In this recipe, you will use Application Control to monitor application traffic on your network and then selectively block unwanted traffic. Peer-to-peer (P2P) traffic is blocked in this example.
1. Enabling Application Control and Multiple Security Profiles
Go to System > Feature Select and ensure that Application Control and Multiple Security Profiles are enabled.
2. Using the default Application Control profile to monitor network traffic
The default Application Control profile is set to monitor all applications except for Unknown pplications. You will use this profile to monitor traffic and identify any applications that should be blocked.
Go to Security Profiles > Application Control and view the default profile.
Confirm that all Categories are set to Monitor with the exception of Unknown Applications.
3. Editing the security policy for outgoing traffic
Go to Policy & Objects > IPv4 Policy and edit the policy that allows connections from the internal network to the Internet.
Under Security Profiles, turn on Application Control and use the default profile.
To inspect all traffic, SSH inspection must be set to deep-inspection profile. Using the deep-inspection profile may cause certificate errors. See Preventing certificate warnings for more information.
4. Reviewing the FortiView dashboards
Go to FortiView > Applications and select the now view to display network traffic flowing through your FortiGate listed by application.
You can see P2P traffic occurring in your network.
Double-click any application to view drilldown information, including traffic sources, traffic destinations, and information about individual sessions.
5. Creating an application profile to block P2P applications
In step 4, Application Control detected traffic from BitTorrent, a P2P downloading application. In this step, you create an Application Control profile to block all P2P applications.
Go to Security Profiles > Application Control and create a new profile.
Set the P2P category to Block.
6. Adding the blocking profile to a security policy
Go to Policy & Objects > IPv4 Policy and edit the policy that allows connections from the internal network to the Internet.
Set Application Control to use the new profile.
7. Results
Attempt to visit the BitTorrent site. A FortiGuard warning message will appear, stating that the application was blocked. Application Control uses flow-based inspection; if you apply an additional security profile to your traffic that is proxy-based, the connection will simply timeout rather than display the warning message.
Test the P2P blocking by attempting to use the BitTorrent application. Traffic blocked.
To view information about the blocked traffic, go to FortiView > Applications, select the 5 minutes view, and filter the traffic by Security Action: Blocked.
For further reading, check out Application control in the FortiOS 5.4 Handbook.
