Chapter 2 – Policy

2-2 Application Profile

Learning Objectives

  • Working with application profile in FortiGate
  • Create a Traffic Shaper
  • Apply Traffic Shaping to the traffic


Scenario: Application control uses IPS protocol decoders that can analyze network traffic to detect application traffic, even if the traffic uses non-standard ports or protocols. We are going to block social networks in the first example and then we are going to set Traffic Shaper for the local PCs in the second example. Finally, we will try to verify the connection speed in both PCs in the local network and compare them together.

Application Profile

Working with Application Profile

1- Go to Policy & Objects > Firewall Policy section, select LocalToInternet policy you have created in the previous section. Click on Edit

2- Go to Security Profile section> Application Control

    • Create a new Application Control
    • Name: Ban-SocialNetwork
    • In Categories Block Social Media, Video/Audio
Block Social Media, Video/Audio
Figure 2-17: Blocking Social Network and Video/Audio

For Application and Filter Overrides. Because a filter override is configured to block applications that use excessive bandwidth, it will block all applications using excessive bandwidth, regardless of categories that allow these applications.

3- In Application and Filter overrides> Create a new

    1. Select Application
    2. Action: Block
    3. Application: Youtube
Blocking YouTube
Figure 2-18: Blocking YouTube

4- In Application and Filter overrides> Create a new

    1. Select Application
    2. Action: Block
    3. Application: Facebook_Chat
Blocking Facebook
Figure 2-19: Blocking Facebook

5- Ok all and now open the browser and go to or and try to search for a video and you should receive an application block page.

Application Control Blocked Page
Figure 2-20: Application Control Blocked Page

6- Go to Log & Report> Application Control and try to find the logs related to the previous step.

Application Control Logs
Figure 2-21: Application Control Logs

Working with Application Profile – Part 2

main scenario
Figure 2-22: main scenario
Table 2-2: Devices Configuration
Device Configuration
FortiGate Port 2: DHCP Server ( –

Port 3: DHCP Client

WebTerm1 DHCP Client
WebTerm3 DHCP Client


1- Remove the application control you have set for policies in the previous step.

2- Add Ethernet Switch and WebTerm3 to your GNS3. WebTerm3 should receive an IP address from DHCP.

Verify DHCP address in WebTerm3
Figure 2-23: Verify DHCP address in WebTerm3

3- Set traffic shaping for WebTerm3  to save the bandwidth.

    • Create an Address object for WebTerm3. Go to Addresses> Create a new Address with the following information
Table 2-3: Create a new Address for WebTerm3
Name WebTerm3
Type Subnet
Subnet/IP Range (Check your IP in WebTerm3)
Interface any
WebTerm3 IP Address
Figure 2-24: WebTerm3 IP Address

4- Go to Policy & Objects > Traffic Shapers and create a new Per-IP traffic shaper. Shared affects upload speed while Per-IP affects download and upload speed.

Table 2-4: Traffic Shaper Configuration
Type Per-IP
Name WebTerm3
Max Bandwidth 10000
Max Concurrent Connections 5000
Set Traffic Shaping
Figure 2-25: Set Traffic Shaping

5- Go to Policy & Objects > Traffic Shaping Policy and create a new Policy.

Table 2-5: Traffic Shaping Policy Configuration
Source WebTerm3
Destination ALL
Service ALL
Outgoing interface Port3
Per-IP Shaper WebTerm3
Set traffic shaping policy
Figure 2-26: Set traffic shaping policy

6- To verify open the browser in the WebTerm3 and go to

WebTerm3 speed test
Figure 2-27: WebTerm3 speed test

7- Now, open the browser in WebTerm1 and go to

WebTerm1 speed test
Figure 2-28: WebTerm1 speed test

8- We are going to allow only twitter Applications in WebTerm3. Other applications should be blocked. To do:

  1. Add a new Policy from port2 to port3
Add a new Policy from port2 to port3
Figure 2-29: Set Firewall Policy

2. Add and Application Control and Block all applications except Twitter. Then, assign the WebTerm3 profile to Application Control.

Add and Application Control and Block all applications except twitter. Then, assign the WebTerm3 profile to Application Control.
Figure 2-30: WebTerm3 Application Control Settings
Set Application Control
Figure 2-31: Set Application Control

3. Then, put the policy you have created above LocalToInternet Policy.

Priority of Policies
Figure 2-32: Priority of policies
  • Verify-in WebTerm1, you should be able to reach any websites.
Verify the result in Webterm1
Figure 2-33: Verify the result in WebTerm1


Share This Book