Chapter 2. Policy
2.2 Application Profile
Learning Objectives
- Work with application profile in FortiGate
- Create a Traffic Shaper
- Apply Traffic Shaping to the traffic
Scenario: Application control uses IPS protocol decoders that can analyze network traffic to detect application traffic, even if the traffic uses non-standard ports or protocols. We are going to block social networks in the first example and then we are going to set Traffic Shaper for the local PCs in the second example. Finally, we will try to verify the connection speed in both PCs in the local network and compare them together.
Working with Application Profile
- Go to Policy & Objects > Firewall Policy section, select LocalToInternet policy you have created in the previous section. Click on Edit.
- Go to Security Profile section > Application Control.
- Create a new Application Control
- Name: Ban-SocialNetwork
- In Categories Block Social Media, Video/Audio
Figure 2.17: Block Social.Media and Video/Audio For Application and Filter Overrides. Because a filter override is configured to block applications that use excessive bandwidth, it will block all applications using excessive bandwidth, regardless of categories that allow these applications.
- In Application and Filter overrides > Create a new.
- Select Application
- Action: Block
- Application: YouTube
Figure 2.18: Block YouTube - In Application and Filter overrides > Create a new.
- Select Application
- Action: Block
- Application: Facebook_Chat
Figure 2.19: Block Facebook - OK all and now open the browser and go to Twitter.com or YouTube.com and try to search for a video and you should receive an application block page.
Figure 2.20: Application Control Blocked page - Go to Log & Report > Application Control and try to find the logs related to the previous step.
Figure 2.21: Application Control logs
Working with Application Profile: Part 2
| Device | Configuration |
|---|---|
| FortiGate | Port 2: DHCP Server (192.168.1.20 – 192.168.1.30)
Port 3: DHCP Client |
| WebTerm1 | DHCP Client |
| WebTerm3 | DHCP Client |
- Remove the application control you have set for policies in the previous step.
- Add Ethernet Switch and WebTerm3 to your GNS3. WebTerm3 should receive an IP address from DHCP.
Figure 2.23: Verify DHCP address in WebTerm3 - Set traffic shaping for WebTerm3 to save the bandwidth.
- Create an Address object for WebTerm3. Go to Addresses > Create a new Address with the following information:
Table 2.4: Create a new Address for WebTerm3 Field Value Name WebTerm3 Type Subnet Subnet/IP Range 192.168.1.21/32 (Check your IP in WebTerm3) Interface any 
Figure 2.24: WebTerm3 IP address - Go to Policy & Objects > Traffic Shapers and create a new Per-IP traffic shaper. Shared affects upload speed while Per-IP affects download and upload speed.
Table 2.5: Traffic Shaper Configuration Field Value Type Per-IP Name WebTerm3 Max Bandwidth 10000 Max Concurrent Connections 5000 
Figure 2.25: Set traffic shaping - Go to Policy & Objects > Traffic Shaping Policy and create a new Policy.
Table 2.6: Traffic Shaping Policy Configuration Field Value Source WebTerm3 Destination ALL Service ALL Outgoing interface Port3 Per-IP Shaper WebTerm3 
Figure 2.26: Set traffic shaping policy - To verify open the browser in the WebTerm3 and go to Fast.com.
Figure 2.27: WebTerm3 speed test - Now, open the browser in WebTerm1 and go to Fast.com.
Figure 2.28: WebTerm1 speed test - We are going to allow only twitter Applications in WebTerm3. Other applications should be blocked. To do:
- Add a new Policy from port2 to port3.
Figure 2.29: Set Firewall Policy - Add and Application Control and Block all applications except Twitter. Then, assign the WebTerm3 profile to Application Control.
Figure 2.30: WebTerm3 Application Control Settings 
Figure 2.31: Set Application Control - Then, put the policy you have created above LocalToInternet Policy.
Figure 2.32: Priority of policies - Verify: in WebTerm1, you should be able to reach any websites.
Figure 2.33: Verify the result in WebTerm1
- Add a new Policy from port2 to port3.
