BTW: I am already on FortiOS 5.4 (E-Model firewall with no option to downgrade).
hi,
you're right, policies are not application specific in FortiOS. With AC you can control the flow of data only - in your second example, logging is a feature of the policy, not pertaining to the flow of data, and thus not AC dependent.
In a way, UTM profile are application specific for certain most-used applications, namely HTTP, FTP, and their secure variants. In profile settings, you can specify that they would be recognized using any port, not only the wellknown ports. But again, this is in no way comparable to an application-aware firewall like PA (so I've been told).
Thanks Ede. So if I understand you correctly, app signature cannot be used as a matching criteria in a firewall rule.
Let's say I want to apply two different app control profiles to the same source IP subnet, one that allows Facebook, another one that denies Botnets, it would not work, because the second rule wouldn't be triggered once the first rule has matched. E.g.:
Rule 1:
Source: 10.10.10.0/24
Destination: Any
Service: Any
Action: Allow
App Profile: Allow_Facebook
Rule 2:
Source 10.10.10.0/24
Destination: Any
Service: Any
Action: Allow
App Profile: Block_Botnets
I realize that my examples wouldn't make much sense in real life, but I think you get my point. In this case, rule 2 would never fire for a source IP in 10.10.10/24, since rule nr. 1 already matched the traffic, regardless of what is in the app profile.
Am I getting this right?
Right, AC cannot be used to match traffic like you can with other criteria (port, address, time). Your example of 'stacking' policies indeed shows where the limit is: AC is not about matching (control flow) but applying UTM once traffic is matched.
That's.... Meh....
Thanks for helping me understand. And I also now understand why Palo Alto leads the pack when it comes to NGFW.
cryptochrome wrote:Yeah, it is one of my ongoing complaints with Fortinet. I have told them directly several times. Unfortunately, the limitation would require a complete rewrite of some things to make it work this way. I reference it here Where Fortinet Is Messing UpThat's.... Meh....
Thanks for helping me understand. And I also now understand why Palo Alto leads the pack when it comes to NGFW.
Mike Pruett
Good write-up, Mike. I agree with everything that you wrote on your blog. To be fair though, Palo Alto's NGFW approach was a surprise to every player in the industry. When they saw that PA was successful, they baked something into their own offerings. The "Me too" approach, I guess. Even Checkpoint's application filtering sucks big time. They even need an entirely different policy for application filtering that'S separate from the firewall policy. But they have realized that and with their new release R80, they did a total rewrite and now have a single, consolidated policy that works much like PA's.
The only thing that bugs me with Palo Alto is their choice of appliances. The low end devices like the PA-200 and PA-500 are seriously underpowered and cost a ridiculous amount of money compared to other vendors lower end devices. Heck, a small Fortigate 50E outperforms even middle-tier appliances of PA. Nonetheless, Palo Alto have surpassed Fortinet in the last Gartner quadrant. Go figure.
I agree. I used to run Palo's for the DOD. I like the software. Damn expensive for the various versions of hardware though.
Mike Pruett
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.