Support Forum
esfa101
New Contributor

How to find out the real source of logged application?

We are seeing a lot of blocked and passing applications in the Security Log > Application Control related to our domain controller server's IP: Tor2Web, Opera Turbo, Win_Media, WhatsUp, Gtalk, etc. These events are reported as originating (Source IP) from our DC, which is not realistic. I'm assuming that these applications are running in the local network and, when they need to go out to the internet, they send DNS queries to our DC (which works as the local DNS and has forwarders pointing to our ISP's DNS IPs). Our DC then forwards these requests to the ISP DNS servers, and the Fortigate logs such requests as originating from our DC.

The problem is that we are getting reports about "suspicious" activity on our DC from the company which is providing technical support for our Fortigate units, and we have to deal with such reports under our security procedures, but if this is misleading information from the Fortigate itself, we can't do anything. I have asked the support providers to file a request with Fortinet, and they said that Fortinet couldn't answer what the exact source of those logged events is. So I'm asking in the forums in case someone can confirm my assumptions and maybe even explain how I can find the real source of those applications in our network.

esfa101
New Contributor

Wonderful support..

emnoc
Esteemed Contributor III

Qs:

1> Do you have the fwpolicy-id?

2> Do you have logging set to all on those firewall policy ID(s)?

FWIW

The FortiOS FW logs are very, very informational and will provide you even the pre-SNAT IPv4 address if you have NAT involved.

If they are originating from within the DC, then you can easily gather the src_address.

 

 

Ken

PCNSE NSE StrongSwan
esfa101
New Contributor

1. Where can I find this ID? I'm looking at the Security Log > Application Control (which is where those applications are reported).

ede_pfau

Wonderful support..
Now, really, what's wrong with you? Bad hair day?

 

This is a users' forum where we help each other as well as we can, in our spare time, unpaid. No money, no promises, as with anything. If you don't like this kind of service level you can always resort to the official Fortinet support, for which you have to pay. If they can't help you, it might well be because they didn't get enough relevant info on your network. Instead of working on this you come here, ask for help, and if it's not pouring in instantly you kick ass. Really?

 

I've taken my time anyways to understand your problem. IMHO your explanation misses the point - only DNS queries originate from your DC, not the traffic that triggers the sensors. IDS/AppControl matches traffic patterns, payload, handshakes and more to determine the kind of application. DNS queries on the other hand are plain readable and thus do not trigger these sensors.

 

If I was in your place I'd analyze the traffic from DC to WAN, using the FGT's sniffer or wireshark, to verify the kind of traffic (service, ports, destinations). Then, after confirming the source, I'd scrutinize the source system, be it the DC or a client. In a way, it doesn't matter much if the sensors signal the wrong end - they do signal malware traffic from several services which should be enough to examine the DC and/or the clients.

 

Just my 2 cents.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
esfa101

I'm sorry. This was just out of frustration with Forti in general. I wasn't sure this is a users-only forum. It shows "customer service & support" at the top after all, so I thought maybe Forti employees oversee these forums.

I'm not a very strong network specialist, but I have to deal with suspicious activity reports from our service providers (managing our Fortigate units). They weren't able to tell what is happening, so I asked them to file a request with Forti, and the response was that after checking our Application Log and debug logs they weren't able to determine whether these reports are erroneous or malicious activity.

You are saying that a simple DNS query can't trigger the application sensor. This means that we have Win_Media, Opera Turbo, Whatsup, Gtalk, Warcraft, Tor2web and other applications running on our DC server? Or maybe this is some malware which is being detected as various applications? Also, this malware is only trying to access the public DNS servers of our ISP (based on what the Fortigate is logging, both pass and block events).

I don't see anything suspicious on the server itself, but I will try the Wireshark option. I was already thinking of tuning our antivirus software to detect those applications in the network somehow. Thanks for the hints.

emnoc
Esteemed Contributor III

You are saying that simple DNS query can't trigger the application sensor.

Correct.

Now to the alert: you should have a matching policy, and the logging, if enabled on that fwpolicy that has the security profile, should provide you details.

You need to first determine if it's 1> true positive or negative, 2> server or client side.
PCNSE NSE StrongSwan
esfa101
New Contributor

I'm sorry, still puzzled about this. What I was able to find is that in Web console > Security Profiles > Application Control there is a policy/profile called USER_DEFAULT_APP which has the Proxy category set to blocking mode. I think this policy is applied to our network (at least workstations, but I see no other policy with Proxy being blocked, so it seems this is also applied to servers). I don't know where to go next or where to find the "fwpolicy" you mention.

This is probably too complicated for me to investigate, so I will probably have to repeat my request to our service providers, but I want to be as specific as possible, so they would enable/check the logging, which will show more information about these matches.

As for Wireshark, though, there is a problem that these matches are not very frequent. Today there was only one GoogleTalk match in the morning. Tor2web was 7 days ago. So running Wireshark for a long time is not an optimal option, unless I can apply some filter to minimize the log size, but I don't know what filter would work.

Btw, Application Signatures show that Tor2web is of a Browser-based type.

esfa101
New Contributor

A little update. Today I was lucky to run Wireshark on the DC when a few application matches were logged by the Fortigate: the WhatsApp and Gtalk applications.

WhatsApp case - I see DNS queries:

1. local workstation IP -> DC IP querying for xxx.whatsapp.net server

2. DC IP -> ISP DNS IP query for this server

3. ISP DNS IP -> DC IP response

4. DC IP -> local workstation IP forwards the response

The same second, the Fortigate logs an application match for the WhatsApp application on the DC IP. I have checked that workstation and confirmed that a user was indeed using the WhatsApp web application. So, I think this shows that a simple DNS query can trigger a match.

As I said, I was lucky today to catch that moment. But it will be hard to do the same with the Tor2web match as it only happens once a month, unless I am able to come up with some filter to run Wireshark long enough without running out of disk space quickly. Meanwhile our service providers told me that logging on the Fortigate is already as detailed as it can be (for blocked traffic).
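The correlation the poster did by hand above (an app-control event with the DC as source in the same second as a client's DNS query to the DC) can be automated against exported logs. This is an added example, not code from the thread or from any Fortinet tool; the log lines, the key=value layout of the FortiGate records, the DNS query log layout and the APP_HINTS mapping are all constructed assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed FortiGate app-control log lines (key=value syslog style); not from the thread.
FGT_LOGS = """\
date=2016-03-10 time=09:14:03 type=utm subtype=app-ctrl srcip=10.0.0.5 dstip=203.0.113.53 dstport=53 app="WhatsApp" action=pass
date=2016-03-10 time=09:20:41 type=utm subtype=app-ctrl srcip=10.0.0.5 dstip=203.0.113.53 dstport=53 app="Tor2web" action=block
"""

# Constructed DNS-server query records captured on the DC: "date time client_ip queried_name".
DNS_QUERIES = """\
2016-03-10 09:14:03 10.0.1.77 g.whatsapp.net
2016-03-10 09:14:03 10.0.1.12 mail.example.com
2016-03-10 09:20:40 10.0.1.31 onion.direct
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed mapping from app signature name to substrings expected in the queried name.
APP_HINTS = {"whatsapp": ("whatsapp",), "tor2web": ("onion",)}

def parse_fgt(line):
    """Parse one key=value log line into a dict with a datetime under 'ts'."""
    ev = {k: v.strip('"') for k, v in KV.findall(line)}
    ev["ts"] = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
    return ev

def parse_dns(line):
    day, clock, client, name = line.split()
    return datetime.strptime(day + " " + clock, "%Y-%m-%d %H:%M:%S"), client, name.lower()

def correlate(fgt_text, dns_text, dc_ip, window=timedelta(seconds=2)):
    """For each app-control event whose apparent source is the DC talking to port 53,
    list the internal clients whose DNS query to the DC fits the app and time window."""
    dns = [parse_dns(l) for l in dns_text.splitlines() if l.strip()]
    results = []
    for line in fgt_text.splitlines():
        ev = parse_fgt(line)
        if ev.get("srcip") != dc_ip or ev.get("dstport") != "53":
            continue  # only DNS-forwarding events attributed to the DC are of interest
        hints = APP_HINTS.get(ev["app"].lower(), ())
        clients = sorted({client for ts, client, name in dns
                          if abs(ts - ev["ts"]) <= window
                          and (not hints or any(h in name for h in hints))})
        results.append((ev["ts"].isoformat(), ev["app"], clients))
    return results

if __name__ == "__main__":
    for ts, app, clients in correlate(FGT_LOGS, DNS_QUERIES, "10.0.0.5"):
        print(ts, app, "likely real source(s):", clients or ["no DNS client in window"])
```

An empty client list for an event is the interesting case: it means no internal host asked the DC for a matching name in that window, so the DC itself (or a name the hints do not cover) deserves a closer look.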

esfa101

I was able to replicate Tor2web match by going to http://onion.direct and running search queries there. I can probably collect a few addresses and put them into Wireshark filter and try running that for a month.
