FortiGate
msolanki (Staff)
Article Id 250239
Description

This article explains how traffic flows through the FortiGate when a firewall policy is configured in proxy mode with an application control profile.

Scope

Any supported version of FortiGate.
Solution

When a FortiGate firewall policy is configured in proxy mode with an application control profile to detect, allow or deny specific application traffic, proxy deep inspection with the application filter works by first sending the traffic to the IPS engine. The IPS engine performs application matching and, if the traffic passes, forwards it to the WAD process, which performs the SSL decryption (deep inspection). The decrypted, plain-text application data is then sent back to the IPS engine for a second application matching step, this time against the ActiveSync signature.

Traffic --> IPS --> WAD --> IPS (application match: ActiveSync)

If the application traffic is HTTPS.BROWSER-based and HTTPS.BROWSER is not allowed in the application control profile, the IPS engine inspects the still-encrypted traffic and drops it before it can be forwarded to the WAD for decryption. As a result, the traffic can never be matched against the plain-text application signature (ActiveSync).

Traffic --> IPS --> X (SSL BLOCKED)

From FortiOS 7.0.6 onwards, the HTTPS/SSL traffic is allowed to pass to the WAD for SSL deep inspection first, so the IPS engine can match the decrypted plain-text data against the application signature (ActiveSync).

Below is an example policy for ActiveSync traffic to an Exchange server over HTTPS:

config firewall policy
    edit XX
        set name "Test_app"
        set uuid 40d368c0-941b-51e9-42cb-e78482ce71e7
        set srcintf "wan1"
        set dstintf "DMZ"
        set action accept
        set srcaddr "all"
        set dstaddr "x.x.x.x - y.y.y.y"
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "deep-inspection-public"
        set ips-sensor "protect_http_server"
        set application-list "activesync_only"
    next
end

The application control profile is as follows:

config application list
    edit "SOM-APP- activesync_only"
        set comment "Erlaubt nur MS Active Sync - App-Filter fuer Exchange server"
        set other-application-log enable
        set unknown-application-action block
        set unknown-application-log enable
        config entries
            edit 1
                set application 26886
                set action pass
            next
            edit 2
                set application 40568   <-- Allow HTTPS.BROWSER
                set action pass
            next
            edit 3
                set category 2 3 5 6 7 8 12 17 21 22 23 25 26 28 29 30 31 32   <-- category 15 (network services) is removed
            next
        end
    next
end
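As an added illustration (not FortiGate code and not part of this article), the following Python script parses the application-list entries shown above and walks an ActiveSync-over-HTTPS flow through the IPS -> WAD -> IPS stages, showing why HTTPS.BROWSER (40568) has to be passed on releases before FortiOS 7.0.6. It assumes that application ID 26886 is the ActiveSync signature and that the first, pre-decryption IPS pass can only match HTTPS.BROWSER; the profile text is a constructed excerpt.

```python
import re

ACTIVESYNC, HTTPS_BROWSER = 26886, 40568  # IDs as used in the profile above (26886 = ActiveSync assumed)

# Constructed excerpt of the article's application list (not a live export).
PROFILE = """\
config application list
    edit "activesync_only"
        set unknown-application-action block
        config entries
            edit 1
                set application 26886
                set action pass
            next
            edit 2
                set application 40568
                set action pass
            next
        end
    next
end
"""

def parse_profile(text):
    """Return ({application_id: action}, unknown-application-action) from a CLI block."""
    apps, unknown, current = {}, "pass", None  # FortiOS default for unknown apps is pass
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"set unknown-application-action (\w+)", line):
            unknown = m.group(1)
        elif m := re.fullmatch(r"set application (\d+)", line):
            current = int(m.group(1))
        elif (m := re.fullmatch(r"set action (\w+)", line)) and current is not None:
            apps[current] = m.group(1)
            current = None
    return apps, unknown

def proxy_flow(apps, unknown, fortios_706_or_later):
    """Walk an ActiveSync-over-HTTPS flow through IPS -> WAD -> IPS.
    Returns (stages_reached, final_verdict); the stage order follows the article,
    treating the first IPS pass as an HTTPS.BROWSER match is a simplifying assumption."""
    stages = ["IPS"]
    # Before decryption the IPS engine only sees TLS, i.e. HTTPS.BROWSER.
    if apps.get(HTTPS_BROWSER, unknown) != "pass" and not fortios_706_or_later:
        return stages + ["X (SSL BLOCKED)"], "block"
    stages += ["WAD", "IPS"]  # WAD decrypts, IPS re-matches the plain text
    verdict = apps.get(ACTIVESYNC, unknown)
    return stages + [f"ActiveSync {verdict}"], verdict
```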
