Understanding the application control

fortinetforumfiokom · ‎05-04-2024

Hello.

I'm a bit confused about using application control in a firewall policy in profile-based vdom.

(Fortigate 81F, 7.4.3)

I use the following network design as an example:

One LAN and one WAN interface, the DNS and the ROUTING is set up and working. In the LAN interface I use DHCP server. In LAN side the DNS name resolution is works.

I have set the following firewall rules:

"4" rule - Deny QUIC (UDP 80,443) / I do not whant to allow for the "2" rule to use QUIC.

"5","2" rules - Enabled Internet services

"1" rule - Allow evreyone internet access and ping (HTTP, HTTPS, PING)

If I do not want to block any applications then what is the point of using application control ("monitor" or "allow") in the "1" rule. What is the difference between "monitor" and "allow"? In both cases, the applications witch runs on HTTP and HTTPS will work. When I use the "monitor" settings then I will have a log entry in Securtity Events/Apllication control logs and when I use "allow" settings then not? That's all? What's the difference between setting application control on a firewall policy with alow and not setting up application control at all?

With the above rules the VIBER windows desktop application sometimes works sometimes not. I tried to add an appication control to the "1" rule with alowing viber, but it still dos not work well (could not send pictures).

The Viber tells you that for "Rakuten Viber desktop to run on your computer, the following ports must be open for all addresses for both TCP and UDP to enable the following ports : 80,443,4244,5243,5243,7985."

In application control I see this:

So in rule "1" I should allow all TCP ports from 1024 upwards? So I almost allow everything? Or, only add the ports recommended by viber.

Thanks everyone.

AEK · ‎05-04-2024

Hi

Is Viber desktop and Viber mobile the same? Do they use the same ports? Do they have the same application signatures?

Sorry to respond with other question, that's because I think these are questions to ask if you want to respond to your questions.

Application signatures are useful to identify applications because today so many applications share the same ports, for example as you know 443 was used only by browsers but today is used by thousands applications, so allowing 443 does not make sense anymore.

AEK

fortinetforumfiokom · ‎05-05-2024

Hi @AEK,

there is only one Viber application signatur on fortigate and I'm only interested in the desktop app. About the ports: I only found the two pieces of information I wroted (according to Viber and according to Fortigate application control).

Yes, it can be very useful to know what applications are running on ports. You can "block" the categories you don't want and override olny the ones you do or you "allow", "monitor" the categories and "block" in override what you do not want. If you just want to know what's going through, you can turn on "monitor". Using "allow" and "monitor" in override only makes sense if you have blocked a category before. Somehow I thought that with "allow" fortigate would open the extra ports in the session that the application needs (like a helper).

If I don't "block" application categories, then the application control has no bearing on whether Viber works or not.

I found out that if I turn on the deep inspection on the "1" rule the viber doesn't work well, if I turn it off it does. Which finger to bite.

AEK · ‎05-05-2024

Hi @fortinetforumfiokom

In my experience application control doesn't always work at 100%. You sometimes have to tune it a bit so it works fine. So if it works for you with certificate inspection and doesn't work with deep inspection than just leave is with certificate inspection as long as you don't need deep inspection for viber.

AEK

fortinetforumfiokom · ‎05-06-2024

Hi @AEK

Unfortunately I cannot create a separate rule olny for VIBER. To my knowledge, you cannot create a rule for applications in "profile-based" vdom. (In "policy-based" mode maybe you can, but I would not like to use it for several reasons).

If I allow http and https traffic from lan to wan for everyone in a rule, it will include everything from "viber" to all applications that use these ports.

hbac · ‎05-06-2024

Hi @fortinetforumfiokom,

Based on the screenshot, I don't see application control being enabled in the policies. Additionally, policy 1 doesn't allow ports 4244,5243,5243,7985.

Regards,

fortinetforumfiokom · ‎05-06-2024

Hi @hbac, yes you right.

My main system has a own rule that allows these ports without depp inspection, but Viber still doesn't always work. If I disable deep inspection in HTTP and HTTPS, it works, otherwise it sometimes works and sometimes not.

For some reason I thought I could solve this Viber problem with application control, but I can see now that this is not the solution. If I can't create a separate rule for VIBER, like choosing Internet service for Office 365 traffic, I can't do it this way.

I would still like to know the answers to the questions in my original post first part.