@tanr: IMHO 100% correct in all 3 points. I'm sure FTNT is clearly aware of the limitations of it's approach and thinking about how to change this. I'd love to be able to match traffic in a policy just by application recognition. OTOH UTM is highly streamlined in FortiOS to achieve high throuput and it might be quite difficult to change from one architecture to another. And each approach will have pros and cons as well.

I'm not really sure I understand your disappointment. Moreover, I couldn't find other major difference from the PA philosophy, except for the application dependencies (which is a really heavy-weight approach, but maybe not too difficult to introduce in FOS). But the main thing here is that everybody, not just PA and 40Net, must first allow/deny a session, and only then try to identify an application running over it. If you look at PA docs, they say that the app is triggered "at a certain moment" after opening a session, and no vendor can bypass this limitation unless a new technology inserts a L7 app id in every network packet, thus making your dream possible and putting the app at the base level of a FW rule. The rest seems to me just a different way of building the user interface, but with almost the same behavior behind the scenes. If we put aside the app dependencies, of course -- but this can be a matter of app database, yielding a set of app signatures at config time, not a dynamic behavior in face of the real-time traffic. Also, let's not forget that a lot of traffic is encrypted nowadays, so the same rule can be ineffective with a wrong certificate, because the app does not match anymore (or maybe you need to match on HTTPS in every rule, which is hilarious). Bottom line, I expect 40Net to issue app dependencies just before PA gets too much marketshare. The rest is silence (dropping).

I'm not an expert, sorry to contend but it's very interesting.

No, the key difference between PA and the rest is that with PA you can in fact have the app as the base of the policy. Of course their system will have to receive a few packets before they can identify an app, but their approach still allows you to build a firewall policy solely based on apps. Apps are a full class citizen in the policy structure and you can actually use them to match traffic/rules, something you can't do with Fortinet.

 

I am not really disappointed in how Fortinet do it, it is just very limiting compared to PA.

@ede: Thanks for the confirmation.

 

So here's a possibly problematic scenario related to how AC profiles are used:

 

For a specific dmz -> wan situation, I want to allow only NTP, DNS, and Windows Update (through Application Control).  I can have one firewall policy that only allows NTP and DNS (limited to just trusted servers, etc. and yes, I should probably point them to local NTP and DNS).

 

The problem is the next firewall rule, which should allow ONLY Windows Updates for dmz -> wan.

 

Since the Windows Update servers change around, the rule needs to allow "any" destination IP.  (SSL Deep Inspection can be set to mark only microsoft and windows update as "reputable websites", but it will still allow other IPs.)

The firewall rule can have an Application Control profile that has any and all Apps (including Unknown) set to Block, except for the Application "Windows Update."  However, I think the AC profile will block what it sees as applications, but let what it sees as "normal" non-application traffic through.

 

Can anybody confirm?  Does this seem like a valid concern?

Yes, I think you have a point, which I'd rather rephrase a little. In a model based on signature recognition, any firewall must allow some traffic (up to the longest sequence in the algorithm). After that, if you block unknown apps, the session is closed, and what passed is largely meaningless and hopefully harmless (unless some magic packet achieves DoS). You say PA needs "a few packets" to detect the app, maybe 40Net needs twice as much (????). In my opinion, the real quantum leap would be to use several parallel methods, not just signature/pattern detection. I heard, for instance, that some tools can detect encrypted P2P botnets or TOR by analyzing statistical parameters of the traffic. Such an approach is less predictable, as the relevant stochastic profile can emerge instantly or take longer to build up. How is this detection time variability compatible with the app as a basic fw rule parameter beats me. Another problem with delayed detection comes from the fact it favors the "everything passes except xxx" model, while the "block everything but yyy" approach is less efficient. In your example (you should test it!) the real problem comes from app dependencies and site shifting: you should block in the same rule all site categories except the particular list used by MSupdates (with webfilter local exceptions) and allow only the update apps. But then your app is still not working, because there are other dependent apps that must be allowed (Network Services etc). So you must study in real time and allow everything needed, various sites and wilcard domains (changing over time!) and auxiliary apps. Maybe PA offers all this in just a click, if so they are really good. 40Net must do it soon!

>>Since the Windows Update servers change around, the rule needs to allow "any" destination IP.  (SSL Deep Inspection can be set to mark only microsoft and windows update as "reputable websites", but it will still allow other IPs.) The firewall rule can have an Application Control profile that has any and all Apps (including Unknown) set to Block, except for the Application "Windows Update."  However, I think the AC profile will block what it sees as applications, but let what it sees as "normal" non-application traffic through.  

Can anybody confirm?  Does this seem like a valid concern?

 

>>In your example (you should test it!) the real problem comes from app dependencies and site shifting: you should block in the same rule all site categories except the particular list used by MSupdates (with webfilter local exceptions) and allow only the update apps. But then your app is still not working, because there are other dependent apps that must be allowed (Network Services etc).

 

In FortiOS 5.0 and below, we do not have support for this feature - let's call it whitelisting. To whitelist let's say "Windows Update", lower level signatures like SSL, HTTPS.BROWSER have to be set to Allow/Monitor. This is undesirable as it means all other SSL and HTTPS.BROWSER will be allowed too.

 

In FortiOS 5.2 and above, we addressed this issue with our application dependency tree. You no longer need to set signatures like SSL, HTTPS.BROWSER or other lower level signatures to Allow/Monitor to allow the higher level signatures like "Windows Update". The FortiGate, through the dependency tree will know if it has to defer identification of a session.

One more comment regarding this interesting post. We are running v5.2.7 on 2 FG500D. We are facing similar scenarios (Application Control, Web Filtering and exceptions) like those ones you have already explained in this post. As far as I have understood the key point is the way a traffic reaching FortiOS matches or not certain policies. It seems that Security Profiles perform actions once the traffic has matched a certain policy. This behaviour makes difficult to manage exceptions and/or different actions in a sequential mode (e.g. based on FSSO AD Groups). Might there be a way in which a traffic denied by a policy (this would be optional, not for all policies) could keep trying to match another subsequent policy (either sequentially or a specific policy id)? As far as I know some other firewall companies allow this option. Thanks. Ignacio.