I am running a Fortigate 40F in policy-based mode and see a behaviour that I don't understand:
I have configured only two policies:
1. Block all traffic/any app id to url categories (spam, phishing etc.)
2. Allow traffic only with app id HTTPS.BROWSER
From my traffic logs I can see that sometimes first HTTPS.BROWSER and then another app id is recognized, but the traffic is not blocked.
For example, when browsing github.com the first log entry from app-ctrl is HTTPS.BROWSER and the next entry is Github, which is not allowed by policy. The forwarding log entry at the end of the session states Github too, but browsing was not blocked.
I have seen this behaviour with traffic to skype and adobe too.
Shouldn't the firewall block this traffic when an app id that is not allowed is seen in a session?
Is that because NGFW in policy-based mode only does flow mode and not proxy mode?
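One way to quantify how often this happens is to audit the logs for sessions whose app-ctrl identification changed from an allowed app to a disallowed one without a block being recorded. The script below is an added example, not part of the original post or of any Fortinet tool; the sample log lines are constructed to resemble FortiOS key=value logs, and the field names (`sessionid`, `subtype`, `app`, `action`) and the sample values are assumptions, not captured data.

```python
"""Audit FortiGate-style app-ctrl/forward logs for sessions re-identified mid-session.

Added example; not from the original post. Log lines are constructed and the
field names are assumed to resemble FortiOS key=value logging.
"""
import shlex
from collections import defaultdict

# Apps the allow policy permits (the second policy in the post).
ALLOWED_APPS = {"HTTPS.BROWSER"}

# Constructed sample: session 1001 is first seen as HTTPS.BROWSER, then as
# Github, and is still accepted; session 1002 stays HTTPS.BROWSER throughout.
SAMPLE_LOGS = """\
date=2023-05-01 time=10:00:01 type="utm" subtype="app-ctrl" sessionid=1001 srcip=10.0.0.5 dstip=140.82.121.4 app="HTTPS.BROWSER" appcat="Web.Client" action="pass"
date=2023-05-01 time=10:00:02 type="utm" subtype="app-ctrl" sessionid=1001 srcip=10.0.0.5 dstip=140.82.121.4 app="Github" appcat="Collaboration" action="pass"
date=2023-05-01 time=10:00:30 type="traffic" subtype="forward" sessionid=1001 srcip=10.0.0.5 dstip=140.82.121.4 app="Github" action="accept"
date=2023-05-01 time=10:01:00 type="utm" subtype="app-ctrl" sessionid=1002 srcip=10.0.0.5 dstip=93.184.216.34 app="HTTPS.BROWSER" appcat="Web.Client" action="pass"
date=2023-05-01 time=10:01:45 type="traffic" subtype="forward" sessionid=1002 srcip=10.0.0.5 dstip=93.184.216.34 app="HTTPS.BROWSER" action="accept"
"""


def parse_line(line):
    """Split one key=value log line into a dict; shlex strips the quotes."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def audit_sessions(log_text, allowed_apps=ALLOWED_APPS):
    """Return sessions that were identified as a disallowed app yet never blocked.

    Each finding lists the sequence of app identifications seen for the session,
    the disallowed ones among them, and the action from the forward log.
    """
    sessions = defaultdict(lambda: {"apps": [], "blocked": False, "final_action": None})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        sid = rec.get("sessionid")
        if sid is None:
            continue
        s = sessions[sid]
        if rec.get("subtype") == "app-ctrl":
            app = rec.get("app")
            # Record each change of identification in order, skipping repeats.
            if app and (not s["apps"] or s["apps"][-1] != app):
                s["apps"].append(app)
            if rec.get("action") in ("block", "reset"):
                s["blocked"] = True
        elif rec.get("subtype") == "forward":
            s["final_action"] = rec.get("action")

    findings = []
    for sid, s in sessions.items():
        disallowed = [a for a in s["apps"] if a not in allowed_apps]
        if disallowed and not s["blocked"] and s["final_action"] != "deny":
            findings.append({
                "sessionid": sid,
                "apps": s["apps"],
                "disallowed": disallowed,
                "final_action": s["final_action"],
            })
    return findings


if __name__ == "__main__":
    for f in audit_sessions(SAMPLE_LOGS):
        print(f"session {f['sessionid']}: {' -> '.join(f['apps'])} "
              f"(disallowed: {', '.join(f['disallowed'])}, final action: {f['final_action']})")
```

Run it against an export of the app-ctrl and forward traffic logs (one line per entry) instead of `SAMPLE_LOGS` to get a list of sessions where the allow policy matched on the initial HTTPS.BROWSER identification and a later, disallowed app id was logged without a block.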