Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
rb400
New Contributor

Webfilter (licensed) vs Application Control

Re: Webfilter (licensed) vs Application Control

 

Which process looks at the packet first, app control or webfilter.

If webfilter, and webfilter exempts a url, will the packet bypass the app control process?

 

Is there any known specific doc on this topic?

 

Thanks.

 

[align=left]*auto-sig*   rb400 << FGT (v6.2.x) [/align]
[align=left]*auto-sig* rb400 << FGT (v6.2.x) [/align]
2 Solutions
Dave_Hall
Honored Contributor

See Life of a Packet.  Link is from the FortiOS 5.2 Handbook.

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

View solution in original post

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Christopher_McMullan

Historically, at least, IPS and App Control were applied before Web Filter profiles, since they are both flow-based.

So a good example would have a been a case where an administrator applied an App Control sensor to block Facebook, but also blocked the Social Networking category in a web filter. The app would be blocked, but the user would not see a replacement message (which would have been generated in the case of a proxy-based WF profile).

 

Exempting a site in a WF profile in this case would not affect IPS or App Control, since they would have already been checked.

Regards, Chris McMullan Fortinet Ottawa

View solution in original post

2 REPLIES 2
Dave_Hall
Honored Contributor

See Life of a Packet.  Link is from the FortiOS 5.2 Handbook.

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Christopher_McMullan

Historically, at least, IPS and App Control were applied before Web Filter profiles, since they are both flow-based.

So a good example would have a been a case where an administrator applied an App Control sensor to block Facebook, but also blocked the Social Networking category in a web filter. The app would be blocked, but the user would not see a replacement message (which would have been generated in the case of a proxy-based WF profile).

 

Exempting a site in a WF profile in this case would not affect IPS or App Control, since they would have already been checked.

Regards, Chris McMullan Fortinet Ottawa

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors