Chapter 2. Policy
2.2 Application Profile
Learning Objectives
- Work with application profile in FortiGate
- Create a Traffic Shaper
- Apply Traffic Shaping to the traffic
Scenario: Application control uses IPS protocol decoders that analyze network traffic to identify application traffic, even when that traffic uses non-standard ports or protocols. In the first example we block social networks; in the second we set a Traffic Shaper for the local PCs. Finally, we verify the connection speed on both PCs in the local network and compare them.
Working with Application Profile
- Go to Policy & Objects > Firewall Policy, select the LocalToInternet policy you created in the previous section and click Edit.
- Go to Security Profile section > Application Control.
- Create a new Application Control profile:
- Name: Ban-SocialNetwork
- In Categories, set Social Media and Video/Audio to Block.
Application and Filter Overrides: because a filter override is configured to block applications that use excessive bandwidth, it blocks all applications that use excessive bandwidth, regardless of any category setting that would otherwise allow them.
- In Application and Filter overrides > Create a new.
- Select Application
- Action: Block
- Application: YouTube
- In Application and Filter overrides > Create a new.
- Select Application
- Action: Block
- Application: Facebook_Chat
- Click OK on all dialogs. Now open the browser, go to Twitter.com or YouTube.com and try to search for a video; you should receive an application block page.
- Go to Log & Report > Application Control and try to find the logs related to the previous step.
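When you look for the block events in Log & Report, it helps to know what a matching record looks like and to check that every application in the profile actually produced a block. The script below is an added example and is not part of the lab guide: it parses FortiGate-style key=value log lines (the sample lines are constructed here, not captured from the lab), counts application-control blocks per source IP and application, and reports any application from the Ban-SocialNetwork profile that has not yet produced a block log. The field names (type, subtype, srcip, app, appcat, action) follow the FortiOS app-ctrl log format; the values are invented.

```python
import re
from collections import Counter

# Constructed sample lines in the FortiGate key=value log style (not real logs from the lab).
SAMPLE_LOGS = [
    'date=2024-01-10 time=10:02:11 type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" '
    'level="warning" srcip=192.168.1.21 dstip=203.0.113.10 service="HTTPS" appcat="Social.Media" '
    'app="Facebook_Chat" action="block" msg="Social.Media: Facebook_Chat" apprisk="medium"',
    'date=2024-01-10 time=10:02:15 type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" '
    'level="warning" srcip=192.168.1.21 dstip=203.0.113.20 service="HTTPS" appcat="Video/Audio" '
    'app="YouTube" action="block" msg="Video/Audio: YouTube"',
    'date=2024-01-10 time=10:03:40 type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" '
    'level="information" srcip=192.168.1.22 dstip=203.0.113.30 service="HTTPS" appcat="Web.Client" '
    'app="HTTPS.BROWSER" action="pass" msg="Web.Client: HTTPS.BROWSER"',
    # A web-filter record: same action wording style but a different subtype, so it must be ignored.
    'date=2024-01-10 time=10:04:02 type="utm" subtype="webfilter" eventtype="ftgd_blk" '
    'srcip=192.168.1.21 action="blocked"',
]

# key=value tokens; quoted values may contain spaces (e.g. msg="Social.Media: Facebook_Chat").
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line):
    """Split one FortiGate log line into a dict, stripping the quotes from quoted values."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def app_control_blocks(lines):
    """Count application-control block events per (srcip, app); other subtypes are ignored."""
    counts = Counter()
    for line in lines:
        f = parse_log_line(line)
        if f.get("subtype") == "app-ctrl" and f.get("action") == "block":
            counts[(f.get("srcip"), f.get("app"))] += 1
    return counts


def missing_expected_blocks(counts, expected_apps):
    """Applications from the profile that never produced a block log.

    A non-empty result means the profile has not been exercised (or not applied)
    for those applications yet, so do not treat the policy as verified.
    """
    seen = {app for (_, app) in counts}
    return set(expected_apps) - seen


if __name__ == "__main__":
    blocks = app_control_blocks(SAMPLE_LOGS)
    for (src, app), n in sorted(blocks.items()):
        print(f"{src} -> {app}: {n} block(s)")
    print("not yet seen blocked:", missing_expected_blocks(blocks, {"YouTube", "Facebook_Chat", "Twitter"}))
```

On the sample data the script reports one block each for Facebook_Chat and YouTube from 192.168.1.21 and flags Twitter as not yet blocked, which is exactly the gap you would want to notice before considering the profile verified.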
Working with Application Profile: Part 2
| Device | Configuration |
|---|---|
| FortiGate | Port 2: DHCP Server (192.168.1.20 – 192.168.1.30); Port 3: DHCP Client |
| WebTerm1 | DHCP Client |
| WebTerm3 | DHCP Client |
- Remove the application control you have set for policies in the previous step.
- Add Ethernet Switch and WebTerm3 to your GNS3. WebTerm3 should receive an IP address from DHCP.
- Set traffic shaping for WebTerm3 to save the bandwidth.
- Create an Address object for WebTerm3. Go to Addresses > Create a new Address with the following information:
Table 2.4: Create a new Address for WebTerm3

| Field | Value |
|---|---|
| Name | WebTerm3 |
| Type | Subnet |
| Subnet/IP Range | 192.168.1.21/32 (check your IP in WebTerm3) |
| Interface | any |

- Go to Policy & Objects > Traffic Shapers and create a new Per-IP traffic shaper. Shared affects upload speed, while Per-IP affects download and upload speed.

Table 2.5: Traffic Shaper Configuration

| Field | Value |
|---|---|
| Type | Per-IP |
| Name | WebTerm3 |
| Max Bandwidth | 10000 |
| Max Concurrent Connections | 5000 |

- Go to Policy & Objects > Traffic Shaping Policy and create a new Policy.

Table 2.6: Traffic Shaping Policy Configuration

| Field | Value |
|---|---|
| Source | WebTerm3 |
| Destination | ALL |
| Service | ALL |
| Outgoing interface | Port3 |
| Per-IP Shaper | WebTerm3 |

- To verify, open the browser in WebTerm3 and go to Fast.com.
- Now, open the browser in WebTerm1 and go to Fast.com.
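The three tables above describe one configuration built through the GUI. The script below is an added example, not part of the lab guide or FortiGate's own tooling: it generates the equivalent FortiOS CLI for the address object, the Per-IP shaper and the shaping policy from the table values, converting the /32 CIDR into the dotted netmask the CLI expects, and it warns about the one thing the GUI will not tell you: WebTerm3's address 192.168.1.21 sits inside the Port 2 DHCP pool, so if the lease moves to a different host the shaper silently stops applying to WebTerm3. The CLI keywords (`config firewall shaper per-ip-shaper`, `max-bandwidth`, `max-concurrent-session`, `config firewall shaping-policy`, `per-ip-shaper`) are written from my own knowledge of FortiOS and should be checked against your firmware version; the interface name `port3` is assumed to be the CLI name of the GUI's Port3, and the bandwidth value is taken to be in kbps (the FortiGate default unit).

```python
import ipaddress

# DHCP scope of Port 2 from the device table in this section.
DHCP_FIRST, DHCP_LAST = "192.168.1.20", "192.168.1.30"


def in_dhcp_scope(ip, first=DHCP_FIRST, last=DHCP_LAST):
    """True if ip falls inside the DHCP pool, i.e. the lease may later move to another host."""
    a = ipaddress.IPv4Address(ip)
    return ipaddress.IPv4Address(first) <= a <= ipaddress.IPv4Address(last)


def address_object(name, cidr):
    """Address object (Table 2.4). FortiOS wants 'ip mask' in dotted form, so convert from CIDR."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return [
        "config firewall address",
        f'    edit "{name}"',
        f"        set subnet {net.network_address} {net.netmask}",
        "    next",
        "end",
    ]


def per_ip_shaper(name, max_bandwidth_kbps, max_sessions):
    """Per-IP shaper (Table 2.5): the limits apply to each matching source IP separately."""
    return [
        "config firewall shaper per-ip-shaper",
        f'    edit "{name}"',
        f"        set max-bandwidth {max_bandwidth_kbps}",       # assumed unit: kbps
        f"        set max-concurrent-session {max_sessions}",
        "    next",
        "end",
    ]


def shaping_policy(seq, srcaddr, dstintf, shaper, dstaddr="all", service="ALL"):
    """Shaping policy (Table 2.6) tying the address object to the Per-IP shaper on the outgoing interface."""
    return [
        "config firewall shaping-policy",
        f"    edit {seq}",
        f'        set srcaddr "{srcaddr}"',
        f'        set dstaddr "{dstaddr}"',
        f'        set service "{service}"',
        f'        set dstintf "{dstintf}"',
        f'        set per-ip-shaper "{shaper}"',
        "    next",
        "end",
    ]


def build_config(host, cidr, dstintf, max_kbps, max_sessions, seq=1):
    """Return (cli_text, warnings). Warnings are kept out of the CLI text so it can be pasted as-is."""
    warnings = []
    net = ipaddress.IPv4Network(cidr, strict=False)
    if net.prefixlen != 32:
        warnings.append(f"{cidr} covers {net.num_addresses} addresses; "
                        "a per-IP shaper limits each of them separately, not the group as a whole")
    elif in_dhcp_scope(str(net.network_address)):
        warnings.append(f"{net.network_address} is inside the DHCP pool {DHCP_FIRST}-{DHCP_LAST}; "
                        "reserve it for this host on the DHCP server, otherwise the shaper stops "
                        "matching when the lease changes")
    config = (address_object(host, cidr)
              + per_ip_shaper(host, max_kbps, max_sessions)
              + shaping_policy(seq, host, dstintf, host))
    return "\n".join(config), warnings


if __name__ == "__main__":
    cli, warns = build_config("WebTerm3", "192.168.1.21/32", "port3", 10000, 5000)
    print(cli)
    for w in warns:
        print("WARNING:", w)
```

Running it with the lab values prints the three CLI blocks followed by the DHCP warning; the same generator accepts any host or subnet, and for a subnet it warns instead that the Per-IP limit is applied to every address individually, which is the difference between Per-IP and Shared that the verification step on Fast.com is meant to show.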
- We are going to allow only the Twitter application in WebTerm3; all other applications should be blocked. To do this:
- Add a new Policy from port2 to port3.
- Add an Application Control profile and block all applications except Twitter. Then, assign the WebTerm3 profile to Application Control.
- Then, put the policy you have created above LocalToInternet Policy.
- Verify: in WebTerm1, you should be able to reach any websites.
- Add a new Policy from port2 to port3.