Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Help with custom application signature
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Help with custom application signature
Hello,
I'm blocking app control Proxy category but I need to whitelist access to proxy-safebrowsing.googleapis.com. It falls under Proxy.HTTP application and gets blocked. I would like to do it via custom signature. But I can't seem to match the traffic using my custom signature. I've read the signature creating guide and followed it but no luck. It still recognized as Proxy.HTTP.
config application custom
edit "Google.Safebrowsing.Proxy"
set signature "F-SBID( --attack_id 9876; --name \"Google.Safebrowsing.Proxy\"; --service HTTP; --protocol tcp; -- app_cat 6; --pattern \"safebrowsing.googleapis.com\"; --weight 40;)"
set category 6
next
end
config application list
edit "AppControl"
set extended-log enable
set other-application-log enable
set unknown-application-log enable
set deep-app-inspection disable
unset options
config entries
edit 4
set application 9876
set action pass
next
edit 5
set category 2 6 7 8
next
end
next
end
Sample log of traffic:
date=2024-10-01 time=17:26:51 id=7420921850693158485 itime=2024-10-01 17:26:51 euid=3 epid=326934 dsteuid=3 dstepid=101 type=utm subtype=app-ctrl level=warning action=block sessionid=186458912 policyid=89 srcip=10.123.111.111 dstip=123.123.123.123 srcport=54654 dstport=80 proto=6 logid=1059028705 service=HTTP eventtime=1727818011353619038 incidentserialno=82324068 crscore=10 craction=1048576 crlevel=medium direction=outgoing apprisk=critical appid=107347980 srcintfrole=lan dstintfrole=undefined applist=AppControl appcat=Proxy app=Proxy.HTTP hostname=proxy-safebrowsing.googleapis.com url=/ eventtype=signature srcintf=WIFI dstintf=port16 rawdata=Response-Content-Type=text/html rawdataid=1/1 msg=Proxy: Proxy.HTTP tz=-0400 policytype=policy srccountry=Reserved dstcountry=United States poluuid=39cfc8a0-241e-51ef-27e1-221716410659 httpmethod=CONNECT devid=FG4H111111111111 vd=root dtime=2024-10-01 17:26:51 itime_t=1727818011
Anyone has any idea how to match it ? Maybe "hostname" is not something that is searched for the "pattern".
Solved! Go to Solution.
Labels:
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is working now.
On Tuesday Oct 8 around 2PM the related traffic started to match my custom signature and stopped matching Proxy.HTTP for all our firewalls.
I have not changed anything in the configuration, and config captures show no difference in config.
The customer signature was pushed to the firewalls via FMG a week before it started to work.
Not sure how to explain it.
Current working signature:
config application custom
edit "Google.Safebrowsing.Proxy"
set comment ''
set signature "F-SBID( --attack_id 9876; --name \"Google.Safebrowsing.Proxy\"; --service HTTP; --protocol tcp; --app_cat 6; --pattern \"safebrowsing.googleapis.com\"; --weight 40;)"
set category 6
next
end
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Counterintuitively, you may be able to add a Web Filter and add a 'static URL filter' entry to exempt that URL from all UTM. This will stop it from even being scanned by the Application Control.
See: https://community.fortinet.com/t5/FortiGate/Technical-Tip-The-difference-between-allow-and-exempt-in...
If you need to do this within Application Control, it seems like the signature is correct. I would check and see if the request from the client is HTTPS, and if it is, you may need to enable Deep Inspection so Application Control can see inside that encrypted stream.
"Never trust a computer you can't throw out a window."
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your reply, Johnathan
I created "Simple" "Exempt" URL filter of "proxy-safebrowsing.googleapis.com" and logs showed that the traffic was "passthrough" and not blocked. But then, on the next step, it got matched by Proxy.HTTP and blocked.
The packets are not encrypted and I was able to capture a sample (shown below). Not sure why custom application does not match it.
I tried
F-SBID( --attack_id 9876; --name "Google.Safebrowsing.Proxy"; --service HTTP; --protocol tcp; --app_cat 6; --pattern "CONNECT proxy-safebrowsing.googleapis.com:443"; --weight 40;)
but it still recognized as Proxy.HTTP only
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Let's try and make it as simple as possible:
----
F-SBID( --name "block.proxy"; --pattern "proxy-safebrowsing.googleapis.com"; --service HTTP; --protocol tcp; )
----
I will try this also in my lab when I have a moment. Will keep you posted.
"Never trust a computer you can't throw out a window."
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Via CLI it rejects the simple signature (lacking some necessary fields). When doing in GUI it automatically adds --attack_id 9876;and --app_cat 6; when missing.
So the simplest signature is
set signature "F-SBID(--attack_id 5280; --name \"Google.Safebrowsing.Proxy\"; --service HTTP; --protocol tcp; --pattern \"proxy-safebrowsing.googleapis.com\";--app_cat 6; )"
Still, the traffic matches Proxy.HTTP
The Proxy.HTTP signature weight is 9 and, I believe the default weight is 10, so I hope the custom signature implicit weight is 10 (more preferable).
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is working now.
On Tuesday Oct 8 around 2PM the related traffic started to match my custom signature and stopped matching Proxy.HTTP for all our firewalls.
I have not changed anything in the configuration, and config captures show no difference in config.
The customer signature was pushed to the firewalls via FMG a week before it started to work.
Not sure how to explain it.
Current working signature:
config application custom
edit "Google.Safebrowsing.Proxy"
set comment ''
set signature "F-SBID( --attack_id 9876; --name \"Google.Safebrowsing.Proxy\"; --service HTTP; --protocol tcp; --app_cat 6; --pattern \"safebrowsing.googleapis.com\"; --weight 40;)"
set category 6
next
end
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Azure Front Door on-premis Fortigate 397 Views
- Web Application Firewall is blocking access... 382 Views
- FortiClient - disconnect/reconnect issue 371 Views
- Using #FortiPAM with Custom Applications Across... 150 Views
- Help with custom application signature 680 Views
Labels
-
FortiGate
8,465 -
FortiClient
1,713 -
5.2
801 -
FortiManager
712 -
5.4
639 -
FortiAnalyzer
547 -
FortiAP
457 -
FortiSwitch
456 -
6.0
416 -
FortiClient EMS
407 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
220 -
FortiWeb
199 -
5.0
196 -
IPsec
186 -
FortiNAC
176 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
75 -
Firewall policy
70 -
4.0MR3
64 -
FortiProxy
59 -
FortiADC
53 -
Fortivoice
52 -
High Availability
52 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
44 -
FortiSandbox
43 -
FortiDNS
42 -
DNS
40 -
Routing
39 -
BGP
38 -
LDAP
38 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
23 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
FortiSOAR
13 -
SSID
13 -
Static route
13 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1660 | |
| 1077 | |
| 752 | |
| 443 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.