list goes on and on with additional devices (Apple iPhones), so it's not just one device.

 

What I have done is create a firewall rule that blocks all iCloud IPs, and we have informed all users at the location to disable automatic iCloud uploads. That is working well, but my question remains: why aren't these sessions blocked by our Application Control policy, which is set to block the application iCloud, and since this is clearly possible to do in the GUI, can it be done in the CLI?

gfleming

Some Application Control signatures require SSL Deep Inspection (they will have a padlock icon next to them in the signatures list). This could be why.

 

More importantly though I think you need to understand why your Apple devices seemingly aren't able to connect properly to iCloud. They seem to initiate a connection/session and that fails for some reason and then they initiate a new connection/session which fails again and continues to do so creating lots of open/half-open sessions. Each session only has 2-4 packets which tells me there's something going on at the TCP layer.

 

Can you do a packet capture and see what it shows?

Cheers,
Graham
Sam_FTNT
Staff

The simplest way to end the sessions you see is to shift-select them all and then click End Session. End All Sessions will terminate all sessions regardless of the list (or so it seems).

 

If you want to block Apple, I would recommend trying to block it using the ISDB. This will block the sessions at L3/L4 before they egress to your ISP.

 

config firewall policy
    edit 0
        set status disable
        set name "Block All Apple Internet Services"
        set uuid 035a9918-d5a9-51ed-9d57-ff6308a71c81
        set srcintf "LAN"
        set dstintf "WAN"
        set action accept
        set srcaddr "all"
        set internet-service enable
        set internet-service-name "Apple-APNs" "Apple-App.Store" "Apple-DNS" "Apple-FTP" "Apple-ICMP" "Apple-Inbound_Email" "Apple-LDAP" "Apple-NetBIOS.Name.Service" "Apple-NetBIOS.Session.Service" "Apple-NTP" "Apple-Other" "Apple-Outbound_Email" "Apple-RTMP" "Apple-SSH" "Apple-Web"
        set schedule "always"
        set nat enable
    next
end

NSE8#3306
pmh
New Contributor III


@Sam_FTNT wrote:

The simplest way to end the sessions you see is to shift-select them all and then click End Session. End All Sessions will terminate all sessions regardless of the list (or so it seems).

 

Yes, I agree with that, and this is what I explained that I did in my initial post, but the question was whether this could be done from the CLI, and why my application policy that is set to block the iCloud service is not stopping it before it tries to access the internet.

 

 

 

If you want to block Apple, I would recommend trying to block it using the ISDB. This will block the sessions at L3/L4 before they egress to your ISP.

 

config firewall policy
    edit 0
        set status disable
        set name "Block All Apple Internet Services"
        set uuid 035a9918-d5a9-51ed-9d57-ff6308a71c81
        set srcintf "LAN"
        set dstintf "WAN"
        set action accept
        set srcaddr "all"
        set internet-service enable
        set internet-service-name "Apple-APNs" "Apple-App.Store" "Apple-DNS" "Apple-FTP" "Apple-ICMP" "Apple-Inbound_Email" "Apple-LDAP" "Apple-NetBIOS.Name.Service" "Apple-NetBIOS.Session.Service" "Apple-NTP" "Apple-Other" "Apple-Outbound_Email" "Apple-RTMP" "Apple-SSH" "Apple-Web"
        set schedule "always"
        set nat enable
    next
end


I do not wish to stop all Apple services, just the iCloud sessions that for some reason are killing the network at these locations, and I have been able to do so by isolating all iCloud IP addresses and blocking them in a firewall policy rule.

 

If there were an internet-service just for the iCloud service, your above suggestion would work fine (except that you are allowing it in your rule), but there is no internet-service that only includes iCloud as far as I can tell.

 

-PM

Sam_FTNT

Apologies, yes, you can clear sessions with the CLI and create filters to clear much more precisely; https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-filters-to-clear-sessions-on-a-Forti...

 

If you do not specify a filter, diag sys session clear will clear all sessions.

There doesn't seem to be an isolated category for iCloud in the ISDB. I will reach out to the ISDB team to see what can be done.

Thanks for your patience.

NSE8#3306
pmh
New Contributor III

Hi, 

 

Yes, I know that I can clear sessions in the CLI, but I cannot see how I can clear sessions based on "application" as I can in the GUI. The only way I can see would then be to isolate all the IP addresses from the GUI and use them in my filter. Not an optimal solution, IMO.
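Two loose ends in this thread can be tied together in one script: PM's unanswered question (the session filter in the CLI has no "application" key, so clearing by application means first isolating the destination addresses), and Graham's observation that sessions of only 2-4 packets are failed connection attempts rather than transfers. The script below is an added example, not code from the thread or from Fortinet. It reads `diagnose sys session list` output, whose records carry an `app=` field with the numeric Application Control signature ID, picks the sessions for one app, flags the ones that never got past a handful of packets, and emits the `diagnose sys session filter ...` / `diagnose sys session clear` sequence for each distinct destination. The session records are constructed and trimmed to the lines the parser reads, and ICLOUD_APP_ID is a placeholder (look the real ID up in the Application Control signature list); the `diagnose sys session filter proto|dst|dport|clear`, `diagnose sys session list` and `diagnose sys session clear` commands are standard FortiOS commands.

```python
"""Clear FortiGate sessions by application ID, driven by 'diagnose sys session list'.

Added example, not from the thread or Fortinet. Sample records are constructed and
trimmed to the lines read here; ICLOUD_APP_ID is a placeholder (assumed).
"""
import re
from dataclasses import dataclass

ICLOUD_APP_ID = 40568  # placeholder app ID, assumed for the example

# Constructed sample: three stuck iCloud attempts (two destinations) and one healthy
# session for another app. proto_state 02/03 = TCP SYN sent / SYN received.
SAMPLE_SESSION_LIST = """\
session info: proto=6 proto_state=02 duration=4 expire=2 timeout=3600 use=3
statistic(bytes/packets/allow_err): org=180/3/1 reply=0/0/0 tuples=2
hook=post dir=org act=snat 10.10.1.21:52011->17.248.144.10:443(203.0.113.2:52011)
serial=0001a2b3 tos=ff/ff app_list=2000 app=40568 url_cat=0

session info: proto=6 proto_state=02 duration=2 expire=3 timeout=3600 use=3
statistic(bytes/packets/allow_err): org=120/2/1 reply=0/0/0 tuples=2
hook=post dir=org act=snat 10.10.1.34:49877->17.248.144.10:443(203.0.113.2:49877)
serial=0001a2b4 tos=ff/ff app_list=2000 app=40568 url_cat=0

session info: proto=6 proto_state=03 duration=3 expire=2 timeout=3600 use=3
statistic(bytes/packets/allow_err): org=120/2/1 reply=60/1/1 tuples=2
hook=post dir=org act=snat 10.10.1.34:49901->17.248.150.22:443(203.0.113.2:49901)
serial=0001a2b5 tos=ff/ff app_list=2000 app=40568 url_cat=0

session info: proto=6 proto_state=01 duration=120 expire=3480 timeout=3600 use=3
statistic(bytes/packets/allow_err): org=48210/61/1 reply=912400/690/1 tuples=2
hook=post dir=org act=snat 10.10.1.21:52100->93.184.216.34:443(203.0.113.2:52100)
serial=0001a2b6 tos=ff/ff app_list=2000 app=15832 url_cat=0
total session 4
"""

_FIELD = re.compile(r"\b(proto|proto_state|duration|app)=(\w+)")
_STAT = re.compile(r"org=\d+/(\d+)/\d+ reply=\d+/(\d+)/\d+")
_ORG = re.compile(r"dir=org act=\w+ (\d+\.\d+\.\d+\.\d+):(\d+)->(\d+\.\d+\.\d+\.\d+):(\d+)")


@dataclass(frozen=True)
class Session:
    proto: int
    proto_state: str
    duration: int
    src: str
    sport: int
    dst: str
    dport: int
    app: int
    org_pkts: int
    reply_pkts: int

    @property
    def packets(self) -> int:
        return self.org_pkts + self.reply_pkts


def parse_session_list(text: str) -> list:
    """One Session per 'session info:' record; records missing the needed lines are skipped."""
    sessions = []
    for block in re.split(r"(?m)^session info:", text)[1:]:
        fields = dict(_FIELD.findall(block))
        stat, org = _STAT.search(block), _ORG.search(block)
        if not (stat and org):
            continue
        sessions.append(Session(
            proto=int(fields.get("proto", 0)), proto_state=fields.get("proto_state", ""),
            duration=int(fields.get("duration", 0)),
            src=org.group(1), sport=int(org.group(2)), dst=org.group(3), dport=int(org.group(4)),
            app=int(fields.get("app", 0)),
            org_pkts=int(stat.group(1)), reply_pkts=int(stat.group(2)),
        ))
    return sessions


def by_app(sessions, app_id: int) -> list:
    """The 'application' filter the GUI offers and the CLI session filter lacks."""
    return [s for s in sessions if s.app == app_id]


def failed_handshakes(sessions, max_packets: int = 4) -> list:
    """Graham's heuristic: a few packets in total means the connection never got going."""
    return [s for s in sessions if s.packets <= max_packets]


def clear_commands(sessions) -> list:
    """One filter/list/clear cycle per (proto, dst, dport). The filter is reset before each
    cycle because 'diagnose sys session clear' with no filter drops every session."""
    if not sessions:
        return []  # never emit a bare clear
    cmds = []
    for proto, dst, dport in sorted({(s.proto, s.dst, s.dport) for s in sessions}):
        cmds += ["diagnose sys session filter clear",
                 f"diagnose sys session filter proto {proto}",
                 f"diagnose sys session filter dst {dst}",
                 f"diagnose sys session filter dport {dport}",
                 "diagnose sys session list",  # review what matches before clearing
                 "diagnose sys session clear"]
    cmds.append("diagnose sys session filter clear")
    return cmds


if __name__ == "__main__":
    sessions = parse_session_list(SAMPLE_SESSION_LIST)
    icloud = by_app(sessions, ICLOUD_APP_ID)
    print(f"{len(sessions)} sessions, {len(icloud)} iCloud, "
          f"{len(failed_handshakes(icloud))} of those with <=4 packets")
    print("\n".join(clear_commands(icloud)))
```

Paste the real `diagnose sys session list` output in place of the sample and the script produces the exact filter/clear sequence for the destinations the application was seen talking to. Because the session filter works at L3/L4, any other application's sessions to the same destination and port are cleared as well; if that matters, add a `diagnose sys session filter src` line per client, and always run the `list` step before the `clear` to confirm the match is what you expect.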
