{"id":75,"date":"2022-04-02T21:21:00","date_gmt":"2022-04-03T01:21:00","guid":{"rendered":"https:\/\/pressbooks.bccampus.ca\/fortigatefirewall\/chapter\/chapter-2-1-application-profile\/"},"modified":"2025-12-11T14:19:44","modified_gmt":"2025-12-11T19:19:44","slug":"application-profile","status":"publish","type":"chapter","link":"https:\/\/pressbooks.bccampus.ca\/fortigatefirewall\/chapter\/application-profile\/","title":{"raw":"2.2 Application Profile","rendered":"2.2 Application Profile"},"content":{"raw":"
\r\n

Learning Objectives<\/p>\r\n\r\n<\/header>\r\n

\r\n
    \r\n \t
  • Work with application profile in FortiGate<\/li>\r\n \t
  • Create a Traffic Shaper<\/li>\r\n \t
  • Apply Traffic Shaping to the traffic<\/li>\r\n<\/ul>\r\n<\/div>\r\n<\/div>\r\n
    Scenario<\/strong>: Application control uses IPS protocol decoders that can analyze network traffic to detect application traffic, even if the traffic uses non-standard ports or protocols. We are going to block social networks in the first example and then we are going to set Traffic Shaper for the local PCs in the second example. Finally, we will try to verify the connection speed in both PCs in the local network and compare them together.<\/div>\r\n

    Working with Application Profile<\/h2>\r\n
      \r\n \t
    1. Go to Policy & Objects<\/strong> > Firewall Policy<\/strong> section, select LocalToInternet<\/strong> policy you have created in the previous section. Click on Edit.<\/li>\r\n \t
    2. Go to Security Profile section<\/strong> > Application Control<\/strong>.\r\n
        \r\n \t
      • Create a new Application Control<\/li>\r\n \t
      • Name: Ban-SocialNetwork<\/strong><\/li>\r\n \t
      • In Categories Block<\/strong> Social Media, Video\/Audio<\/li>\r\n<\/ul>\r\n[caption id=\"attachment_58\" align=\"aligncenter\" width=\"500\"]\"Block Figure 2.17: Block Social.Media and Video\/Audio[\/caption]\r\n\r\nFor Application and Filter Overrides. Because a filter override is configured to block applications that use excessive bandwidth, it will block all applications using excessive bandwidth, regardless of categories that allow these applications.<\/li>\r\n \t
      • In Application and Filter overrides<\/strong> > Create a new<\/strong>.\r\n
          \r\n \t
        1. Select Application<\/strong><\/li>\r\n \t
        2. Action: Block<\/strong><\/li>\r\n \t
        3. Application: YouTube<\/strong><\/li>\r\n<\/ol>\r\n[caption id=\"attachment_59\" align=\"aligncenter\" width=\"500\"]\"Blocking Figure 2.18: Block YouTube[\/caption]<\/li>\r\n \t
        4. In Application and Filter overrides<\/strong> > Create a new<\/strong>.\r\n
            \r\n \t
          1. Select Application<\/strong><\/li>\r\n \t
          2. Action: Block<\/strong><\/li>\r\n \t
          3. Application: Facebook_Chat<\/strong><\/li>\r\n<\/ol>\r\n[caption id=\"attachment_60\" align=\"aligncenter\" width=\"500\"]\"Blocking Figure 2.19: Block Facebook[\/caption]<\/li>\r\n \t
          4. OK<\/strong> all and now open the browser and go to Twitter.com<\/strong> or YouTube.com<\/strong> and try to search for a video and you should receive an application block page.\r\n\r\n[caption id=\"attachment_61\" align=\"aligncenter\" width=\"500\"]\"Application Figure 2.20: Application Control Blocked page[\/caption]<\/li>\r\n \t
          5. Go to Log & Report<\/strong> > Application Control<\/strong> and try to find the logs related to the previous step.\r\n\r\n[caption id=\"attachment_62\" align=\"alignnone\" width=\"1194\"]\"Application Figure 2.21: Application Control logs[\/caption]<\/li>\r\n<\/ol>\r\n

            Part 2:Working with Application Profile<\/h2>\r\n[caption id=\"attachment_74\" align=\"aligncenter\" width=\"1090\"]\"main Figure 2.22: Main scenario[\/caption]\r\n\r\n
            \r\n\r\n\r\n\r\n\r\n\r\n
            Table 2.3: Devices Configuration<\/caption>\r\n
            Device<\/th>\r\nConfiguration<\/th>\r\n<\/tr>\r\n
            FortiGate<\/td>\r\nPort 2: 192.168.1.1 , DHCP Server (192.168.1.20 - 192.168.1.30)<\/span>\r\n\r\nPort 3: DHCP Client<\/td>\r\n<\/tr>\r\n
            WebTerm1<\/td>\r\nDHCP Client<\/td>\r\n<\/tr>\r\n
            WebTerm3<\/td>\r\nDHCP Client<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n<\/div>\r\n
              \r\n \t
            1. Remove the application control you have set for policies in the previous step.<\/li>\r\n \t
            2. Add Ethernet Switch and WebTerm3 <\/strong>to your GNS3. WebTerm3 should receive an IP address from DHCP.\r\n\r\n[caption id=\"attachment_74\" align=\"aligncenter\" width=\"1281\"]\"Verify Figure 2.23: Verify DHCP address in WebTerm3[\/caption]<\/li>\r\n \t
            3. Set traffic shaping for WebTerm3 to save the bandwidth.\r\n
                \r\n \t
              • Create an Address object for WebTerm3. <\/em>Go to Addresses<\/strong> > Create a new Address<\/strong> with the following information:<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n\r\n\r\n\r\n
                Table 2.4: Create a new Address for WebTerm3<\/caption>\r\n
                Field<\/th>\r\nValue<\/th>\r\n<\/tr>\r\n
                Name<\/td>\r\nWebTerm3<\/td>\r\n<\/tr>\r\n
                Type<\/td>\r\nSubnet<\/td>\r\n<\/tr>\r\n
                Subnet\/IP Range<\/td>\r\n192.168.1.21\/32 (Check your IP in WebTerm3)<\/td>\r\n<\/tr>\r\n
                Interface<\/td>\r\nany<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n[caption id=\"attachment_65\" align=\"aligncenter\" width=\"450\"]\"WebTerm3 Figure 2.24: WebTerm3 IP address[\/caption]<\/li>\r\n \t
              • Go to Policy & Objects<\/strong> > Traffic Shapers<\/strong> and create a new Per-IP traffic shaper. Shared affects upload speed while Per-IP affects download and upload speed.\r\n\r\n\r\n\r\n\r\n\r\n\r\n
                Table 2.5: Traffic Shaper Configuration<\/caption>\r\n
                Field<\/th>\r\nValue<\/th>\r\n<\/tr>\r\n
                Type<\/td>\r\nPer-IP<\/td>\r\n<\/tr>\r\n
                Name<\/td>\r\nWebTerm3<\/td>\r\n<\/tr>\r\n
                Max Bandwidth<\/td>\r\n10000<\/td>\r\n<\/tr>\r\n
                Max Concurrent Connections<\/td>\r\n5000<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n[caption id=\"attachment_66\" align=\"aligncenter\" width=\"917\"]\"Set Figure 2.25: Set traffic shaping[\/caption]<\/li>\r\n \t
              • Go to Policy & Objects > Traffic Shaping Policy <\/strong>and create a new Policy.\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n
                Table 2.6: Traffic Shaping Policy Configuration<\/caption>\r\n
                Field<\/th>\r\nValue<\/th>\r\n<\/tr>\r\n
                Source<\/td>\r\nWebTerm3<\/td>\r\n<\/tr>\r\n
                Destination<\/td>\r\nALL<\/td>\r\n<\/tr>\r\n
                Service<\/td>\r\nALL<\/td>\r\n<\/tr>\r\n
                Outgoing interface<\/td>\r\nPort3<\/td>\r\n<\/tr>\r\n
                Per-IP Shaper<\/td>\r\nWebTerm3<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n[caption id=\"attachment_67\" align=\"aligncenter\" width=\"500\"]\"Set Figure 2.26: Set traffic shaping policy[\/caption]<\/li>\r\n \t
              • To verify open the browser in the WebTerm3 and go to Fast.com<\/strong>.\r\n\r\n[caption id=\"attachment_68\" align=\"aligncenter\" width=\"350\"]\"WebTerm3 Figure 2.27: WebTerm3 speed test[\/caption]<\/li>\r\n \t
              • Now, open the browser in WebTerm1 and go to Fast.com.<\/strong>\r\n\r\n[caption id=\"\" align=\"aligncenter\" width=\"400\"]\"WebTerm1 Figure 2.28: WebTerm1 speed test[\/caption]<\/li>\r\n \t
              • We are going to allow only twitter Applications in WebTerm3. Other applications should be blocked. To do:\r\n
                  \r\n \t
                1. Add a new Policy from port2 to port3.\r\n\r\n[caption id=\"attachment_74\" align=\"aligncenter\" width=\"1162\"]\"Add Figure 2.29: Set Firewall Policy[\/caption]<\/li>\r\n \t
                2. Add and Application Control and Block all applications except Twitter. Then, assign the WebTerm3 profile to Application Control.\r\n\r\n[caption id=\"attachment_1111\" align=\"aligncenter\" width=\"696\"]\"\" Figure 2.30: WebTerm3 Application Control Settings<\/span>[\/caption]\r\n\r\n[caption id=\"attachment_74\" align=\"aligncenter\" width=\"588\"]\"Set Figure 2.31: Set Application Control[\/caption]<\/li>\r\n \t
                3. Then, put the policy you have created above LocalToInternet Policy.\r\n\r\n[caption id=\"attachment_74\" align=\"aligncenter\" width=\"982\"]\"Priority Figure 2.32: Priority of policies[\/caption]<\/li>\r\n \t
                4. Verify in WebTerm1, you should be able to reach only twitter<\/span>.\r\n\r\n[caption id=\"attachment_1112\" align=\"aligncenter\" width=\"732\"]\"\" Figure 2.33: verify twitter.com or x.com is reachable.[\/caption]<\/li>\r\n<\/ol>\r\n<\/li>\r\n<\/ol>","rendered":"
                  \n
                  \n

                  Learning Objectives<\/p>\n<\/header>\n

                  \n
                    \n
                  • Work with application profile in FortiGate<\/li>\n
                  • Create a Traffic Shaper<\/li>\n
                  • Apply Traffic Shaping to the traffic<\/li>\n<\/ul>\n<\/div>\n<\/div>\n
                    Scenario<\/strong>: Application control uses IPS protocol decoders that can analyze network traffic to detect application traffic, even if the traffic uses non-standard ports or protocols. We are going to block social networks in the first example and then we are going to set Traffic Shaper for the local PCs in the second example. Finally, we will try to verify the connection speed in both PCs in the local network and compare them together.<\/div>\n

                    Working with Application Profile<\/h2>\n
                      \n
                    1. Go to Policy & Objects<\/strong> > Firewall Policy<\/strong> section, select LocalToInternet<\/strong> policy you have created in the previous section. Click on Edit.<\/li>\n
                    2. Go to Security Profile section<\/strong> > Application Control<\/strong>.\n
                        \n
                      • Create a new Application Control<\/li>\n
                      • Name: Ban-SocialNetwork<\/strong><\/li>\n
                      • In Categories Block<\/strong> Social Media, Video\/Audio<\/li>\n<\/ul>\n
                        \"Block
                        Figure 2.17: Block Social.Media and Video\/Audio<\/figcaption><\/figure>\n

                        For Application and Filter Overrides. Because a filter override is configured to block applications that use excessive bandwidth, it will block all applications using excessive bandwidth, regardless of categories that allow these applications.<\/li>\n

                      • In Application and Filter overrides<\/strong> > Create a new<\/strong>.\n
                          \n
                        1. Select Application<\/strong><\/li>\n
                        2. Action: Block<\/strong><\/li>\n
                        3. Application: YouTube<\/strong><\/li>\n<\/ol>\n
                          \"Blocking
                          Figure 2.18: Block YouTube<\/figcaption><\/figure>\n<\/li>\n
                        4. In Application and Filter overrides<\/strong> > Create a new<\/strong>.\n
                            \n
                          1. Select Application<\/strong><\/li>\n
                          2. Action: Block<\/strong><\/li>\n
                          3. Application: Facebook_Chat<\/strong><\/li>\n<\/ol>\n
                            \"Blocking
                            Figure 2.19: Block Facebook<\/figcaption><\/figure>\n<\/li>\n
                          4. OK<\/strong> all and now open the browser and go to Twitter.com<\/strong> or YouTube.com<\/strong> and try to search for a video and you should receive an application block page.
                            \n
                            \"Application
                            Figure 2.20: Application Control Blocked page<\/figcaption><\/figure>\n<\/li>\n
                          5. Go to Log & Report<\/strong> > Application Control<\/strong> and try to find the logs related to the previous step.
                            \n
                            \"Application
                            Figure 2.21: Application Control logs<\/figcaption><\/figure>\n<\/li>\n<\/ol>\n

                            Part 2:Working with Application Profile<\/h2>\n
                            \"main
                            Figure 2.22: Main scenario<\/figcaption><\/figure>\n
                            \n\n\n\n\n\n\n
                            Table 2.3: Devices Configuration<\/caption>\n
                            Device<\/th>\nConfiguration<\/th>\n<\/tr>\n
                            FortiGate<\/td>\nPort 2: 192.168.1.1 , DHCP Server (192.168.1.20 – 192.168.1.30)<\/span><\/p>\n

                            Port 3: DHCP Client<\/td>\n<\/tr>\n

                            WebTerm1<\/td>\nDHCP Client<\/td>\n<\/tr>\n
                            WebTerm3<\/td>\nDHCP Client<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
                              \n
                            1. Remove the application control you have set for policies in the previous step.<\/li>\n
                            2. Add Ethernet Switch and WebTerm3 <\/strong>to your GNS3. WebTerm3 should receive an IP address from DHCP.
                              \n
                              \"Verify
                              Figure 2.23: Verify DHCP address in WebTerm3<\/figcaption><\/figure>\n<\/li>\n
                            3. Set traffic shaping for WebTerm3 to save the bandwidth.\n
                                \n
                              • Create an Address object for WebTerm3. <\/em>Go to Addresses<\/strong> > Create a new Address<\/strong> with the following information:<\/li>\n<\/ul>\n\n\n\n\n\n\n\n
                                Table 2.4: Create a new Address for WebTerm3<\/caption>\n
                                Field<\/th>\nValue<\/th>\n<\/tr>\n
                                Name<\/td>\nWebTerm3<\/td>\n<\/tr>\n
                                Type<\/td>\nSubnet<\/td>\n<\/tr>\n
                                Subnet\/IP Range<\/td>\n192.168.1.21\/32 (Check your IP in WebTerm3)<\/td>\n<\/tr>\n
                                Interface<\/td>\nany<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
                                \"WebTerm3
                                Figure 2.24: WebTerm3 IP address<\/figcaption><\/figure>\n<\/li>\n
                              • Go to Policy & Objects<\/strong> > Traffic Shapers<\/strong> and create a new Per-IP traffic shaper. Shared affects upload speed while Per-IP affects download and upload speed.
                                \n\n\n\n\n\n\n\n
                                Table 2.5: Traffic Shaper Configuration<\/caption>\n
                                Field<\/th>\nValue<\/th>\n<\/tr>\n
                                Type<\/td>\nPer-IP<\/td>\n<\/tr>\n
                                Name<\/td>\nWebTerm3<\/td>\n<\/tr>\n
                                Max Bandwidth<\/td>\n10000<\/td>\n<\/tr>\n
                                Max Concurrent Connections<\/td>\n5000<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
                                \"Set
                                Figure 2.25: Set traffic shaping<\/figcaption><\/figure>\n<\/li>\n
                              • Go to Policy & Objects > Traffic Shaping Policy <\/strong>and create a new Policy.
                                \n\n\n\n\n\n\n\n\n
                                Table 2.6: Traffic Shaping Policy Configuration<\/caption>\n
                                Field<\/th>\nValue<\/th>\n<\/tr>\n
                                Source<\/td>\nWebTerm3<\/td>\n<\/tr>\n
                                Destination<\/td>\nALL<\/td>\n<\/tr>\n
                                Service<\/td>\nALL<\/td>\n<\/tr>\n
                                Outgoing interface<\/td>\nPort3<\/td>\n<\/tr>\n
                                Per-IP Shaper<\/td>\nWebTerm3<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
                                \"Set
                                Figure 2.26: Set traffic shaping policy<\/figcaption><\/figure>\n<\/li>\n
                              • To verify open the browser in the WebTerm3 and go to Fast.com<\/strong>.
                                \n
                                \"WebTerm3
                                Figure 2.27: WebTerm3 speed test<\/figcaption><\/figure>\n<\/li>\n
                              • Now, open the browser in WebTerm1 and go to Fast.com.<\/strong>
                                \n
                                \"WebTerm1
                                Figure 2.28: WebTerm1 speed test<\/figcaption><\/figure>\n<\/li>\n
                              • We are going to allow only twitter Applications in WebTerm3. Other applications should be blocked. To do:\n
                                  \n
                                1. Add a new Policy from port2 to port3.
                                  \n
                                  \"Add
                                  Figure 2.29: Set Firewall Policy<\/figcaption><\/figure>\n<\/li>\n
                                2. Add and Application Control and Block all applications except Twitter. Then, assign the WebTerm3 profile to Application Control.
                                  \n
                                  \"\"
                                  Figure 2.30: WebTerm3 Application Control Settings<\/span><\/figcaption><\/figure>\n
                                  \"Set
                                  Figure 2.31: Set Application Control<\/figcaption><\/figure>\n<\/li>\n
                                3. Then, put the policy you have created above LocalToInternet Policy.
                                  \n
                                  \"Priority
                                  Figure 2.32: Priority of policies<\/figcaption><\/figure>\n<\/li>\n
                                4. Verify in WebTerm1, you should be able to reach only twitter<\/span>.
                                  \n
                                  \"\"
                                  Figure 2.33: verify twitter.com or x.com is reachable.<\/figcaption><\/figure>\n<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n","protected":false},"author":1562,"menu_order":10,"template":"","meta":{"pb_show_title":"on","pb_short_title":"","pb_subtitle":"","pb_authors":[],"pb_section_license":""},"chapter-type":[],"contributor":[],"license":[],"class_list":["post-75","chapter","type-chapter","status-publish","hentry"],"part":39,"_links":{"self":[{"href":"https:\/\/pressbooks.bccampus.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapters\/75","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pressbooks.bccampus.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapters"}],"about":[{"href":"https:\/\/pressbooks.bccampus.ca\/fortigatefirewall\/wp-json\/wp\/v2\/types\/chapter"}],"author":[{"embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/fortigatefirewall\/wp-json\/wp\/v2\/users\/1562"}],"version-history":[{"count":25,"href":"https:\/\/pressbooks.bccampus.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapters\/75\/revisions"}],"predecessor-version":[{"id":1149,"href":"https:\/\/pressbooks.bccampus.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapters\/75\/revisions\/1149"}],"part":[{"href":"https:\/\/pressbooks.bccampus.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/parts\/39"}],"metadata":[{"href":"https:\/\/pressbooks.bccampus.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapters\/75\/metadata\/"}],"wp:attachment":[{"href":"https:\/\/pressbooks.bccampus.ca\/fortigatefirewall\/wp-json\/wp\/v2\/media?parent=75"}],"wp:term":[{"taxonomy":"chapter-type","embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/fortigatefirewall\/wp-json\/pressbooks\/v2\/chapter-type?post=75"},{"taxonomy":"contributor","embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/fortigatefirewall\/wp-json\/wp\/v2\/contributor?post=75"},{"taxonomy":"license","embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/fortigatefirewall\/wp-json\/wp\/v2\/license?post=75"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}