Web Filtering

DO NOT REPRINT
© FORTINET

Category-based filtering requires a live connection to FortiGuard.

You can verify the connection to FortiGuard servers by running the diagnose debug rating CLI
command. This command displays a list of FortiGuard servers you can connect to, as well as the following
information:
• Weight: Based on the difference in time zone between FortiGate and this server (modified by traffic)
• RTT: Return trip time
• Flags: D (IP returned from DNS), I (Contract server contacted), T (being timed), F (failed)
• TZ: Server time zone
• FortiGuard-requests: The number of requests sent by FortiGate to FortiGuard
• Curr Lost: Current number of consecutive lost FortiGuard requests (in a row, resets to 0 when one
packet succeeds)
• Total Lost: Total number of lost FortiGuard requests

The list is of variable length depending on the FortiGuard Distribution Network.

FortiGate Security 7.0 Study Guide 421

 Web Filtering

DO NOT REPRINT
© FORTINET

FortiGate can maintain a list of recent website rating responses in memory. So, if the URL is already known,
FortiGate doesn’t send back a rating request.

By default, FortiGate is configured to enforce the use of HTTPS port 443 to perform live filtering with
FortiGuard or FortiManager. Other ports and protocols are available by disabling the FortiGuard anycast
setting on the CLI. These ports and protocols to query the servers (FortiGuard or FortiManager) HTTPS port
53 and port 8888, UDP port 443, port 53, and port 8888. If you are using UDP port 53, any kind of inspection
reveals that this traffic is not DNS and prevents the service from working. In this case, you can switch to the
alternate UDP port 443 or port 8888, or change the protocol to HTTPS, but these ports are not guaranteed to
be open in all networks, so you must check beforehand.

Caching responses reduces the amount of time it takes to establish a rating for a website. Also, memory
lookup is much quicker than packets travelling on the internet.

The timeout defaults to 15 seconds, but you can set it as high as 30 seconds, if necessary.

FortiGate Security 7.0 Study Guide 422

 Web Filtering

DO NOT REPRINT
© FORTINET

Now, take a look at the web filter log and report feature.

This slide shows an example of a log message. Access details include information about the FortiGuard quota
and category (if those are enabled), which web filter profile was used to inspect the traffic, the URL, and more
details about the event.

You can also view the raw log data by clicking the download icon at the top of the GUI. The file downloaded is
a plain text file in a syslog format.

FortiGate Security 7.0 Study Guide 423

 Web Filtering

DO NOT REPRINT
© FORTINET

FortiGate Security 7.0 Study Guide 424

 Web Filtering

DO NOT REPRINT
© FORTINET

Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in the lesson.

FortiGate Security 7.0 Study Guide 425

 Web Filtering

DO NOT REPRINT
© FORTINET

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to configure web filtering on FortiGate to
control web traffic in your network.

FortiGate Security 7.0 Study Guide 426

 Application Control

DO NOT REPRINT
© FORTINET

In this lesson, you will learn how to monitor and control network applications that may use standard or non-
standard protocols and ports—beyond simply blocking or allowing a protocol, port number, or IP address.

FortiGate Security 7.0 Study Guide 427

 Application Control

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about the topics shown on this slide.

FortiGate Security 7.0 Study Guide 428

 Application Control

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in application control basics, you will be able to understand how application
control works on FortiGate.

FortiGate Security 7.0 Study Guide 429

 Application Control

DO NOT REPRINT
© FORTINET

Application control detects applications—often applications that consume a lot of bandwidth—and allows you
to take appropriate action related to application traffic, such as monitoring, blocking, or applying traffic
shaping.

Application control identifies applications, such as Google Talk, by matching known patterns to the
application’s transmission patterns. Therefore, an application can be accurately identified, only if its
transmission pattern is unique. However, not every application behaves in a unique way. Many applications
reuse pre-existing, standard protocols and communication methods. For example, many video games, such
as World of Warcraft, use the BitTorrent protocol to distribute game patches.

Application control can be configured in proxy-based and flow-based firewall policies. However, because
application control uses the IPS engine, which uses flow-based inspection, inspection is always flow-based.
By comparison, when applying web filtering and antivirus through an HTTP proxy, the proxy first parses HTTP
and removes the protocol, and then scans only the payload inside.

Why does FortiGate use a flow-based scan for application control?

Unlike other forms of security profiles, such as web filtering or antivirus, application control is not applied by a
proxy. It uses an IPS engine to analyze network traffic and detect application traffic, even if the application is
using standard or non-standard protocols and ports. It doesn’t operate using built-in protocol states. It
matches patterns in the entire byte stream of the packet, and then looks for patterns.

FortiGate Security 7.0 Study Guide 430

 Application Control

DO NOT REPRINT
© FORTINET

When HTTP and other protocols were designed, they were designed to be easy to trace. Because of that,
administrators could easily give access to single servers behind NAT devices, such as routers and, later,
firewalls.

But when P2P applications were designed, they had to be able to work without assistance—or cooperation—
from network administrators. In order to achieve this, the designers made P2P applications able to bypass
firewalls and incredibly hard to detect. Port randomization, pinholes, and changing encryption patterns are
some of the techniques that P2P protocols use.

These techniques make P2P applications difficult to block using a firewall policy, and also make them difficult
to detect by proxy-based inspection.

Flow-based inspection using the IPS engine can analyze packets for pattern matching, and then look for
patterns to detect P2P applications.

FortiGate Security 7.0 Study Guide 431

 Application Control

DO NOT REPRINT
© FORTINET

This slide shows a traditional, client-server architecture. There may be many clients of popular sites, but often,
such as with an office file server, it’s just one client and one server.

Traditional downloads use a defined protocol over a standard port number. Whether it’s from a web or FTP
site, the download is from a single IP address, to a single IP address. So, blocking this kind of traffic is easy:
you only need one firewall policy.

But, it’s more difficult to block traffic from peer-to-peer downloads. Why?

FortiGate Security 7.0 Study Guide 432

 Application Control

DO NOT REPRINT
© FORTINET

Peer-to-peer (P2P) downloads divide each file among multiple (theoretically unlimited) peers. Each peer
delivers part of the file. While having many clients is a disadvantage in client-server architectures, it is an
advantage for P2P architecture because, as the number of peers increases to n, the file is delivered n times
faster.

Because popularity increases the speed of delivery—unlike traditional client-server architecture where
popularity could effectively cause a denial of service (DoS) attack on the server—some software, such as
BitTorrent distributions of Linux, and games distributing new patches, leverage this advantage. Even if each
client has little bandwidth, together they can offer more bandwidth for the download than many powerful
servers.

Consequently, in order to download the file, the requesting peer can consume much more bandwidth per
second than it would from only a single server. Even if there is only one peer in your network, it can consume
unusually large amounts of bandwidth. Because the protocols are usually evasive, and there will be many
sessions to many peers, they are difficult to completely block.

FortiGate Security 7.0 Study Guide 433

 Application Control

DO NOT REPRINT
© FORTINET

Before you try to control applications, it’s important to understand the signatures used by application control.

How does application control detect the newest applications and changes to application protocols?

Application control requires a subscription to FortiGuard application control. The database for application
control signatures is separate from the intrusion prevention system (IPS) database. You can configure
FortiGate to automatically update its application control signature database on the FortiGuard page. The
application control signature database information is also displayed on the FortiGuard page.

FortiGate Security 7.0 Study Guide 434

 Application Control

DO NOT REPRINT
© FORTINET

You can view the latest version of the application control database on the FortiGuard website, or by clicking
an individual application signature in the application control profile.

The application control database provides details about application control signatures based on category,
popularity, and risk, to name a few.

When building an application control signature, the FortiGuard security research team evaluates the
application and assigns a risk level. The assigned risk level is based on the type of security risk. The rating is
Fortinet-specific, and not related to the common vulnerability scoring system (CVSS) or other external
systems. If you aren’t aware of the specific application, this information can help you to decide if it would be
wise to block an application or not.

On the FortiGuard website, you can read details about each signature’s related application.

On this slide, you can see an example article for Tor is a web proxy, so it belongs in the proxy category. It is a
good practice to create test policies that you can use to observe policy behavior.

If there are new applications that you need to control, and the latest update doesn't include definitions for
them, you can go to the FortiGuard website and submit a request to have the new applications added. You
can also submit a request to re-evaluate an application category, if you believe an application should belong
to a different category.

FortiGate Security 7.0 Study Guide 435

 Application Control

DO NOT REPRINT
© FORTINET

Many web applications offer functionality that can be embedded in third-party websites or applications. For
example, you can embed a Facebook Like button at the end of an article or reference a YouTube video on an
educational website. FortiOS gives administrators all the tools they need to inspect sub-application traffic. The
FortiGuard application control signature database is organized in a hierarchical structure. This gives you the
ability to inspect the traffic with more granularity. You can block Facebook apps while allowing users to
collaborate using Facebook chat.

FortiGate Security 7.0 Study Guide 436

 Application Control

DO NOT REPRINT
© FORTINET

FortiGate Security 7.0 Study Guide 437

 Application Control

DO NOT REPRINT
© FORTINET

Good job! You now understand basic application control functionality.

Now, you will learn about application control configuration.

FortiGate Security 7.0 Study Guide 438

 Application Control

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in configuring the application control operation modes that are available on
FortiOS, you will be able to use application control effectively in both profile mode and NGFW policy mode.

FortiGate Security 7.0 Study Guide 439

 Application Control

DO NOT REPRINT
© FORTINET

When FortiGate or a VDOM is operating in flow-based (NGFW mode set to profile-based, policy set to flow-
based) inspection mode or policy set to proxy-based inspection mode, to configure application control,
administrators must create an application control profile and apply that profile to a firewall policy.

It is important to note that the application control profile uses flow-based scanning techniques, regardless of
which inspection mode is used on the policy.

The application control profile consists of three different types of filters:

• Categories: Groups applications based on similarity. For example, all applications that are capable of
providing remote access are grouped in the Remote Access category. You can view the signatures of all
applications in a category or apply an action to a category as a whole.
• Application overrides: Provides the flexibility to control specific signatures and applications.
• Filter overrides: Useful when a predefined category does not meet your requirements and you want to
block all applications based on criteria that is not available in categories. You can configure the
categorization of applications based on behavior, popularity, protocol, risk, vendor, or the technology used
by the applications, and take action based on that.

FortiGate Security 7.0 Study Guide 440

 Application Control

DO NOT REPRINT
© FORTINET

The application control profile is configured on the Application Control page. You can configure actions
based on categories, application overrides, and filter overrides. You can also view the list of application
control signatures by clicking View Application Signatures.

At the top of the Application Control profile page, you will see a summary of how many cloud applications
require deep inspection. Cloud applications that use SSL encryption cannot be scanned without a deep
inspection profile. FortiGate must decrypt the traffic in order to perform inspection and control application
traffic.

The Unknown Applications setting matches traffic that can’t be matched to any application control signature
and identifies the traffic as unknown application in the logs. Factors that contribute to traffic being
identified as unknown application include:

• How many rare applications your users are using

• Which IPS database version you are using

Identifying traffic as unknown can cause frequent log entries. Frequent log entries decrease performance.

FortiGate Security 7.0 Study Guide 441

 Application Control

DO NOT REPRINT
© FORTINET

The number listed to the right of the cloud symbol indicates the number of cloud applications within a specified
category.

If you need to enable Allow and Log DNS Traffic, you should enable it only for short periods, such as during
an investigation. Depending on the application and how often it queries DNS servers, enabling this setting can
use significant system resources.

QUIC is a protocol from Google. Instead of using the standard TCP connections for web access, QUIC uses
UDP, which is not scanned by web filtering. Allowing QUIC instructs FortiGate to inspect Google Chrome
packets for a QUIC header, and generate logs as a QUIC message. Blocking QUIC forces Google Chrome to
use HTTP2/TLS1.2 and FortiGate to log QUIC as blocked. The default action for QUIC is Block.

The Replacement Messages for HTTP-based Applications setting allows you to replace blocked content
with an explanation (for the user’s benefit). However, for non-HTTP/HTTPS applications, you can only drop
the packets or reset the TCP connection.

After you’ve configured the application control profile, select the profile in the firewall policy. Like any other
security profile, the settings you configure in the application control profile are not applied globally. FortiGate
applies the application control profile settings only to traffic governed by the firewall policy in which you’ve
selected the application control profile. This allows granular control.

FortiGate Security 7.0 Study Guide 442

 Application Control

DO NOT REPRINT
© FORTINET

Protocol enforcement is added to the application control profile, allowing the administrator to configure
network services (for example, FTP, HTTP, and HTTPS) on known ports (for example, 21, 80, and 443), while
blocking those services on other ports.

The feature takes action in the following scenarios:

• When one protocol dissector confirms the service of network traffic, protocol enforcement can check
whether the confirmed service is whitelisted under the server port. If it is not, then the traffic is considered a
violation and IPS can take the action (for example, block) specified in the configuration.
• There is no confirmed service for network traffic. It would be considered a service violation if IPS dissectors
rule out all the services enforced under its server port.

FortiGate Security 7.0 Study Guide 443

 Application Control

DO NOT REPRINT
© FORTINET

The IPS engine examines the traffic stream for a signature match.

Then, FortiGate scans packets for matches, in this order, for the application control profile:
1. Application and filter overrides: If you have configured any application overrides or filter overrides, the
application control profile considers those first. It looks for a matching override starting at the top of the
list, like firewall policies.
2. Categories: Finally, the application control profile applies the action that you’ve configured for applications
in your selected categories.

FortiGate Security 7.0 Study Guide 444

 Application Control

DO NOT REPRINT
© FORTINET

In the example profile shown on this slide, the application control profile blocks the Game and Video/Audio
categories. For applications in these categories, FortiGate responds with the application control HTTP block
message. (It is slightly different from the web filtering HTTP block message.) All other categories are set to
Monitor, except Unknown Applications, and are allowed to pass traffic.

In the Application and Filter Overrides section, you can see that some exceptions are specified. Instead of
being set to Block, Battle.Net (Game) and Dailymotion (Video/Audio) are set to Monitor. Because
application overrides are applied first in the scan, these two applications are allowed, and generate logs.

Next, the scan checks for Application and Filter Overrides. Because a filter override is configured to block
applications that use excessive bandwidth, it blocks all applications using excessive bandwidth, regardless of
categories that allow these applications.

This slide shows an example of how several security profile features could work together, overlap, or work as
substitutes, on the same traffic.

After the application control profile scan is done, FortiGate begins other scans, such as web filtering. The web
filtering scan could block Battle.Net and Dailymotion, but it would use its own block message. Also, web
filtering doesn’t check the list of application control overrides. So, even if an application control override allows
an application, web filtering could still block it.

Similarly, static URL filtering has its own exempt action, which bypasses all subsequent security checks.
However, application control occurs before web filtering, so that the web filtering exemption cannot bypass
application control.

FortiGate Security 7.0 Study Guide 445

 Application Control

DO NOT REPRINT
© FORTINET

In the example profile shown on this slide, the filter override has been moved above the application override.
In this scenario, the filter override (Excessive-Bandwidth) is blocked and, since Dailymotion falls under the
excessive bandwidth category, Dailymotion is blocked even though it is set to Monitor under the Application
and Filter Overrides section.

The priority in which application and filter overrides are placed takes precedence.

FortiGate Security 7.0 Study Guide 446

 Application Control

DO NOT REPRINT
© FORTINET

For each filter in the application control profile, you must indicate an action—what FortiGate does when traffic
matches. Actions include the following:
• Allow: Passes the traffic and does not generate a log
• Monitor: Passes the traffic, but also generates a log message
• Block: Drops the detected traffic and generates a log message
• Quarantine: Blocks the traffic from an attacker IP until the expiration time is reached and generates a log
message

The View Signature action allows you to view signatures from a particular category only and is not a
configurable action. The View Cloud Signatures action allows you to view application signatures for cloud
applications from a particular category.

Which is the correct action to choose?

If you’re not sure which action to choose, Monitor can be useful initially, while you study your network. Later,
after you have studied your network traffic, you can fine-tune your filter selection by choosing the most
appropriate action. The action you choose also depends on the application. If an application requires feedback
to prevent instability or other unwanted behavior, then you might choose Quarantine instead of Block.
Otherwise, the most efficient use of FortiGate resources is to block.

FortiGate Security 7.0 Study Guide 447

 Application Control

DO NOT REPRINT
© FORTINET

After you configure an application control profile, you must apply it to a firewall policy. This instructs FortiGate
to start scanning application traffic that is subject to the firewall policy.

FortiGate Security 7.0 Study Guide 448

 Application Control

DO NOT REPRINT
© FORTINET

For HTTP-based applications, application control can provide feedback to the user about why their application
was blocked. This is called a block page, and it is similar to the one you can configure for URLs that you block
using FortiGuard web filtering.

It is also worth mentioning that, if deep inspection is enabled in the firewall policy, all HTTPS-based
applications provide this block page.

The block page contains the following information:

• Signature that detected the application (in this case, Dailymotion)
• Signature’s category (Video/Audio)
• URL that was specifically blocked (in this case, the index page of www.dailymotion.com), since a web
page can be assembled from multiple URLs
• User name (if authentication is enabled)
• Group name (if authentication is enabled)
• UUID of the policy governing the traffic

The last item in this list can help you to identify which policy on FortiGate blocked the page, even if you have a
large number of policies with many FortiGate devices securing different segments.

FortiGate Security 7.0 Study Guide 449

 Application Control

DO NOT REPRINT
© FORTINET

When FortiGate is operating in NGFW policy-based mode, administrators can apply application control to a
security policy directly, instead of having to create an application control profile first, and then apply that to a
firewall policy. Eliminating the need to use an application control profile makes it easier for the administrator to
select the applications or application categories they want to allow or deny in the firewall policy.

It is important to note that all security policies in an NGFW policy-based mode VDOM or FortiGate must
specify an SSL/SSH inspection profile on a consolidated policy. NGFW policy-based mode also requires the
use of central source NAT (SNAT), instead of NAT settings applied within the firewall policy.

FortiGate Security 7.0 Study Guide 450

 Application Control

DO NOT REPRINT
© FORTINET

You can select one or more applications, application groups, and application categories on a security policy in
the Application section. After you click the + icon for an application, a pop-up window opens. In that window,
you can search for and select one or more application signatures, application groups, or application
categories. Based on the applications, groups, and application categories applied to the policy, FortiOS
applies the security action to the application traffic.

You can configure the URL Category within the same security policy; however, adding a URL filter causes
application control to scan applications in only the browser-based technology category, for example,
Facebook Messenger on the Facebook website.

You can also configure the Group with multiple applications and application categories. This allows the
administrator to mix multiple applications and categories.

In addition to applying a URL category filter, you can also apply AntiVirus and IPS security profiles to
application traffic that is allowed to pass through.

FortiGate Security 7.0 Study Guide 451

 Application Control

DO NOT REPRINT
© FORTINET

FortiOS uses a three-step process to perform NGFW policy-based application filtering. Here is a brief
overview of what happens at each step.

In step 1, FortiOS allows all traffic while forwarding packets to the IPS engine for inspection and identification
of the traffic. At the same time, FortiOS creates an entry in the session table allowing the traffic to pass and it
adds a may_dirty flag to it.

In step 2, as soon as the IPS engine identifies the application, it updates the session entry with the following
information: dirty flag, app_valid flag, and an application ID.

In step 3, the FortiOS kernel performs a security policy lookup again, to see if the identified application ID is
listed in any of the existing security policies. This time the kernel uses both Layer 4 and Layer 7 information
for policy matching. After the criteria matches a firewall policy rule, the FortiOS kernel applies the action
configured on the security policy to the application traffic.

FortiGate Security 7.0 Study Guide 452

 Application Control

DO NOT REPRINT
© FORTINET

Configuring application control in NGFW policy-based mode is simple. You can create a new security policy or
edit an existing security policy. In the Application section, select the applications, categories, or groups that
you want to allow or deny, and change the security policy Action accordingly. On applications that you
selected to allow, you can further enhance network security by enabling antivirus scanning and IPS control.
You can also enable the logging of Security Events or All Sessions to ensure that all application control
events are logged.

FortiGate Security 7.0 Study Guide 453

 Application Control

DO NOT REPRINT
© FORTINET

You must have a matching central SNAT policy in NGFW policy-based mode to be able to pass traffic. NAT is
applied on the traffic based on criteria defined in the central SNAT policy.

It is extremely important to arrange security policies so that the more specific policies are located at the top to
ensure proper use of application control.

A default SSL Inspection & Authentication policy is defined to inspect traffic accepted by any of the security
firewalls, and by using the certificate-inspection SSL inspection profile.

FortiGate Security 7.0 Study Guide 454

 Application Control

DO NOT REPRINT
© FORTINET

NGFW policy matching works using a top-to-bottom approach. You must have a specific policy above a more
broad or open policy. For example, if you would like to block Facebook but allow the Social.Media category,
you must place the policy blocking Facebook traffic above the policy allowing the Social.Media category.

FortiGate Security 7.0 Study Guide 455

 Application Control

DO NOT REPRINT
© FORTINET

If an application is necessary, but you must prevent it from impacting bandwidth then, instead of blocking it
entirely, you can apply a rate limit to the application. For example, you can rate limit applications used for
storage or backup leaving enough bandwidth for more sensitive streaming applications, such as video
conferencing.

Applying traffic shaping to applications is very useful when you’re trying to limit traffic that uses the same TCP
or UDP port numbers as mission-critical applications. Some high-traffic web sites, such as YouTube, can be
throttled in this way.

Examine the details of how throttling works. Not all URL requests to www.youtube.com are for video. Your
browser makes several HTTPS requests for:
• The web page itself
• Images
• Scripts and style sheets
• Video

All of these items have separate URLs. If you analyze a site like YouTube, the web pages themselves don’t
use much bandwidth; it is the video content that uses the most bandwidth. But, since all content is transported
using the same protocol (HTTPS), and the URLs contain dynamically generated alphanumeric strings,
traditional firewall policies can't block or throttle the traffic by port number or protocol because they are the
same. Using application control, you can rate limit only videos. Doing this prevents users from saturating your
network bandwidth, while still allowing them to access the other content on the site, such as for comments or
sharing links.

FortiGate Security 7.0 Study Guide 456

 Application Control

DO NOT REPRINT
© FORTINET

You can limit the bandwidth of an application category, application group, or specific application by configuring
a traffic shaping policy. You can also apply traffic shaping to FortiGuard web filter categories and to the
application group.

You must ensure that the matching criteria aligns with the firewall policy or policies to which you want to apply
shaping. It does not have to match outright. For example, if the source in the firewall policy is set to all
(0.0.0.0/0.0.0.0), you can set the source in the traffic shaping policy to any source that is included in all,
for example, LOCAL_SUBNET (10.0.1.0/24).

If the traffic shaping policy is not visible in the GUI, you can enable it on the Feature Visibility page.

There are two types of shapers that you can configure on the Traffic Shaping Policy page, and you can
apply them in the traffic shaping policy:
• Shared shaper: applies a total bandwidth to all traffic using that shaper. The scope can be per policy or for
all policies referencing that shaper.
• Per-IP shaper: applies traffic shaping to all source IP addresses in the security policy. Bandwidth is
equally divided among the group.

Note that the outgoing interface is usually the egress interface (WAN). The Shared shaper setting is applied
to ingress-to-egress traffic, which is useful for restricting bandwidth for uploading. The Reverse Shaper
setting is also a shared shaper, but it is applied to traffic in the reverse direction (egress-to-ingress traffic).
This is useful for restricting bandwidth for downloading or streaming, because it limits the bandwidth from the
external interface to the internal interface.

FortiGate Security 7.0 Study Guide 457

 Application Control

DO NOT REPRINT
© FORTINET

FortiGate Security 7.0 Study Guide 458

 Application Control

DO NOT REPRINT
© FORTINET

Good job! You now understand application control configuration.

Now, you will learn about logging and monitoring application control events.

FortiGate Security 7.0 Study Guide 459

 Application Control

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in application control configuration, including reviewing application control logs,
you will be able to effectively use and monitor application control events.

FortiGate Security 7.0 Study Guide 460

 Application Control

DO NOT REPRINT
© FORTINET

Regardless of which operation mode application control is configured in, you must enable logging on the
security or firewall policy. When you enable the logging of security events or all sessions on a security or
firewall policy, application control events are also logged. You must apply application control to the security or
firewall policy to enable application control event logging.

When the Deny action is selected on a security or firewall policy, you must enable the Log Violations option
to generate application control events for blocked traffic.

FortiGate Security 7.0 Study Guide 461

 Application Control

DO NOT REPRINT
© FORTINET

All application control events are logged on the Application Control pane on the Log & Report page. You
can view details about individual logs by clicking on the log entry.

In the example shown on this slide, access to Dailymotion is blocked using the default application control
profile. This information is available in the Log Details section, as well as information about the log source,
destination, application, and action.

Note that this log message was generated by application control using a profile-based configuration. In an
NGFW policy-based configuration, you will not find information such as application sensor name, because it
does not apply. The remainder of the information and structure of the log message is the same for each log,
regardless of which inspection mode FortiGate is operating in.

You can also view the details on the Forward Traffic logs pane. This pane is where firewall policies record
activity. You can also find a summary of the traffic to which FortiGate applied application control. Again, this is
because application control is applied by a firewall policy. To find out which policy applied application control,
you can review either the Policy ID or the Policy UUID fields of the log message.

FortiGate Security 7.0 Study Guide 462

 Application Control

DO NOT REPRINT
© FORTINET

On the Dashboard menu, the Top Applications standalone page provides details about each application,
such as the application name, category, and bandwidth. You can drill down further to see more granular
details by double-clicking an individual log entry. The detailed view provides information about the source,
destination, policies, or sessions for the selected application.

FortiGate Security 7.0 Study Guide 463

 Application Control

DO NOT REPRINT
© FORTINET

FortiGate Security 7.0 Study Guide 464

 Application Control

DO NOT REPRINT
© FORTINET

Good job! You now understand application control logging and monitoring.

Now, you will learn about application control best practices and troubleshooting.

FortiGate Security 7.0 Study Guide 465

 Application Control

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in application control best practices and troubleshooting, you will be able to
configure and maintain an effective application control solution.

FortiGate Security 7.0 Study Guide 466

 Application Control

DO NOT REPRINT
© FORTINET

This slide lists some best practices to keep in mind when implementing application control on FortiGate.

Not all traffic requires an application control scan. Don’t apply application control to internal-only traffic.

To minimize resource use on FortiGate, be as specific as possible when creating firewall policies. This
reduces resource use, and also helps you build a more secure firewall configuration.

Create identical firewall policies for all redundant internet connections, to ensure that the same inspection is
performed on failover traffic. Select Deep-Inspection instead of Certificate-based inspection for the
SSL/SSH inspection mode, to ensure content inspection is performed on encryption protocols.

FortiGate models that feature specialized chips, such as network processors and content processors, can
offload and accelerate application signature matching for enhanced performance.

You can use a FortiCloud account to save and view application control logs in FortiView, on FortiGate devices
that do not have a log disk.

FortiGate Security 7.0 Study Guide 467

 Application Control

DO NOT REPRINT
© FORTINET

If you are experiencing issues with a FortiGuard application control update, start troubleshooting the issue
with the most basic steps:
• Make sure that FortiGate has a stable connection to the internet or FortiManager (if FortiGate is configured
to receive updates from FortiManager)
• If the internet connection is stable, check DNS resolution on FortiGate
• If FortiGate is installed behind a network firewall, make sure that port443 is being allowed from FortiGate

You can check the FortiGuard website for the latest version of the application control database. If your locally
installed database is out-of-date, try forcing FortiGate to check for the latest updates by running the execute
update-now command.

FortiGate Security 7.0 Study Guide 468

 Application Control

DO NOT REPRINT
© FORTINET

FortiGate Security 7.0 Study Guide 469

 Application Control

DO NOT REPRINT
© FORTINET

Congratulations! You have completed this lesson.

Now, you’ll review the objectives that you covered in this lesson.

FortiGate Security 7.0 Study Guide 470

 Application Control

DO NOT REPRINT
© FORTINET

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to use methods beyond simply blocking
protocols, port numbers, or IP addresses, to monitor and control both standard and non-standard network
applications.

FortiGate Security 7.0 Study Guide 471

 Antivirus

DO NOT REPRINT
© FORTINET

In this lesson, you will learn how to use FortiGate to protect your network against viruses.

FortiGate Security 7.0 Study Guide 472

 Antivirus

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about the topics shown on this slide.

FortiGate Security 7.0 Study Guide 473

 Antivirus

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in antivirus basics, you will be able to understand and apply antivirus on
FortiGate.

FortiGate Security 7.0 Study Guide 474

 Antivirus

DO NOT REPRINT
© FORTINET

An antivirus is a database of virus signatures that is used to identify infections. During an antivirus scan, in
order to be detected as a virus, the virus must match a defined pattern called a signature.

Different vendors assign different names to the same virus. All vendors use the attack vector designation in
the virus name. The vector comes at the beginning of the virus name. Some examples include:
• W32, which represents 32-bit Windows
• W64, which represents 64-bit Windows
• JS, which represents JavaScript (which is cross-platform)

Some vendors also use a pattern as part of the virus name. Some patterns detect only one virus per pattern.
Other patterns are more flexible and can detect multiple viruses per pattern. The pattern that the vendor uses
depends on the vendor’s engine.

Host-based antivirus software, such as FortiClient, can help at the host level; however, host-based antivirus
software cannot be installed on routers. Also, guest Wi-Fi networks and ISP customers might not have
antivirus software installed.

So, how can you protect guest networks, ISP customers, and your own network from malware threats?

FortiGate Security 7.0 Study Guide 475

 Antivirus

DO NOT REPRINT
© FORTINET

Like viruses, which use many methods to avoid detection, FortiGate uses many techniques to detect viruses.
These detection techniques include:
• Antivirus scan: This is the first, fastest, simplest way to detect malware. It detects viruses that are an exact
match for a signature in the antivirus database.
• Grayware scan: This scan detects unsolicited programs, known as grayware, that have been installed
without the user’s knowledge or consent. Grayware is not technically a virus. It is often bundled with
innocuous software, but does have unwanted side effects, so it is categorized as malware. Often, grayware
can be detected with a simple FortiGuard grayware signature.
• Machine learning (AI) scan: These scans are based on probability, so they increase the possibility of false
positives, but they also detect zero-day attacks. Zero-day attacks are malwares that are new, unknown,
and, therefore, have no existing associated signature. If your network is a frequent target, enabling an AI
scan may be worth the performance cost because it can help you to detect a virus before the outbreak
begins. By default, when the AI engine detects a new virus, it logs the file as Suspicious but does not
block it. You can choose whether to block or allow suspicious files.

The AI scan is an optional feature that must be enabled in the CLI. You can configure the action for the AI
scan to enable, monitor, or disable using the CLI command in the antivirus settings.

If all antivirus features are enabled, FortiGate applies the following scanning order: antivirus scan, followed by
grayware scan, followed by AI scan.

FortiGate Security 7.0 Study Guide 476

 Antivirus

DO NOT REPRINT
© FORTINET

What if AI scans are too uncertain? What if you need a more sophisticated, more certain way to detect
malware and find zero-day viruses?

You can integrate your antivirus scans with either FortiSandbox Cloud or a FortiSandbox appliance. Note you
will need to enable cloud sandboxing on the CLI under system global settings for configuration options to
appear on GUI . For environments that require more certainty, FortiSandbox executes the file within a
protected environment (VMs), then examines the effects of the software to see if it is dangerous.

For example, let’s say you have two files. Both alter the system registry and are, therefore, suspicious. One is
a driver installation—its behavior is normal—but the second file installs a virus that connects to a botnet
command and control server. Sandboxing would reveal the difference.

FortiGate can be configured to receive a supplementary signature database from FortiSandbox based on the
sandboxed results.

FortiGate Security 7.0 Study Guide 477

 Antivirus

DO NOT REPRINT
© FORTINET

FortiOS is smart when it comes to determining what files are sent to FortiSandbox. One feature FortiOS uses
for this is content disarm and reconstruction (CDR), a proxy-based feature that you will learn more about later.
When CDR processes files, the original documents can be saved to FortiSandbox.

FortiGuard provides FortiGate with information based on the current threat climate that is used to determine if
a file should be deemed suspicious or not. FortiGate provides the administrator with granular control when it
comes to determining what type of files are sent to FortiSandbox for further investigation. Administrators also
have the option to use the FortiSandbox database in conjunction with the FortiGuard antivirus database to
enhance their network security.

FortiGate Security 7.0 Study Guide 478

 Antivirus

DO NOT REPRINT
© FORTINET

Scheduled updates allow you to configure scheduled updates at regular intervals, such as hourly, daily,
weekly, or automatically within every hour. You can also enable AntiVirus PUP/PUA, which allows antivirus
grayware checks for potentially unwanted programs and applications.

Regardless of which method you select, you must enable virus scanning in at least one firewall policy.
Otherwise, FortiGate will not download any updates. Alternatively, you can download packages from the
Fortinet customer service and support website (requires subscription), and then manually upload them to your
FortiGate. You can verify the update status and signature versions from the FortiGuard page on the GUI or
using the CLI console.

FortiGate Security 7.0 Study Guide 479

 Antivirus

DO NOT REPRINT
© FORTINET

Multiple FortiGuard antivirus databases exist, which you can configure using CLI commands. Support for each
database type varies by FortiGate model.

All FortiGate devices include the extended database. The extended database contains signatures for viruses
that have been detected in recent months, as identified by the FortiGuard Global Security Research Team.
The extended database also detects viruses that are no longer active.

The extreme database is intended for use in high-security environments. The extreme database detects all
known viruses, including viruses targeted at legacy operating systems that are no longer widely used. Most
FortiGate models support the extreme database.

FortiGate Security 7.0 Study Guide 480

 Antivirus

DO NOT REPRINT
© FORTINET

Content disarm and reconstruction (CDR): The CDR removes exploitable content and replaces it with content
that's known to be safe. As files are processed through an enabled antivirus profile, content that's found to be
malicious or unsafe is replaced with content that allows the traffic to continue, but doesn't put the recipient at
risk. Content that can be scanned includes PDF and Microsoft Office files leaving the network on CDR-
supported protocols (such as HTTP, SMTP, IMAP, and POP3—MAPI isn't supported). When the client tries to
download the file, FortiGate removes all exploitable content in real-time, then the original file is sent to
FortiSandbox for inspection. The client can download the original file by logging in to the FortiSandbox.

Virus outbreak prevention: An additional layer of protection that keeps your network safe from newly emerging
malware. Quick virus outbreaks can infect a network before signatures can be developed to stop them.
Outbreak protection stops these virus outbreaks until signatures become available in FortiGuard. FortiGate
must have a zero-hour virus Outbreak (ZHVO) license. FortiGate adds hash-based virus detection for new
threats that are not yet detected by the antivirus signatures. When the file is sent to the scanunit deamon,
buffers are hashed and a request is sent to the urlfilter deamon. After checking against its request cache for
known signatures, the urlfilter deamon sends an antivirus request to FortiGuard with the remaining signatures.
FortiGuard returns a rating that is used to determine if the scanunit deamon should report the file as harmful
or not. Jobs remain suspended in the scanunit deamon until the client receives a response, or the request
times out.

Malware block list: FortiGate can enhance the antivirus database by linking a dynamic external malware block
list to FortiGate. The list is hosted on a web server and is available through HTTP/HTTPS URL defined within
the Security Fabric malware hash list. The list can be in the forms of MD5, SHA1, and SHA256 hashes, and
are written on separate lines on a plaintext file. The malware block list can be defined as a Security Fabric
connector and configured to pull the list dynamically by setting the refresh rate.

FortiGate Security 7.0 Study Guide 481

 Antivirus

DO NOT REPRINT
© FORTINET

FortiGate Security 7.0 Study Guide 482

 Antivirus

DO NOT REPRINT
© FORTINET

Good job! You now understand the basics of antivirus functionality.

Now, you will learn about antivirus scanning modes.

FortiGate Security 7.0 Study Guide 483

 Antivirus

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in all antivirus scanning modes available in FortiOS, you will be able to use the
antivirus profile in an effective manner.

FortiGate Security 7.0 Study Guide 484

 Antivirus

DO NOT REPRINT
© FORTINET

AV can operate in flow-based or proxy-based inspection mode, both of which use the full AV database
(extended or extreme–depending on the CLI settings).

Flow-based inspection mode uses a hybrid of the scanning modes available in proxy-based inspection: the
default scanning mode and the legacy scanning mode. The default mode enhances the scanning of nested
archive files without buffering the container archive file. The legacy mode buffers the full container, and then
scans it.

In flow-based inspection mode, the IPS engine reads the payload of each packet, caches a local copy, and
forwards the packet to the receiver at the same time. Because the file is transmitted simultaneously, flow-
based mode consumes more CPU cycles than proxy-based. However, depending on the FortiGate model,
some operations can be offloaded to SPUs to improve performance. When FortiGate receives the last packet
of the file, it puts the packet on hold and sends a copy to the IPS engine. The IPS engine extracts the payload
and assembles the whole file, and then sends the whole file to the AV engine for scanning.

Two possible scenarios can occur when a virus is detected:

• When a virus is detected on a TCP session where some packets have been already forwarded to the
receiver, FortiGate resets the connection and does not send the last piece of the file. Although the receiver
got most of the file content, the file has been truncated and therefore, can’t be opened. The IPS engine
also caches the URL of the infected file, so that if a second attempt to transmit the file is made, the IPS
engine will then send a block replacement message to the client instead of scanning the file again.
• If the virus is detected at the start of the connection, the IPS engine sends the block replacement message
immediately.

FortiGate Security 7.0 Study Guide 485

 Antivirus

DO NOT REPRINT
© FORTINET

This slide shows an example of the antiVirus profile operating in flow-based inspection mode. By default,
Feature set is set to Flow-based.

FortiGate Security 7.0 Study Guide 486

 Antivirus

DO NOT REPRINT
© FORTINET

As you can see on this slide, the client sends a request and starts receiving packets immediately, but
FortiGate also caches those packets at the same time. When the last packet arrives, FortiGate caches it and
puts it on hold. Then, the IPS engine extracts the payload of the last packet, assembles the whole file, and
sends it to the antivirus engine for scanning. If the antivirus scan does not detect any viruses, and the result
comes back clean, the last cached packet is regenerated and delivered to the client. However, if a virus is
found, the last packet is dropped. Even if the client has received most of the file, the file will be truncated and
the client will be not able to open a truncated file.

Regardless of which mode you use, the scan techniques give similar detection rates. How can you choose
between the scan engines? If performance is your top priority, then flow inspection mode is more appropriate.
If security is your priority, proxy inspection mode—with client comforting disabled—is more appropriate.

FortiGate Security 7.0 Study Guide 487

 Antivirus

DO NOT REPRINT
© FORTINET

Each protocol’s proxy picks up a connection and buffers the entire file first (or waits until the oversize limit is
reached) before scanning. The client must wait for the scanning to finish. If a virus is detected, the block
replacement page is displayed immediately. Because FortiGate has to buffer the whole file and then do the
scanning, it takes a long time to scan. Also, from the client point of view, it has to wait for the scanning to
finish and might terminate the connection due to lack of data.

You can configure client comforting for HTTP and FTP from the config firewall profile-protocol-
options command tree. This allows the proxy to slowly transmit some data until it can complete the buffer
and finish the scan. This prevents a connection or session timeout. No block replacement message appears
in the first attempt, as FortiGate is transmitting the packets to the end client.

Using proxy inspection antivirus allow you to use the stream-based scanning, which is enabled by default.
Stream-based scanning scans large archive files by decompressing the files and then scanning and extracting
them at the same time. This process optimized memory utilization to conserve resources on FortiGate.
Viruses are detected even if they are in the middle or towards the end of these large files.

FortiGate Security 7.0 Study Guide 488

 Antivirus

DO NOT REPRINT
© FORTINET

With a proxy inspection mode scan, the client sends a request and FortiGate starts buffering the whole file,
then sends it to the antivirus engine for scanning. If the file is clean (without any viruses), FortiGate starts
transmitting the file to the end client. If a virus is found, no packets are delivered to the end client and the
proxy sends the replacement block message to the end client.

FortiGate Security 7.0 Study Guide 489

 Antivirus

DO NOT REPRINT
© FORTINET

Applying a proxy-based antivirus profile requires two sections in FortiGate configuration to use non-default
settings:
1. Antivirus profile
2. Firewall policy

Antivirus profile provides the option to select a proxy-based approach as the inspection mode within the
profile. This allows the profile to inspect MAPI and SSH protocols traffic, as well as to sanitize Microsoft
documents and PDF files using the content disarm and reconstruction (CDR) feature.

If the inspection mode on the antivirus profile is set to Proxy-based, it is only available when the firewall
policy inspection mode is set to Proxy-based.

FortiGate Security 7.0 Study Guide 490