kogia
New Contributor

Security Profiles Precedence

Hello FortiCommunity, I would like to know if application control has precedence over Web filter. Consider the following scenario: Policy with web filter which blocks www.facebook.com & also application control sensor which blocks Facebook. Will there be a disclaimer from Web filter or the application control will simply block the packets?
Devendra_Palan
New Contributor

Hi Kogia, Your web filter will simply block facebook.com
kelv1n
New Contributor

I believe this is wrong. The Application Control will execute first, so packets will likely just be blocked. I've got a similar issue myself!

emnoc
Esteemed Contributor III

In this case I believe app-control will hit first, but diag debug flow is your friend.

PCNSE NSE StrongSwan
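A way to settle the question on a given box, rather than from memory, is the debug flow emnoc mentions. The CLI session below is an added example and is not from any post in this thread or from Fortinet documentation; it assumes a test client at 192.0.2.10 (an assumed address) behind the FortiGate, and assumes a FortiOS version where the flow debug accepts these filter and trace options (older releases use `show console enable` instead of `show function-name enable`, so check your release's CLI reference).

```fortios
# --- Added example: trace one client's session through the policy and UTM path ---
# Assumed test client (not a real host on any network): 192.0.2.10
# Clear any leftover debug state from a previous session first.
diagnose debug reset
diagnose debug flow filter clear

# Only trace the test client's traffic, and only HTTPS, to keep the output readable.
diagnose debug flow filter addr 192.0.2.10
diagnose debug flow filter port 443

# Print the kernel function names and timestamps so the order of decisions is visible.
diagnose debug flow show function-name enable
diagnose debug console timestamp enable

# Capture up to 100 trace lines, then switch output on.
diagnose debug flow trace start 100
diagnose debug enable

# ... now browse to https://www.facebook.com from 192.0.2.10 ...
# The trace shows the route lookup, the policy match and the inspection verdict
# for that session; the UTM log (webfilter versus app-ctrl) then tells you which
# profile recorded the block.

# Always stop the trace and reset debug state when done; a forgotten debug flow
# on a busy unit costs CPU and floods the console.
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
```

Run it once with only the web filter profile applied to the policy and once with only the application control sensor, then a third time with both; comparing the three traces and the corresponding UTM log entries shows which engine produced the verdict in your inspection mode (flow versus proxy), which is exactly the point this thread disagrees on.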
vjoshi_FTNT
Staff

First would be Web filtering. The logic is: say we have a URL exempted on the Webfilter; you will see that it exempts all the scanning.

Also, for a URL which is blocked in the first place, scanning for all the application control signatures makes no sense.

Only if the URL is allowed is scanning it with all the signatures worthwhile.

emnoc
Esteemed Contributor III

Are we 100% sure on that?

What if the URL wasn't categorized to begin with (or was in the wrong category)? (Assuming no manual or static entries are included in the web filter.)

We know that in the flow or life of the packet, it has to look at the layer 3 route, policy, and security profile to determine what we inspect, but if you had app-control and URL filtering and used a mask URL, I think app-control would be the final trump.

http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%25205.0%2520Help/life_of_packet....

PCNSE NSE StrongSwan
vjoshi_FTNT
Staff

My understanding was wrong.

The correct flow of the UTM sequence is:

IPS > App Control > Email Filtering > Web Filtering > AV

mramon79
New Contributor

Hi,

The FortiGate documents about traffic flow indicate that Webfilter acts before Applifilter, but this is only true in firewall mode; if you use the FortiGate in explicit proxy mode, the Applifilter goes first.

I opened a ticket with support and, after showing them I was completely right, I suggested modifying the official documentation, but I think they are not going to do that.

Regards

FortiAdam

@mramon79 shared some important info to keep in mind for this topic. Here is the latest "life of a packet" document from Fortinet, but I'm guessing they didn't include his suggested edits. http://docs.fortinet.com/...igate-life-of-a-packet

kcerb
New Contributor III

FGT60B, FGT100A, FGT100D