Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
cryptochrome
New Contributor III

How to use App Control in policies

Hi,   I am not new to Fortigates, but I am new to Application Control. I am struggling to understand how to properly make use of it in the context of firewall policies.   I understand I can't simply create a firewall policy based on Apps (e.g. put an app in there as a matching criteria instead of a port-based service). I have to use Application Control profiles instead and attach them to the firewall rule. And that's where it leaves me.    For example: Let's say I want to allow Facebook for source IP 10.10.10.1, but no other apps. What would the App Control profile look like and what would the corresponding firewall rule look like? In the profile, I would block all App Categories and then use Filter and/or Application Overrides (which one), only selecting Facebook? And then add that to a firewall rule that allow source 10.10.10.1 ANY service (or just HTTP(S)) and attach the profile?   If that's the way to go, how do I go granular?   Let's say I want a rule that disables logging for a certain app (let's keep Facebook here)? On a "traditional" firewall, I would simply create a rule with source IPs, destination IPs, services, action:allow and set it to no log. However, with app control and the above example, wouldn't that rule match for any other traffic as well? I wouldn't be able to have a second rule that allows Dropbox, for example (for the same source), because the previous Facebook rule matches all apps (blocks them) AND Facebook (allow it).    As you can see, I am struggling with the concept.   I hope I am making sense (excuse my non-native english).
20 REPLIES 20
seaton
New Contributor

Use NGFW mode in FortiGate, that will match like a Palo. However, I think largely the concerns here are over blown, it just requires a different way of thinking about your rules in profile mode.  People are mentioning exceptions well, what makes an exception....Some other attribute being different (besides simply an app being allowed vs blocked), put that policy first in profile mode, your default policy should be last in the rule base.  As far as copying profiles it is copy and paste in the command line.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors