ching023
New Contributor II

FortiGate 100F: allowing a specific Android app to run but blocking everything else, including the Internet.

We have a specific VLAN set up for some Android tablets to join, and we built some Android apps that are hosted in AWS.

We would like to limit our Android tablets to running the apps that we built, while restricting them from accessing the Internet and other things, including software updates.

Is it possible?

Thanks,

AEK
SuperUser

If the apps are built by you, then the app signature will not be recognized by FortiGate, or it will just be recognized as SSL traffic, for example.

So if you want to allow only this traffic, I think using application control will not help; instead you may just filter by destination, such as your AWS servers' IP addresses or FQDN, for example.

AEK
ching023
New Contributor II

Thanks for the advice @AEK
Just to confirm: in the FortiGate portal, Policy & Objects -> Firewall Policy.

Edit the policy that is for the specific VLAN to WAN, and set Destination?

Here right?

[Screenshot: Firewall Policy edit page, 2024-07-09]
Thanks,

ching023
New Contributor II

By the way @AEK
The Android app that we built is available in Google Play; it has an ID, but it shows as Private as well.
Will this make any difference for using Application Control, or is it still the same since it is a Private app?

Thanks,

AEK
SuperUser

Hello Ching

Yes, you should edit that policy and set the target AWS server(s) as the destination. Bear in mind that there should be no other rule below it allowing other traffic from the VLAN to WAN.
Regarding application control: if you want to see whether your application is recognized by the FG (who knows), then you first need to enable traffic logging on that policy, generate some traffic from the application, then check the FG menu: Log & Report > Forward Traffic, filter on the client source IP (or the AWS server IP), and see in the "Application Name" column whether any relevant application is displayed.

As another alternative, you can still write your own application signature to filter by application profile, but it may require some skills. There is a special guide for that:

https://docs.fortinet.com/document/ipsengine/7.4.0/custom-ips-and-application-control-signature-synt...

In case you can't, then just filter by destination as suggested before.

AEK
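The following is an added example, not from the thread or from Fortinet's documentation: a FortiOS CLI equivalent of the destination-only policy AEK describes above. The interface names (vlan-tablets, wan1), the tablet subnet, the FQDN app.example.com and the policy IDs are assumptions; substitute your own. It uses an FQDN address object so the policy follows the AWS IPs as they change, turns on traffic logging so the "Application Name" check described above has data to show, and adds an explicit, logged deny below the allow so nothing broader can sit underneath it.

```text
# --- Added example: FortiOS CLI, hypothetical names/addresses ---

# Address objects: the tablet VLAN (ipmask) and the AWS-hosted app (FQDN).
# The FQDN object is resolved by the FortiGate's own DNS settings, so the
# tablets must resolve app.example.com to the same addresses the FortiGate sees.
config firewall address
    edit "tablets-net"
        set type ipmask
        set subnet 10.50.0.0 255.255.255.0
    next
    edit "aws-app"
        set type fqdn
        set fqdn "app.example.com"
    next
end

# Policy 10: the only allow from the tablet VLAN to WAN, restricted to the
# app's FQDN and to HTTPS. logtraffic all populates Forward Traffic logs so
# the Application Name column can be inspected.
config firewall policy
    edit 10
        set name "tablets-to-aws-app-only"
        set srcintf "vlan-tablets"
        set dstintf "wan1"
        set srcaddr "tablets-net"
        set dstaddr "aws-app"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
        set nat enable
    next
    # Policy 11: explicit deny for everything else from the VLAN, logged, so
    # blocked update/Play Store attempts are visible and no wider rule can be
    # placed below it by mistake. It must sit directly below policy 10.
    edit 11
        set name "tablets-deny-rest"
        set srcintf "vlan-tablets"
        set dstintf "wan1"
        set srcaddr "tablets-net"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Two caveats a practitioner should check before relying on this. First, the tablets still need DNS to reach app.example.com; either point them at a resolver the FortiGate serves on the VLAN or add a narrow policy for UDP/TCP 53 to one named resolver above policy 11, since "deny everything else" blocks DNS too. Second, confirm the FQDN object is actually resolving on the FortiGate (for example with `diagnose firewall fqdn list`) and that it covers every hostname the app calls (API, CDN, auth endpoints), otherwise the app will fail in ways that look like an app bug rather than a firewall block; the logged deny in policy 11 is the quickest way to spot those hostnames.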
ching023
New Contributor II

Thank you @AEK 
I tested; the Application Name shows empty in the log, and the Destination shows an IP and a resolved domain name in parentheses.

Thanks a lot for your help.
