Chapter 2. Policy

2.2 Application Profile

Learning Objectives

  • Work with application control profiles in FortiGate
  • Create a traffic shaper
  • Apply traffic shaping to selected traffic
Scenario: Application control uses IPS protocol decoders to identify application traffic, even when that traffic uses non-standard ports or protocols. In the first example we block social networks; in the second we apply a traffic shaper to one of the local PCs. Finally, we measure the connection speed on both PCs in the local network and compare the results.

Working with Application Profile

  1. Go to Policy & Objects > Firewall Policy, select the LocalToInternet policy you created in the previous section, and click Edit.
  2. In the Security Profiles section, enable Application Control and create a new profile:
    • Name: Ban-SocialNetwork
    • In Categories, set Social.Media and Video/Audio to Block
    Figure 2.17: Block Social.Media and Video/Audio

    Application and Filter Overrides take precedence over the category actions. For example, if a filter override is configured to block applications that use excessive bandwidth, it blocks every such application, regardless of any category setting that would otherwise allow it.

  3. In Application and Filter Overrides, click Create New:
    1. Select Application
    2. Action: Block
    3. Application: YouTube
    Figure 2.18: Block YouTube
  4. In Application and Filter Overrides, click Create New again:
    1. Select Application
    2. Action: Block
    3. Application: Facebook_Chat
    Figure 2.19: Block Facebook
  5. Click OK on all dialogs. Now open the browser, go to Twitter.com or YouTube.com and search for a video; you should receive the application block page.
    Figure 2.20: Application Control Blocked page
  6. Go to Log & Report > Application Control and find the log entries generated by the previous step.
    Figure 2.21: Application Control logs
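
The same profile and policy binding expressed in the FortiOS CLI, added here as an example; it is not part of the original page. It assumes a FortiOS 6.4/7.x CLI and that the LocalToInternet policy has ID 1 (check with "show firewall policy"). The category and signature IDs in the comments (23 = Social.Media, 5 = Video/Audio, 31077 = YouTube) are assumptions to be confirmed on your own unit (with "set category ?" and the Application Signatures list in the GUI); the Facebook_Chat override is added the same way with its own ID. FortiOS has no comment syntax, so strip the # comments before pasting.

```text
config application list
    edit "Ban-SocialNetwork"
        config entries
            # Entries are matched top-down, so the override goes first.
            edit 1
                set application 31077        # assumed ID for YouTube; confirm in the GUI
                set action block
            next
            edit 2
                set category 23 5            # assumed IDs: 23 = Social.Media, 5 = Video/Audio
                set action block
            next
        end
    next
end

config firewall policy
    edit 1                                   # assumed ID of LocalToInternet
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"   # a security profile needs an SSL/SSH inspection profile
        set application-list "Ban-SocialNetwork"
    next
end

# Check the result
show application list "Ban-SocialNetwork"
```

Certificate inspection is enough to identify YouTube and Facebook_Chat from the TLS handshake, which is why the block page appears without decrypting the session; it also means the block page itself cannot be injected into an HTTPS connection, so the browser may only show a connection error while the log entry still records the block.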

Working with Application Profile: Part 2

Figure 2.22: Main scenario

Table 2.3: Devices Configuration
Device      Configuration
FortiGate   Port 2: DHCP server (192.168.1.20 – 192.168.1.30)
            Port 3: DHCP client
WebTerm1    DHCP client
WebTerm3    DHCP client

  1. Remove the Application Control profile from the policy you modified in the previous step.
  2. Add an Ethernet switch and WebTerm3 to your GNS3 topology. WebTerm3 should receive an IP address from the FortiGate DHCP server.
    Figure 2.23: Verify DHCP address in WebTerm3
  3. Set up traffic shaping for WebTerm3 to limit the bandwidth it can use.
    • Create an Address object for WebTerm3. Go to Policy & Objects > Addresses and create a new address with the following information:
    Table 2.4: Create a new Address for WebTerm3
    Field              Value
    Name               WebTerm3
    Type               Subnet
    Subnet/IP Range    192.168.1.21/32 (check the actual IP address in WebTerm3)
    Interface          any
    Figure 2.24: WebTerm3 IP address
  4. Go to Policy & Objects > Traffic Shapers and create a new Per-IP traffic shaper. A shared shaper applies one bandwidth limit to all traffic matching the policy, in one direction (outgoing, unless a reverse shaper is also set); a per-IP shaper applies the limit separately to each source IP address and covers both upload and download.
    Table 2.5: Traffic Shaper Configuration
    Field                        Value
    Type                         Per-IP
    Name                         WebTerm3
    Max Bandwidth                10000 (kbps, i.e. 10 Mbps)
    Max Concurrent Connections   5000
    Figure 2.25: Set traffic shaping
  5. Go to Policy & Objects > Traffic Shaping Policy and create a new policy.
    Table 2.6: Traffic Shaping Policy Configuration
    Field                Value
    Source               WebTerm3
    Destination          ALL
    Service              ALL
    Outgoing interface   Port3
    Per-IP Shaper        WebTerm3
    Figure 2.26: Set traffic shaping policy
  6. To verify, open the browser in WebTerm3 and go to Fast.com. The measured speed should stay at or below the 10 Mbps limit.
    Figure 2.27: WebTerm3 speed test
  7. Now open the browser in WebTerm1 and go to Fast.com. WebTerm1 does not match the shaping policy, so its result should be higher than WebTerm3's.
    Figure 2.28: WebTerm1 speed test
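
Steps 3 to 7 in the FortiOS CLI, added here as an example that is not part of the original page. It assumes FortiOS 6.4/7.x, that the interfaces are named port2 (LAN) and port3 (WAN) as on a FortiGate VM, and that shaping policy ID 1 is free. It also shows, for contrast, the shared-shaper variant the text mentions, so the difference between the two shaper types is visible in configuration. Strip the # comments before pasting.

```text
config firewall address
    edit "WebTerm3"
        set type ipmask
        set subnet 192.168.1.21 255.255.255.255   # a /32: this one host only
    next
end

# Per-IP shaper: every source address matching the policy gets its own
# 10 Mbps budget, applied to upload and download, and its own session cap.
config firewall shaper per-ip-shaper
    edit "WebTerm3"
        set max-bandwidth 10000                   # kbps
        set max-concurrent-session 5000
    next
end

config firewall shaping-policy
    edit 1
        set name "WebTerm3-shaping"
        set status enable
        set srcaddr "WebTerm3"
        set dstaddr "all"
        set service "ALL"
        set dstintf "port3"
        set per-ip-shaper "WebTerm3"
    next
end

# For comparison only (not used in this lab): a shared shaper is one pool that
# all matching sessions compete for, and it only limits the direction it is
# bound to. Limiting both directions needs the forward and reverse bindings.
config firewall shaper traffic-shaper
    edit "Lan-Shared-10M"
        set maximum-bandwidth 10000               # kbps, shared by every matching session
        set per-policy disable
    next
end
# In a shaping policy this would be bound with:
#     set traffic-shaper "Lan-Shared-10M"           (outgoing direction)
#     set traffic-shaper-reverse "Lan-Shared-10M"   (returning direction)

# Verify that the shaper is being hit while the Fast.com test runs
diagnose firewall shaper per-ip-shaper list
```

The per-IP shaper counters from the diagnose command are the authoritative check: if they stay at zero during the speed test, the shaping policy did not match (wrong source address or outgoing interface), whatever Fast.com reports.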
  8. We are going to allow only the Twitter application for WebTerm3; every other application should be blocked. To do this:
    1. Add a new policy from port2 to port3.
      Figure 2.29: Set Firewall Policy
    2. Add an Application Control profile that blocks all applications except Twitter, then assign this WebTerm3 profile to the policy's Application Control.
      Figure 2.30: WebTerm3 Application Control Settings
      Figure 2.31: Set Application Control
    3. Move the new policy above the LocalToInternet policy. FortiGate evaluates firewall policies from top to bottom and applies the first match, so if LocalToInternet stayed on top it would match WebTerm3's traffic first and the new profile would never be used.
      Figure 2.32: Priority of policies
    4. Verify: in WebTerm1 you should still be able to reach any website, while in WebTerm3 only Twitter should load.
      Figure 2.33: Verify the result in WebTerm1
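
Step 8 in the FortiOS CLI, added as an example that is not part of the original page. It assumes FortiOS 6.4/7.x, interfaces port2/port3, that the new policy is created with ID 2 and LocalToInternet has ID 1, and that the new policy's source is the WebTerm3 address object (the page only names the profile). The value 0 on the "set application" line is a placeholder for Twitter's signature ID, which you must take from the Application Signatures list in the GUI. Strip the # comments before pasting.

```text
# "Block everything except Twitter": instead of listing every category,
# block whatever is not explicitly passed, including unknown applications.
config application list
    edit "WebTerm3"
        set other-application-action block
        set unknown-application-action block
        # Defaults in recent FortiOS, kept explicit on purpose: DNS lookups and the
        # TLS handshake must pass or Twitter can never be resolved and identified.
        set options allow-dns allow-icmp allow-http allow-ssl
        config entries
            edit 1
                set application 0                 # placeholder: replace with Twitter's signature ID
                set action pass
            next
        end
    next
end

config firewall policy
    edit 2
        set name "WebTerm3-TwitterOnly"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "WebTerm3"                    # assumed: limit the rule to this host
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "WebTerm3"
    next
    move 2 before 1                               # first match wins: put it above LocalToInternet
end

# Confirm the order: policy 2 must be listed before policy 1
show firewall policy
```

Keeping the source restricted to WebTerm3 is what lets WebTerm1 keep full access through LocalToInternet; a policy with source "all" placed on top would apply the Twitter-only profile to every host on port2.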

License


FortiGate Firewall Copyright © 2023 by Hamid Talebi is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.
