FortiGate: Application Control (FortiOS 6.4.0)

Captions
Today we're going to talk about application control. Apparently half of y'all don't get it, so I might as well show you. Stay tuned and learn how to put the power of your layer 7 firewall to work for you.

All right guys, so I've had a few people submit questions asking about application control on the firewall. If you weren't aware, a FortiGate is a layer 7 device, and that's layer 7 on the OSI model, so you have, you know, data link, network, transport, session, presentation, application, etc. Layer 7 is the application layer. That's how you actually see the applications that are sending the traffic. For instance, just because it's, you know, port 3389 doesn't necessarily mean it's RDP traffic, but you can find out if you have your firewall configured to use, or to view, application-specific things within the packet. So in this video tonight we're going to actually discuss the two different versions of application control that exist on a FortiGate, as well as how to implement them.

So for those of you that don't know, a FortiGate comes with application control built in, and what that does is, depending on how you deploy it, you're able to view the traffic that's going across your network and then, you know, do security functions on that traffic. So what we're looking at here is, if you're allowing traffic out to the Internet but you want to block specific applications that may use similar ports as other applications, etc., you have that capability. You're also able to do traffic shaping on this level, and much, much more.

The FortiGate has two different operation modes: UTM, profile-driven, and NGFW, policy-driven. With the UTM configuration you're looking at a situation where you have your standard firewall policy, so source, destination, service, schedule, etc., allow, you know, in the action, and then you apply an application control to that. So giving specific people, specific users, access for certain applications can get a little tricky if you're not careful with your source and destination IPs in this regard. So companies like Palo Alto, and now Fortinet, usually deploy in something called policy mode, which means the application is actually part of the policy to allow the traffic. Now what this means is, instead of defining a service, maybe you don't define 53 for DNS, maybe you set the application to DNS, and it doesn't matter what port the firewall sees that traffic going out on; if it's DNS traffic and it's part of that policy to allow it, it'll be allowed to go out. So there's multiple concepts here, right? UTM: you bolt a profile on to a traditional-style firewall arrangement. And then policy mode: you make the application part of the determining factor as to whether or not the traffic can even pass. We're going to do an example setup of each one and I'm going to explain what's taking place in each one. So we'll dive in now, and then from there you guys can pose questions in the comments and I can elaborate if necessary.

So let's dive in and see what we need to do. This right here is our FortiWiFi 61E. It's running 6.4.0, as it has been for quite a while, and right now the firewall is in UTM profile mode. So what that means is we have standard firewall policy, which hasn't been created on this one, but basically I'm gonna create a dummy policy here, right: inside, outside, and we'll just make it all, all, because we want to apply this application filter to all traffic. NAT, application control, where's our base... "base", as you guys know, I like to take the default sensors that come with the device and clone it and make it a base profile with slight tweaks. I go over that in my basic configuration video, which I will actually link in the description below, but I already have that created, so we're going to go in and edit it so I can elaborate on what's taking place here. But this is the application control portion of a profile-based approach to application control.

So you have your policy, right? Let's just say you had a very simple environment and you wanted to block YouTube on that environment. So you have all of your inside traffic going to outside. Now, you don't know YouTube's content delivery network IPs; it's always changing, it's always scaling, shrinking based on load, etc., so you just use your destination as all. You don't know necessarily what ports they're using; chances are they're using 443, but that's not always the case, so you dive in and you set your service to all as well. You want to allow web traffic and normal traffic; the only thing you're really concerned about is blocking the applications you don't wish to traverse your network, and that's where the actual application control kicks in, because your policy's going out and it's going to perform that at that level. Now obviously if you have a firewall in transparent mode, or where your FortiGate is not actually doing your edge NAT translations, you would leave that off, but for the sake of this we're looking at it like it's a simple environment. So that's enabled, we have application control enabled with our base policy, that's going to be the policy that our configuration is based on, and then SSL inspection is set to certificate inspection. If you have any real UTM profile applied, it's usually going to require you to have some level of inspection. So we'll click Next.

So here's our base policy: all of our inside traffic to all of our destination traffic using any service. All I want to do is apply our base application sensor. Now, just because this has a sensor on it means that any traffic that hits that policy, it's going to at least look at the application data that it's able to pull. So on the left, if we go to Security Profiles, Application Control, and our base profile's right here, so we can click Edit. You guys can see that it's a copy of just a monitor-all sensor. It's basically just looking at traffic, and normally my base sensors are configured just like this, because my only goal is to get visibility into what's on the network, and then from there I build out more secure profiles to meet my needs.

So for the sake of this, let's go back. I actually will just edit this one. We want to block YouTube, right? So we go to Video. There's a couple different ways you can do it. You can block it based on the category; now YouTube is going to be under Video and Audio, but it's not our intention to block all video and audio, we just have some people that like to goof off on YouTube all day. So what we would actually do is, instead of blocking it here, we can come down here to Application and Filter Overrides and click Create New, and our action is going to be Block, and we're searching based on application name, and then we just type in YouTube, click Search, and we see all of the various YouTube applications that are currently here. It even shows the YouTube downloader that people use to download videos from YouTube. And since we want to block everything related to YouTube, we just select all of those. Take note, though, you can only block YouTube upload if you wanted, or maybe just searching the videos, so you can block portions of the site so they can still search and find things, maybe email themselves a link later. But we want to block YouTube as a whole, so I select all of them and then I right-click and go to Add Selected, or I can click Add Selected here, or if you wanted to do all, just click Add All Results, right? So it added all of these and our action is Block, so we click OK. So as you can see here, this field is now populated with all the YouTube items and it's set to Block. So if we click Apply, any traffic that hits that policy we have configured, it's gonna block YouTube if it sees that it's YouTube traffic.

Now, one thing to take into consideration is a lot of traffic is SSL encrypted, and while the FortiGate can do a pretty decent job with certificate inspection of determining whether or not it's YouTube in general, the more granular functions, like blocking uploading and stuff like that, may need deep packet inspection, which is going to require a certificate to be installed on the FortiGate. And usually it's recommended in AD environments, where you can take advantage of the trust of the certificates, etc. But we have this done, and now any traffic that's going out on this policy, YouTube will be blocked.

The catch on this is, if you wanted to get granular with who sees what, you would have your most stringent policy at the bottom and then you would put exceptions above it, saying maybe, if you have Fortinet single sign-on, let Suzie get through on this policy that does have our base application, maybe it has an executive application control sensor on it that is more lenient, because she's the boss, she can get on YouTube, you know, things like that. Which is frustrating, because there's a lot of room for error if you don't place your exemptions right. Right? All it takes is one misclick by an engineer and someone could be able to access things that they maybe shouldn't, depending on the level of security you have to do.

The other option is something called policy-based. Now you can change the mode of your FortiGate by going to System, Settings, and Policy-based, and click Apply. Now there's certain things that you need to remember when you're in policy-based mode. It uses central source NATing, which means you no longer configure your NAT on the actual policy; you configure your NAT within the source NAT table, which is right here, central source NAT, meaning if you want, maybe you have five different IPs on your outside interface that you're able to use, you can... we'll talk about source NAT later, that's not relevant for this. But as you see here, you've got Applications, and once it loads you can see all the different application signatures that are built into the FortiGate. We have over 2300 of them. But our policy can be a lot more granular now. So if I wanted to have an executive YouTube, I can say from inside to outside, all traffic to all, for application YouTube, and then what we'll do is, okay, we're going to accept it. So we have this set to, this is for executives, right? Maybe we have a user that's... maybe Mike is an executive. So as long as I say User, just named Mike, we can allow YouTube, we accept it, we let it go. We have it log security events, we're having it listen to the service, which, by the way, you can define. It's like, do I only care if YouTube's going over 443, or do I just listen to whatever that application's default is? Because there are parameters within the FortiGate that actually show you, for instance, you can see here it uses TCP, SSL, HTTP. So click OK, we have our executive YouTube policy.

Now in most environments that aren't running LDAP or Fortinet single sign-on, you would just change your source address to be whatever the source IP address of that user is, you know, set them up with a DHCP reservation, something along those lines. And then you create a new policy and say inside to outside, all, all, because this is everybody else, right? Application: YouTube, we select all the YouTube things, and we want to deny this traffic, so everyone else gets blocked on YouTube. Now remember, a firewall is a deny-by-default piece of equipment out of the box, meaning if you don't create a policy to allow the traffic, it won't work. So right now, according to this policy set, executive users can only go to YouTube, everyone else can't go to anything. So then you have your catch-all at the bottom to allow, you know, your normal traffic; we don't care about application on this one. Accept, OK. And that basically lets you mix the best of both worlds, right? So, you know, my executive people can get to YouTube. No changes, do it. Let's do this just for giggles. Our executive user can go out to YouTube, that's allowed; everyone else is blocked to YouTube. And of course I like to make my names as granular as possible, it saves you from getting in a world of trouble later. So if you're reading this, top to bottom, left to right: executives can get to YouTube, everyone else can't get to YouTube, and then after that we have our policy at the bottom that allows normal web traffic and things like that. And you can just keep expanding upon this, making it more and more granular, so it's really, really powerful.

It's kind of concerning that most people buy these wonderful devices, whether it's, you know, Palo Alto or a Fortinet FortiGate, or hell, even the newer crappy Cisco devices that have some level of layer 7 connectivity; the fact that people are buying them and not putting this to work for them is huge, because this is a major security threat. Maybe you only want to allow certain applications to cross your network, maybe you want to block BitTorrent, maybe you want to block YouTube or Snapchat or things like that. This is the ultimate way to do it. And of course, whether or not you want to use UTM profile-driven or if you want to use the application policy style, it's up to you. I actually learned layer 7 firewalls on a Palo, so the NGFW policy style works a little bit better for me, but, you know, the world is open to you whenever it comes to security if you have layer 7 capabilities enabled on your device and you're actually putting them to work.

So if you have any questions, please don't hesitate to put them in the comments below. I will be keeping an eye out, paying attention. We will have a video talking about the central NAT table, talking about source NAT, destination NAT, VIPs, etc., so we can go from there. If you enjoyed this video, if it's helped you, please do me a solid: hit the like button, subscribe to the channel, and hit the notification thing to find out whenever new videos come out, and hopefully I'll continue providing you the guidance and the help that you need to make your firewall deployment much more effective and easy for you. The last thing you want to do is waste your time, you know, burning cycles running in circles trying to figure something out, and that's what I'm here for. So until next time, guys, have a wonderful night and enjoy your application control.
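The two modes described in the video differ in where the application decision sits: in UTM profile mode the policy matches on addresses, ports and schedule and a sensor is applied afterwards, while in NGFW policy-based mode the application is one of the match terms and a non-matching policy is simply skipped. The following is an added example, written for this page and not taken from the video or from FortiOS, that models both evaluation orders as first-match policy tables so the ordering consequences the speaker warns about can be exercised. The user names, policy names and application signature names (YouTube, YouTube_Upload, YouTube_Search) are constructed assumptions; real FortiGuard signature names differ, and identity resolution (FSSO/LDAP) and layer 7 identification are assumed to have already happened before the flow reaches the table.

```python
"""Toy first-match model of the two FortiGate application-control modes.

Constructed for this page; it is not FortiOS code. User names, policy names
and application signature names are illustrative assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

Verdict = Tuple[str, str]                      # (policy name, "accept" | "deny")
IMPLICIT_DENY: Verdict = ("implicit-deny", "deny")

# Illustrative signature names; real FortiGuard names differ.
YOUTUBE_APPS = frozenset({"YouTube", "YouTube_Upload", "YouTube_Search"})
EXECUTIVES = frozenset({"mike"})               # assumed FSSO/LDAP identity


@dataclass(frozen=True)
class Flow:
    user: str        # identity the firewall resolved, "" if unknown
    app: str         # layer 7 application the inspection engine identified
    dst_port: int    # transport port; deliberately NOT used for the app decision


# ---- UTM / profile mode: L3/L4 policy matches first, sensor is bolted on ----
@dataclass
class AppSensor:
    name: str
    default: str = "monitor"                                 # clone of monitor-all
    overrides: Dict[str, str] = field(default_factory=dict)  # app -> "block"/"allow"

    def verdict(self, app: str) -> str:
        return self.overrides.get(app, self.default)


@dataclass
class UtmPolicy:
    name: str
    users: Optional[FrozenSet[str]]   # None = any source
    sensor: Optional[AppSensor]
    action: str = "accept"


def evaluate_utm(policies: List[UtmPolicy], flow: Flow) -> Verdict:
    """First policy whose L3/L4 terms match wins; its sensor then filters."""
    for p in policies:
        if p.users is not None and flow.user not in p.users:
            continue
        if p.action != "accept":
            return p.name, "deny"
        if p.sensor is not None and p.sensor.verdict(flow.app) == "block":
            return p.name, "deny"
        return p.name, "accept"
    return IMPLICIT_DENY


# ---- NGFW / policy-based mode: the application is part of the match itself ----
@dataclass
class NgfwPolicy:
    name: str
    users: Optional[FrozenSet[str]]   # None = any source
    apps: Optional[FrozenSet[str]]    # None = any application
    action: str


def evaluate_ngfw(policies: List[NgfwPolicy], flow: Flow) -> Verdict:
    """An application mismatch skips the policy; it does not drop the traffic."""
    for p in policies:
        if p.users is not None and flow.user not in p.users:
            continue
        if p.apps is not None and flow.app not in p.apps:
            continue
        return p.name, p.action
    return IMPLICIT_DENY


def utm_policy_set() -> List[UtmPolicy]:
    base = AppSensor("base")                                   # monitor-only clone
    block_yt = AppSensor("base-block-youtube",
                         overrides={a: "block" for a in YOUTUBE_APPS})
    # Lenient exception above, strict catch-all below (the order the video describes).
    return [UtmPolicy("exec-out", EXECUTIVES, base),
            UtmPolicy("inside-out", None, block_yt)]


def ngfw_policy_set() -> List[NgfwPolicy]:
    return [NgfwPolicy("exec-youtube", EXECUTIVES, YOUTUBE_APPS, "accept"),
            NgfwPolicy("block-youtube", None, YOUTUBE_APPS, "deny"),
            NgfwPolicy("allow-web", None, None, "accept")]      # catch-all


if __name__ == "__main__":
    for flow in (Flow("mike", "YouTube", 443), Flow("alice", "YouTube", 8080),
                 Flow("alice", "HTTPS", 443), Flow("", "RDP", 3389)):
        print(flow, evaluate_utm(utm_policy_set(), flow),
              evaluate_ngfw(ngfw_policy_set(), flow))
```

Two things worth trying with the model: remove the `allow-web` catch-all and every non-YouTube flow falls to the implicit deny, which is the "everyone else can't go to anything" state from the video; swap the first two NGFW policies and the executive is denied by `block-youtube` before the exception is ever reached, which is the ordering mistake the speaker calls out. The `dst_port` field is carried but never consulted, matching the point that port 3389 is not proof of RDP: the decision rides on what layer 7 inspection identified.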
Info
Channel: Fortinet Guru
Views: 25,515
Id: IkDlXQfkCAk
Length: 18min 15sec (1095 seconds)
Published: Tue May 05 2020