Hi everyone,
I'm facing an issue with FortiGate Application Control. I have a profile configured to block all applications, including Telnet and Unknown traffic. The problem occurs when I test Telnet using the command:
telnet pop.gmx.net 110
Instead of being blocked, this connection goes through, and in the logs, it gets categorized as "Unknown" rather than Telnet. Even though I’ve set Application Control to block Unknown traffic, it still allows the connection.
Telnet over port 110 (normally used for POP3) is not getting blocked or recognized as Telnet—it’s instead showing up as "Unknown" but still not being blocked.
Thanks for your help!
FLorian
config:
config application list
edit "TEMP_PERIMETER"
set enforce-default-app-port enable
set unknown-application-action block
set unknown-application-log enable
config entries
edit 1
set application 16091
next
edit 2
set category 2 3 5 6 7 8 12 15 17 21 22 23 25 26 28 29 30 31 32
next
edit 3
set action pass
next
end
next
end
config firewall policy
edit 1071741840
set name "TEST"
set uuid 9b0f2c98-7408-51ef-afa2-775104cae6d8
set srcintf "Z_INSIDE"
set dstintf "virtual-wan-link"
set action accept
set srcaddr "HOST_TEST_WIN007"
set dstaddr "all"
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "TEMP_DEEP-INSPECTION"
set av-profile "TEMP_AV_default"
set webfilter-profile "TEMP_Web-Filter"
set dnsfilter-profile "TEMP_DNS-Filter"
set file-filter-profile "TEMP_Basic"
set ips-sensor "TEMP_IPS_strict"
set application-list "TEMP_PERIMETER"
set logtraffic all
set nat enable
set ippool enable
set poolname "NAT-POOL_INTERNET"
next
end
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi r17
As per my knowledge when you do "telnet host 110" the telnet tool just tries to open a TCP connection, so FGT App Ctrl doesn't have enough info to recognize this as telnet protocol connection, until there are some specific traffic signature that reveals to FGT which app traffic is flowing.
But based on your input, I’ve created a custom application signature:
F-SBID( --attack_id 9626; --name "Block-Unknown-TCP-Ports"; --protocol tcp; --dst_port 1:65535; --app_cat 32; )
After adding this to Application Control, I successfully got a block for the traffic.
However, I noticed something strange: a new category appeared in the Application Control list with the same name as the default "Unknown" category. It looks like the custom signature created another entry for "Unknown" traffic. Does this seem normal to you? It feels a bit unusual to me.
Thanks again for your insights!
Hi AEK
I understand that the Telnet tool is just opening a TCP connection and that there might not be enough info initially for FortiGate to recognize it as a Telnet protocol connection.
However, shouldn't Application Control still categorize it as "Unknown" traffic since it's not identified as Telnet? And if Unknown traffic is set to be blocked, shouldn't it prevent the connection from going through regardless of the protocol?
Thanks for your input!
Actually I'm not certain how app ctrl works in detail, but I guess this "unknown" you see is somehow "not enough info to make decision". And I think when there is enough traffic to decide, and FG finds nothing in its app DB that match the traffic signature, here it is decided that this traffic has been identified as actually "unknown", and here it should be blocked.
Here I'm just talking as by my understanding. Hope some more experienced member can inform us further.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1662 | |
1077 | |
752 | |
443 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.