Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor II

Understanding the application control


I'm a bit confused about using application control in a firewall policy in profile-based vdom.

(Fortigate 81F, 7.4.3)

I use the following network design as an example:

One LAN and one WAN interface, the DNS and the ROUTING is set up and working. In the LAN interface I use DHCP server. In LAN side the DNS name resolution is works. 

I have set the following firewall rules:

Firewall Policy.png

"4" rule - Deny QUIC (UDP 80,443)  / I do not whant to allow for the "2" rule to use QUIC. 

"5","2" rules - Enabled Internet services

"1" rule - Allow evreyone internet access and ping (HTTP, HTTPS, PING)


If I do not want to block any applications then what is the point of using application control ("monitor" or "allow") in the "1" rule.  What is the difference between "monitor" and "allow"? In both cases, the applications witch runs on HTTP and HTTPS will work. When I use the "monitor" settings then I will have a log entry in Securtity Events/Apllication control logs and when I use "allow" settings then not? That's all? What's the difference between setting application control on a firewall policy with alow and not setting up application control at all?


With the above rules the VIBER windows desktop application sometimes works sometimes not. I tried to add an appication control to the "1" rule with alowing viber, but it still dos not work well (could not send pictures). 

The Viber tells you that for "Rakuten Viber desktop to run on your computer, the following ports must be open for all addresses for both TCP and UDP to enable the following ports : 80,443,4244,5243,5243,7985."   


In application control I see this:


So in rule "1" I should allow all TCP ports from 1024 upwards?  So I almost allow everything? Or, only add the ports recommended by viber.

Thanks everyone.





Is Viber desktop and Viber mobile the same? Do they use the same ports? Do they have the same application signatures?

Sorry to respond with other question, that's because I think these are questions to ask if you want to respond to your questions.

Application signatures are useful to identify applications because today so many applications share the same ports, for example as you know 443 was used only by browsers but today is used by thousands applications, so allowing 443 does not make sense anymore.


Hi @AEK,

there is only one Viber application signatur on fortigate and I'm only interested in the desktop app. About the ports: I only found the two pieces of information I wroted (according to Viber and according to Fortigate application control). 

Yes, it can be very useful to know what applications are running on ports. You can "block" the categories you don't want and override olny the ones you do or you "allow", "monitor" the categories and "block" in override what you do not want. If you just want to know what's going through, you can turn on "monitor". Using "allow" and "monitor" in override only makes sense if you have blocked a category before. Somehow I thought that with "allow" fortigate would open the extra ports in the session that the application needs (like a helper).

If I don't "block" application categories, then the application control has no bearing on whether Viber works or not. 

I found out that if I turn on the deep inspection on the "1" rule the viber doesn't work well, if I turn it off it does. Which finger to bite.



Hi @fortinetforumfiokom 

In my experience application control doesn't always work at 100%. You sometimes have to tune it a bit so it works fine. So if it works for you with certificate inspection and doesn't work with deep inspection than just leave is with certificate inspection as long as you don't need deep inspection for viber.



Unfortunately I cannot create a separate rule olny for VIBER. To my knowledge, you cannot create a rule for applications in "profile-based" vdom. (In "policy-based" mode maybe you can, but I would not like to use it for several reasons).  

If I allow http and https traffic from lan to wan for everyone in a rule, it will include everything from "viber" to all applications that use these ports. 


Hi @fortinetforumfiokom,


Based on the screenshot, I don't see application control being enabled in the policies. Additionally, policy 1 doesn't allow ports 4244,5243,5243,7985.




Hi @hbac, yes you right. 

My main system has a own rule that allows these ports without depp inspection, but Viber still doesn't always work. If I disable deep inspection in HTTP and HTTPS, it works, otherwise it sometimes works and sometimes not. 

For some reason I thought I could solve this Viber problem with application control, but I can see now that this is not the solution. If I can't create a separate rule for VIBER, like choosing Internet service for Office 365 traffic, I can't do it this way.


I would still like to know the answers to the questions in my original post first part. 



Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors