Fortigate Application Control "Dropbox" excludes web-based access?
Dropbox service can be accessed using a web browser or a host-based app.
Does Application Control "Dropbox" apply to traffic from web browser, host-based app or both?
Hello AlexFeren,
They cover both. However, with the host-based app, you have to use the "Dropbox.Lan.Sync.Discovery.Protocol" signature too. The Download, Upload signatures work only on the web browser. Dropbox implements Certificate Pinning on its standalone applications.
HoMing
Did you enable deep-inspection? Those signatures require deep-inspection as they use HTTPS. You can do a quick check to see if deep-inspection is enabled by looking at the certificate of the session. If it is replaced with your certificate or the default FGT's, then it's replaced. Otherwise, deep-inspection was not done.
> Did you enable deep-inspection? Those signatures require deep-inspection as they use HTTPS.
How would I know that? In
    FG60C (global) # get application name status | grep -A 15 Dropbox
    app-name: "Dropbox"
    id: 17459
    category: "Storage.Backup"
    cat-id: 22
    sub-category: "(null)"
    sub-cat-id: 0
    parameter:
    popularity: 5.low
    risk: 3.low
    shaping: 0
    protocol: 1.TCP, 26.SSL, 9.HTTP
    vendor: 0.Other
    technology: 1.Browser-Based
    behavior:
does "26.SSL" tell me that the signatures REQUIRE deep-inspection?
There's a myriad of Dropbox-associated URLs (dropbox.com, dropboxstatic.com, dropboxapi.com, dropboxusercontent.com, dropboxpayments.com, dropboxforum.com, dropbox.de, dropboxusercontent.com, getdropbox.com and probably plenty more) - how can I obtain statistics on "all Dropbox" traffic?
Hello,
In your command, "get application name status | grep -A 15 Dropbox", you are short by 1 for your "grep -A" value. Use 16.
You should get the following:
    FWF90D3Z14000497 # get application name status | grep -A 16 Dropbox
    app-name: "Dropbox"
    id: 17459
    category: "Storage.Backup"
    cat-id: 22
    sub-category: "(null)"
    sub-cat-id: 0
    parameter:
    popularity: 5.low
    risk: 3.low
    weight: 10
    shaping: 0
    protocol: 1.TCP, 26.SSL, 9.HTTP
    vendor: 0.Other
    technology: 1.Browser-Based
    behavior: 9.Cloud
    language: Multiple
    require_ssl_di: No
    --
    app-name: "Dropbox.Lan.Sync.Discovery.Protocol"
    id: 36313
    category: "Storage.Backup"
    cat-id: 22
    sub-category: "(null)"
    sub-cat-id: 0
    parameter:
    popularity: 4.low
    risk: 3.low
    weight: 20
    shaping: 0
    protocol: 2.UDP
    vendor: 0.Other
    technology: 2.Client-Server
    behavior: 9.Cloud
    language: Multiple
    require_ssl_di: No
    --
require_ssl_di will tell you if that signature requires deep-inspection or not. As for obtaining statistics on all Dropbox traffic, you can filter "Dropbox" under "Application Name" (in 5.6 - in other FortiOS, the name is probably slightly different) at Application Logs or using FortiView -> Applications.
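Added example, not part of the original post: a small parser for saved `get application name status` output that reports, per signature, whether it lists SSL as a protocol and what `require_ssl_di` says, returning None when the field is absent (as on FortiOS below 5.4). The sample text is constructed in the shape quoted in this thread; the Dropbox_File.Upload record (id 0, protocol list, value "Yes") is a placeholder and not captured output.

```python
# Constructed sample in the shape of the 5.6 output quoted in this thread.
# The Dropbox_File.Upload record is a placeholder, not captured output.
SAMPLE_56 = """\
FWF90D # get application name status | grep -A 16 Dropbox
app-name: "Dropbox"
id: 17459
protocol: 1.TCP, 26.SSL, 9.HTTP
require_ssl_di: No
--
app-name: "Dropbox.Lan.Sync.Discovery.Protocol"
id: 36313
protocol: 2.UDP
require_ssl_di: No
--
app-name: "Dropbox_File.Upload"
id: 0
protocol: 1.TCP, 26.SSL, 9.HTTP
require_ssl_di: Yes
"""
# 5.2-style record: the require_ssl_di field is not printed at all.
SAMPLE_52 = 'app-name: "Dropbox"\nid: 17459\nprotocol: 1.TCP, 26.SSL, 9.HTTP\n'

def parse_app_status(text):
    """Split the CLI output into one dict per signature."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "--":          # grep -A group separator
            continue
        key, sep, value = line.partition(":")
        if not sep:                           # prompt line, no "key: value"
            continue
        key, value = key.strip(), value.strip().strip('"')
        if key == "app-name":                 # every record starts here
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records

def deep_inspection_report(text):
    """Map signature name -> (lists SSL, needs deep inspection or None)."""
    report = {}
    for rec in parse_app_status(text):
        protocols = [p.strip() for p in rec.get("protocol", "").split(",")]
        over_ssl = any(p.endswith(".SSL") for p in protocols)
        flag = rec.get("require_ssl_di")
        needs_di = None if flag is None else flag.lower() == "yes"
        report[rec["app-name"]] = (over_ssl, needs_di)
    return report
```

A result of `(True, False)` for "Dropbox" shows that listing 26.SSL as a protocol and requiring deep inspection are separate properties.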
hmtay wrote:
> you are short by 1 for your "grep -A" value. Use 16.
No! I don't see "require_ssl_di" in v5.2.10, observe:
    FG60C (global) # get application name status | grep -A 20 Dropbox
    app-name: "Dropbox"
    id: 17459
    category: "Storage.Backup"
    cat-id: 22
    sub-category: "(null)"
    sub-cat-id: 0
    parameter:
    popularity: 5.low
    risk: 3.low
    shaping: 0
    protocol: 1.TCP, 26.SSL, 9.HTTP
    vendor: 0.Other
    technology: 1.Browser-Based
    behavior:
    app-name: "Dropbox.Lan.Sync.Discovery.Protocol"
    id: 36313
    :
> require_ssl_di will tell you if that signature requires deep-inspection or not.
err..., your printout indicates value "No" for Dropbox application - doesn't this contradict your earlier allegation: "Those signatures require deep-inspection as they use HTTPS."?
> You can filter "Dropbox" under "Application Name" (in 5.6 - in other FortiOS, the name is probably slightly different) at Application Logs or using FortiView -> Applications.
I'm using FortiAnalyzer:
FortiView -> Application & Websites -> Top Applications, filter "app=Dropbox srcip=140.159.XX.YY":
    04-20 11:18 140.159.XX.YY 108.160.172.206 HTTPS 65.58KB/158.89KB Dropbox
    04-20 11:16 140.159.XX.YY 108.160.172.206 HTTPS 7.02KB/9.69KB Dropbox
    04-20 11:16 140.159.XX.YY 162.125.81.5 HTTPS 2.79KB/8.39KB Dropbox
    04-20 11:16 140.159.XX.YY 162.125.34.129 HTTPS 1.57KB/5.58KB Dropbox
    04-20 11:14 140.159.XX.YY 162.125.81.5 HTTPS 1.19KB/5.06KB Dropbox
    04-20 11:14 140.159.XX.YY 162.125.81.5 HTTPS 1.19KB/5.06KB Dropbox
    04-20 11:13 140.159.XX.YY 162.125.34.129 HTTPS 1.54KB/5.49KB Dropbox
    04-20 11:13 140.159.XX.YY 162.125.81.5 HTTPS 1.20KB/5.11KB Dropbox
    04-20 11:13 140.159.XX.YY 162.125.81.5 HTTPS 1.20KB/5.11KB Dropbox
    04-20 11:13 140.159.XX.YY 162.125.81.5 HTTPS 1.20KB/5.11KB Dropbox
    04-20 11:13 140.159.XX.YY 162.125.81.5 HTTPS 1.75KB/6.47KB Dropbox
    04-20 11:13 140.159.XX.YY 162.125.81.5 HTTPS 1.23KB/5.11KB Dropbox
    04-20 11:13 140.159.XX.YY 162.125.81.5 HTTPS 1.20KB/5.11KB Dropbox
    04-20 11:13 140.159.XX.YY 162.125.81.5 HTTPS 1.20KB/5.11KB Dropbox
    04-20 11:13 140.159.XX.YY 162.125.81.5 HTTPS 1.20KB/5.06KB Dropbox
    04-20 11:13 140.159.XX.YY 162.125.81.5 HTTPS 1.20KB/5.06KB Dropbox
    04-20 11:13 140.159.XX.YY 108.160.172.206 HTTPS 3.86KB/6.96KB Dropbox
    04-20 11:13 140.159.XX.YY 108.160.172.206 HTTPS 3.78KB/7.19KB Dropbox
    04-20 11:13 140.159.XX.YY 108.160.172.206 HTTPS 3.86KB/6.96KB Dropbox
    04-20 11:13 140.159.XX.YY 108.160.172.206 HTTPS 3.86KB/6.96KB Dropbox
    04-20 11:13 140.159.XX.YY 108.160.172.206 HTTPS 3.86KB/6.96KB Dropbox
    04-20 11:13 140.159.XX.YY 108.160.172.238 HTTPS 1.09KB/4.98KB Dropbox
FortiView -> Application & Websites -> Top Applications, filter "domain=Dropbox* srcip=140.159.XX.YY":
    04-20 11:18 140.159.XX.YY 108.160.172.206 HTTPS 65.58KB/158.89KB Dropbox
    04-20 11:18 140.159.XX.YY 162.125.34.134 HTTPS 5.05MB/47.21KB SSL_TLSv1.2
    04-20 11:17 140.159.XX.YY 162.125.34.134 HTTPS 2.13KB/5.22KB SSL_TLSv1.2
    04-20 11:16 140.159.XX.YY 108.160.172.206 HTTPS 7.02KB/9.69KB Dropbox
    04-20 11:16 140.159.XX.YY 162.125.81.5 HTTPS 2.79KB/8.39KB Dropbox
    04-20 11:16 140.159.XX.YY 162.125.34.129 HTTPS 1.57KB/5.58KB Dropbox
    04-20 11:14 140.159.XX.YY 162.125.34.134 HTTPS 753B/3.58KB SSL_TLSv1.2
    04-20 11:14 140.159.XX.YY 162.125.81.5 HTTPS 1.19KB/5.06KB Dropbox
    04-20 11:14 140.159.XX.YY 162.125.81.5 HTTPS 1.19KB/5.06KB Dropbox
    04-20 11:13 140.159.XX.YY 162.125.81.5 HTTPS 1.20KB/5.11KB Dropbox
    04-20 11:13 140.159.XX.YY 162.125.34.129 HTTPS 1.54KB/5.49KB Dropbox
    04-20 11:13 140.159.XX.YY 162.125.81.5 HTTPS 1.23KB/5.11KB Dropbox
    04-20 11:13 140.159.XX.YY 162.125.81.5 HTTPS 1.20KB/5.11KB Dropbox
    04-20 11:13 140.159.XX.YY 162.125.81.5 HTTPS 1.20KB/5.11KB Dropbox
    04-20 11:13 140.159.XX.YY 162.125.81.5 HTTPS 1.20KB/5.06KB Dropbox
    04-20 11:13 140.159.XX.YY 162.125.81.5 HTTPS 1.20KB/5.06KB Dropbox
    04-20 11:13 140.159.XX.YY 162.125.81.5 HTTPS 1.75KB/6.47KB Dropbox
    04-20 11:13 140.159.XX.YY 162.125.81.5 HTTPS 1.20KB/5.11KB Dropbox
    04-20 11:13 140.159.XX.YY 162.125.81.5 HTTPS 1.20KB/5.11KB Dropbox
    04-20 11:13 140.159.XX.YY 108.160.172.206 HTTPS 3.86KB/6.96KB Dropbox
    04-20 11:13 140.159.XX.YY 108.160.172.206 HTTPS 3.78KB/7.19KB Dropbox
    04-20 11:13 140.159.XX.YY 108.160.172.206 HTTPS 3.86KB/6.96KB Dropbox
    04-20 11:13 140.159.XX.YY 108.160.172.206 HTTPS 3.86KB/6.96KB Dropbox
    04-20 11:13 140.159.XX.YY 108.160.172.206 HTTPS 3.86KB/6.96KB Dropbox
    04-20 11:13 140.159.XX.YY 108.160.172.238 HTTPS 1.09KB/4.98KB Dropbox
If you do a comparison (after sorting), both are identical except for "SSL_TLSv1.2" entries. This means that the "Dropbox" application signature excludes some traffic, even though everything is via the same HTTPS protocol. Given that "require_ssl_di" is "No", can you explain this exclusion?
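Added example, not part of the original post: the sorted comparison described above done as a multiset difference, listing the sessions the domain filter returns that the application filter does not, with their byte volume. The sample rows are a subset of the rows quoted in the post; treating KB and MB as powers of 1024 and summing both size figures per row are assumptions.

```python
from collections import Counter

# Subset of the FortiView rows quoted in the post above (sample data).
APP_FILTER = """\
04-20 11:18 140.159.XX.YY 108.160.172.206 HTTPS 65.58KB/158.89KB Dropbox
04-20 11:16 140.159.XX.YY 108.160.172.206 HTTPS 7.02KB/9.69KB Dropbox
04-20 11:14 140.159.XX.YY 162.125.81.5 HTTPS 1.19KB/5.06KB Dropbox
04-20 11:14 140.159.XX.YY 162.125.81.5 HTTPS 1.19KB/5.06KB Dropbox
"""
DOMAIN_FILTER = APP_FILTER + """\
04-20 11:18 140.159.XX.YY 162.125.34.134 HTTPS 5.05MB/47.21KB SSL_TLSv1.2
04-20 11:17 140.159.XX.YY 162.125.34.134 HTTPS 2.13KB/5.22KB SSL_TLSv1.2
04-20 11:14 140.159.XX.YY 162.125.34.134 HTTPS 753B/3.58KB SSL_TLSv1.2
"""

UNITS = {"B": 1, "KB": 1024, "MB": 1024**2, "GB": 1024**3}  # assumed base 1024

def to_bytes(size):
    """Convert a FortiView size such as '753B' or '5.05MB' to bytes."""
    for unit in ("GB", "MB", "KB", "B"):      # longest suffix first
        if size.endswith(unit):
            return round(float(size[:-len(unit)]) * UNITS[unit])
    raise ValueError(f"unrecognised size: {size!r}")

def parse_rows(text):
    """One tuple per row: (date, time, src, dst, service, sizes, app)."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def unclassified(app_rows, domain_rows):
    """Rows the domain filter returned that the app filter did not.

    Counter subtraction keeps duplicates, so identical rows that occur
    a different number of times in each list are not cancelled out.
    """
    extra = Counter(parse_rows(domain_rows)) - Counter(parse_rows(app_rows))
    return sorted(extra.elements())

def missed_bytes(rows):
    """Total of both size figures over the given rows."""
    return sum(to_bytes(s) for row in rows for s in row[5].split("/"))

if __name__ == "__main__":
    gap = unclassified(APP_FILTER, DOMAIN_FILTER)
    for row in gap:
        print(" ".join(row))
    print(f"{len(gap)} sessions, {missed_bytes(gap)} bytes not tagged Dropbox")
```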
>>No! I don't see "require_ssl_di" in v5.2.10, observe:
Sorry, the require_ssl_di syntax is only available in FortiOS 5.4 and above.
>>err..., your printout indicates value "No" for Dropbox application - doesn't this contradict your earlier allegation:
Dropbox does not require deep-inspection. Dropbox_Login, Dropbox_File.Upload and Dropbox_File.Download require deep-inspection.
>>If you do a comparison (after sorting), both are identical except for "SSL_TLSv1.2" entries. This means that the "Dropbox" application signature excludes some traffic, even though everything is via the same HTTPS protocol. Given that "require_ssl_di" is "No", can you explain this exclusion?
Yes, it looks like a missed detection on that. I will look into it and get back to you in a bit. Sorry for the inconveniences.
HoMing
hmtay wrote:
> Yes, it looks like a missed detection on that. I will look into it and get back to you in a bit. Sorry for the inconveniences.
Progress?
Hello Alex,
The signature is in IPS Definition 10.127 and above.
