FortiGate Security 7.2 Study Guide-Online-9

Application Control

DO NOT REPRINT
© FORTINET

If an application is necessary but you must prevent it from consuming too much bandwidth, then instead of
blocking it entirely you can apply a rate limit to the application. For example, you can rate limit applications
used for storage or backup, leaving enough bandwidth for more sensitive streaming applications, such as
video conferencing.

Applying traffic shaping to applications is very useful when you’re trying to limit traffic that uses the same TCP
or UDP port numbers as mission-critical applications. Some high-traffic web sites, such as YouTube, can be
throttled in this way.

Examine the details of how throttling works. Not all URL requests to www.youtube.com are for video. Your
browser makes several HTTPS requests for:
• The web page itself
• Images
• Scripts and style sheets
• Video

All of these items have separate URLs. If you analyze a site like YouTube, the web pages themselves don’t
use much bandwidth; it is the video content that uses the most bandwidth. But, since all content is transported
using the same protocol (HTTPS), and the URLs contain dynamically generated alphanumeric strings,
traditional firewall policies can't block or throttle the traffic by port number or protocol because they are the
same. Using application control, you can rate limit only videos. Doing this prevents users from saturating your
network bandwidth, while still allowing them to access the other content on the site, such as for comments or
sharing links.

FortiGate Security 7.2 Study Guide 321


Application Control

DO NOT REPRINT
© FORTINET

You can limit the bandwidth of an application category, application group, or specific application by configuring
a traffic shaping policy. You can also apply traffic shaping to FortiGuard web filter categories and to the
application group.

You must ensure that the match criteria align with the firewall policy or policies to which you want to apply
shaping. They do not have to match exactly. For example, if the source in the firewall policy is set to all
(0.0.0.0/0.0.0.0), you can set the source in the traffic shaping policy to any source that is included in all,
for example, LOCAL_SUBNET (10.0.1.0/24).

If the traffic shaping policy is not visible in the GUI, you can enable it on the Feature Visibility page.

There are two types of shapers that you can configure on the Traffic Shaping Policy page, and you can
apply them in the traffic shaping policy:
• Shared shaper: applies a total bandwidth to all traffic using that shaper. The scope can be per policy or for
all policies referencing that shaper.
• Per-IP shaper: applies traffic shaping to all source IP addresses in the security policy. Bandwidth is
equally divided among the group.

Note that the outgoing interface is usually the egress interface (WAN). The Shared shaper setting is applied
to ingress-to-egress traffic, which is useful for restricting bandwidth for uploading. The Reverse Shaper
setting is also a shared shaper, but it is applied to traffic in the reverse direction (egress-to-ingress traffic).
This is useful for restricting bandwidth for downloading or streaming, because it limits the bandwidth from the
external interface to the internal interface.

Good job! You now understand application control configuration.

Now, you will learn about logging and monitoring application control events.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in application control configuration, including reviewing application control logs,
you will be able to effectively use and monitor application control events.

Regardless of which operation mode application control is configured in, you must enable logging on the
security or firewall policy. When you enable the logging of security events or all sessions on a security or
firewall policy, application control events are also logged. You must apply application control to the security or
firewall policy to enable application control event logging.

When the Deny action is selected on a security or firewall policy, you must enable the Log Violations option
to generate application control events for blocked traffic.

FortiGate logs all application control events on the Security Events pane on the Log & Report page. You
can view the logs by clicking on Application Control.

In the example shown on this slide, the default application control profile blocks access to Dailymotion. You
can view this information in the Log Details section, as well as information about the log source, destination,
application, and action.

Note that application control generates this log message using a profile-based configuration. The log message
for an NGFW policy-based configuration does not include information that does not apply, such as the
application sensor name. The remainder of the information and structure of the log message is the same for
each log, regardless of which inspection mode FortiGate is using.

You can also view the details on the Forward Traffic logs pane, where firewall policies record activity,
including a summary of the traffic to which FortiGate applied application control. This is possible because
application control is applied by a firewall policy. To find out which policy applied application control, review
either the Policy ID or the Policy UUID field of the log message.
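The fields named above (policy ID, policy UUID, application, action) are what you would parse from a raw log export. The following is an added example, not code from the study guide or from Fortinet: a small Python parser over constructed FortiOS-style key=value lines that keeps only application control UTM events and groups blocked applications by the policy that blocked them. The sample lines, addresses, UUIDs and log IDs are placeholders; only the field names follow the FortiOS key=value layout. The third sample line has no profile field, mirroring the NGFW policy-based log described above, and the grouping still works because it relies only on fields common to both forms.

```python
"""Added example (not FortiGate code): parse FortiOS-style key=value log lines and
pull out the application control events.

SAMPLE_LOGS is constructed for illustration: the IP addresses, UUIDs and log IDs are
placeholders, and the field names follow the FortiOS key=value layout.
"""
import re

SAMPLE_LOGS = [
    # profile-based app control event, blocked
    'date=2023-05-01 time=10:15:02 logid="0000000001" type="utm" subtype="app-ctrl" '
    'eventtype="app-ctrl-all" level="warning" action="block" policyid=3 '
    'poluuid="00000000-0000-0000-0000-000000000003" srcip=10.0.1.10 dstip=203.0.113.5 '
    'service="HTTPS" appcat="Video/Audio" app="Dailymotion" profile="default"',
    # profile-based app control event, passed
    'date=2023-05-01 time=10:15:05 logid="0000000001" type="utm" subtype="app-ctrl" '
    'eventtype="app-ctrl-all" level="information" action="pass" policyid=3 '
    'poluuid="00000000-0000-0000-0000-000000000003" srcip=10.0.1.11 dstip=198.51.100.7 '
    'service="HTTPS" appcat="Collaboration" app="Zoom" profile="default"',
    # NGFW policy-based event: no profile field, as the text notes
    'date=2023-05-01 time=10:15:08 logid="0000000001" type="utm" subtype="app-ctrl" '
    'eventtype="app-ctrl-all" level="warning" action="block" policyid=7 '
    'poluuid="00000000-0000-0000-0000-000000000007" srcip=10.0.1.12 dstip=198.51.100.9 '
    'service="HTTPS" appcat="Video/Audio" app="YouTube"',
    # forward traffic log: same policy, but not an app control event
    'date=2023-05-01 time=10:15:09 logid="0000000002" type="traffic" subtype="forward" '
    'action="accept" policyid=3 poluuid="00000000-0000-0000-0000-000000000003" '
    'srcip=10.0.1.12 dstip=198.51.100.9 service="HTTPS" app="HTTPS.BROWSER"',
]

# key=value pairs; a value is either a quoted string (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn one key=value line into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def app_control_events(lines):
    """Keep only application control UTM events (type=utm, subtype=app-ctrl)."""
    return [f for f in map(parse_line, lines)
            if f.get("type") == "utm" and f.get("subtype") == "app-ctrl"]


def blocked_apps_by_policy(lines):
    """Map (policyid, poluuid) -> sorted list of applications that policy blocked.

    Works for profile-based and NGFW policy-based logs alike, because only
    fields present in both forms are used.
    """
    grouped = {}
    for f in app_control_events(lines):
        if f.get("action") != "block":
            continue
        key = (f.get("policyid"), f.get("poluuid"))
        grouped.setdefault(key, set()).add(f.get("app"))
    return {key: sorted(apps) for key, apps in grouped.items()}


if __name__ == "__main__":
    for policy, apps in blocked_apps_by_policy(SAMPLE_LOGS).items():
        print(policy, apps)
```

Feeding an exported log file to this instead of SAMPLE_LOGS is a matter of reading it line by line; the forward traffic line is deliberately included to show that filtering on type and subtype is what separates application control events from the policy's ordinary traffic records.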

On the Dashboard menu, the Top Applications standalone page provides details about each application,
such as the application name, category, and bandwidth. You can drill down further to see more granular
details by double-clicking an individual log entry. The detailed view provides information about the source,
destination, policies, or sessions for the selected application.

Good job! You now understand application control logging and monitoring.

Now, you will learn about application control best practices and troubleshooting.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in application control best practices and troubleshooting, you will be able to
configure and maintain an effective application control solution.

This slide lists some best practices to keep in mind when implementing application control on FortiGate.

Not all traffic requires an application control scan. Don’t apply application control to internal-only traffic.

To minimize resource use on FortiGate, be as specific as possible when creating firewall policies. This
reduces resource use, and also helps you build a more secure firewall configuration.

Create identical firewall policies for all redundant internet connections, to ensure that the same inspection is
performed on failover traffic. Select Deep-Inspection instead of Certificate-based inspection for the
SSL/SSH inspection mode, to ensure content inspection is performed on encrypted protocols.

FortiGate models that feature specialized chips, such as network processors and content processors, can
offload and accelerate application signature matching for enhanced performance.

You can use a FortiCloud account to save and view application control logs in FortiView, on FortiGate devices
that do not have a log disk.

If you are experiencing issues with a FortiGuard application control update, start troubleshooting the issue
with the most basic steps:
• Make sure that FortiGate has a stable connection to the internet or FortiManager (if FortiGate is configured
to receive updates from FortiManager)
• If the internet connection is stable, check DNS resolution on FortiGate
• If FortiGate is installed behind a network firewall, make sure that port 443 is being allowed from FortiGate

You can check the FortiGuard website for the latest version of the application control database. If your locally
installed database is out-of-date, try forcing FortiGate to check for the latest updates by running the execute
update-now command.

Congratulations! You have completed this lesson.

Now, you’ll review the objectives that you covered in this lesson.

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to use methods beyond simply blocking
protocols, port numbers, or IP addresses, to monitor and control both standard and non-standard network
applications.

Antivirus

In this lesson, you will learn how to use FortiGate to protect your network against viruses.

In this lesson, you will learn about the topics shown on this slide.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in antivirus basics, you will be able to understand and apply antivirus on
FortiGate.

Like viruses, which use many methods to avoid detection, FortiGate uses many techniques to detect viruses.
These detection techniques include:
• Antivirus scan: This is the first, fastest, simplest way to detect malware. It detects viruses that are an exact
match for a signature in the antivirus database.
• Grayware scan: This scan detects unsolicited programs, known as grayware, that have been installed
without the user’s knowledge or consent. Grayware is not technically a virus. It is often bundled with
innocuous software, but does have unwanted side effects, so it is categorized as malware. Often, grayware
can be detected with a simple FortiGuard grayware signature.
• Machine learning (AI) scan: These scans are based on probability, so they increase the possibility of false
positives, but they also detect zero-day attacks. Zero-day attacks are malware that is new and unknown
and, therefore, has no existing associated signature. If your network is a frequent target, enabling an AI
scan may be worth the performance cost because it can help you to detect a virus before the outbreak
begins. Files detected by AI scan are identified with the W32/AI.Pallas.Suspicious signature.

If all antivirus features are enabled, FortiGate applies the following scanning order: antivirus scan, followed by
grayware scan, followed by AI scan.

What if AI scans are too uncertain? What if you need a more sophisticated, more certain way to detect
malware and find zero-day viruses?

You can integrate your antivirus scans with either FortiSandbox Cloud or a FortiSandbox appliance. Note that
you must enable cloud sandboxing on the CLI under the system global settings for the configuration options
to appear on the GUI. For environments that require more certainty, FortiSandbox executes the file within a
protected environment (VMs), then examines the effects of the software to see if it is dangerous.

For example, let’s say you have two files. Both alter the system registry and are, therefore, suspicious. One is
a driver installation—its behavior is normal—but the second file installs a virus that connects to a botnet
command and control server. Sandboxing would reveal the difference.

FortiGate can be configured to receive a supplementary signature database from FortiSandbox based on the
sandboxed results.

FortiOS is smart when it comes to determining what files are sent to FortiSandbox. One feature FortiOS uses
for this is content disarm and reconstruction (CDR), a proxy-based feature that you will learn more about in
this lesson. When CDR processes files, the original documents can be saved to FortiSandbox.

FortiGuard provides FortiGate with information based on the current threat climate, that is used to determine if
a file should be deemed suspicious or not. FortiGate provides the administrator with granular control when it
comes to determining what type of files are sent to FortiSandbox for further investigation. Administrators also
have the option to use the FortiSandbox database, in conjunction with the FortiGuard antivirus database, to
enhance their network security.

FortiSandbox inline scanning is supported only in proxy inspection mode. You will need to enable inline
scanning under system fortisandbox settings and then select Inline in the antivirus profile. When the setting is
enabled, the client’s file is held by FortiSandbox for inspection, and an appropriate configured action is applied
once a verdict is returned. Inline scanning is not supported on FortiSandbox Cloud or FortiGate Cloud
Sandbox.

Scheduled updates let you download updates at regular intervals, such as hourly, daily, or weekly, or
automatically (within every hour). You can also enable AntiVirus PUP/PUA, which allows antivirus
grayware checks for potentially unwanted programs and applications.

Regardless of which method you select, you must enable virus scanning in at least one firewall policy.
Otherwise, FortiGate will not download any updates. Alternatively, you can download packages from the
Fortinet customer service and support website (requires subscription), and then manually upload them to your
FortiGate. You can verify the update status and signature versions from the FortiGuard page on the GUI or
using the CLI console.

Multiple FortiGuard antivirus databases exist, which you can configure using CLI commands. Support for each
database type varies by FortiGate model.

All FortiGate devices include the extended database. The extended database contains signatures for viruses
that have been detected in recent months, as identified by the FortiGuard Global Security Research Team.
The extended database also detects viruses that are no longer active.

The extreme database is intended for use in high-security environments. The extreme database detects all
known viruses, including viruses targeted at legacy operating systems that are no longer widely used. Most
FortiGate models support the extreme database.

CDR: The CDR removes exploitable content and replaces it with content that's known to be safe. As files are
processed through an enabled antivirus profile, content that's found to be malicious or unsafe is replaced with
content that allows the traffic to continue, but doesn't put the recipient at risk. Content that can be scanned
includes PDF and Microsoft Office files leaving the network on CDR-supported protocols (such as HTTP,
SMTP, IMAP, and POP3—MAPI isn't supported). When the client tries to download the file, FortiGate
removes all exploitable content in real-time, and then sends the original file to FortiSandbox for inspection.
The client can download the original file by logging in to FortiSandbox.

Virus outbreak prevention: This is an additional layer of protection that keeps your network safe from newly
emerging malware. Quick virus outbreaks can infect a network before signatures can be developed to stop
them. Outbreak protection stops these virus outbreaks until signatures become available in FortiGuard.
FortiGate must have a zero-hour virus outbreak (ZHVO) license. FortiGate adds hash-based virus detection
for new threats that are not yet detected by the antivirus signatures. When the file is sent to the scanunit
daemon, buffers are hashed and a request is sent to the urlfilter daemon. After checking against its request
cache for known signatures, the urlfilter daemon sends an antivirus request to FortiGuard with the remaining
signatures. FortiGuard returns a rating that is used to determine if the scanunit daemon should report the file
as harmful or not. Jobs remain suspended in the scanunit daemon until the client receives a response, or the
request times out.

Malware block list: FortiGate can enhance the antivirus database by linking a dynamic external malware block
list to FortiGate. The list is hosted on a web server and is available through an HTTP/HTTPS URL defined
within the Security Fabric malware hash list. The hash list can contain MD5, SHA1, and SHA256 hashes,
written one per line in a plain-text file. The malware block list can be defined as a Security Fabric
connector and configured to pull the list dynamically, by setting the refresh rate.

Good job! You now understand the basics of antivirus functionality.

Now, you will learn about antivirus scanning modes.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in all antivirus scanning modes available in FortiOS, you will be able to use the
antivirus profile in an effective manner.

AV can operate in flow-based or proxy-based inspection mode, both of which use the full AV database
(extended or extreme, depending on the CLI settings).

Flow-based inspection mode uses a hybrid of the scanning modes available in proxy-based inspection: the
default scanning mode and the legacy scanning mode. The default mode enhances the scanning of nested
archive files without buffering the container archive file. The legacy mode buffers the full container, and then
scans it.

In flow-based inspection mode, the IPS engine reads the payload of each packet, caches a local copy, and
forwards the packet to the receiver at the same time. Because the file is transmitted simultaneously, flow-
based mode consumes more CPU cycles than proxy-based. However, depending on the FortiGate model,
some operations can be offloaded to SPUs to improve performance. When FortiGate receives the last packet
of the file, it puts the packet on hold and sends a copy to the IPS engine. The IPS engine extracts the payload
and assembles the whole file, and then sends the whole file to the AV engine for scanning.

Two possible scenarios can occur when a virus is detected:
• When a virus is detected on a TCP session where some packets have been already forwarded to the
receiver, FortiGate resets the connection and does not send the last piece of the file. Although the receiver
got most of the file content, the file has been truncated and therefore, can’t be opened. The IPS engine
also caches the URL of the infected file, so that if a second attempt to transmit the file is made, the IPS
engine will then send a block replacement message to the client instead of scanning the file again.
• If the virus is detected at the start of the connection, the IPS engine sends the block replacement message
immediately.

As you can see on this slide, the client sends a request and starts receiving packets immediately, but
FortiGate also caches those packets at the same time. When the last packet arrives, FortiGate caches it and
puts it on hold. Then, the IPS engine extracts the payload of the last packet, assembles the whole file, and
sends it to the antivirus engine for scanning. If the antivirus scan does not detect any viruses, and the result
comes back clean, the last cached packet is regenerated and delivered to the client. However, if a virus is
found, the last packet is dropped. Even if the client has received most of the file, the file will be truncated and
the client will not be able to open a truncated file.

Regardless of which mode you use, the scan techniques give similar detection rates. How can you choose
between the scan engines? If performance is your top priority, then flow inspection mode is more appropriate.
If security is your priority, proxy inspection mode—with client comforting disabled—is more appropriate.

Each protocol’s proxy picks up a connection and buffers the entire file first (or waits until the oversize limit is
reached) before scanning. The client must wait for the scanning to finish. If a virus is detected, the block
replacement page is displayed immediately. Because FortiGate has to buffer the whole file and then do the
scanning, it takes a long time to scan. Also, from the client point of view, it has to wait for the scanning to
finish and might terminate the connection due to lack of data.

You can configure client comforting for HTTP and FTP from the config firewall profile-protocol-options
command tree. This allows the proxy to slowly transmit some data until it can complete the buffer and finish
the scan, which prevents a connection or session timeout. No block replacement message appears on the
first attempt, because FortiGate is already transmitting packets to the end client.

Using proxy inspection antivirus allows you to use stream-based scanning, which is enabled by default.
Stream-based scanning scans large archive files by decompressing the files and then scanning and extracting
them at the same time. This process optimizes memory utilization to conserve resources on FortiGate.
Viruses are detected even if they are in the middle or towards the end of these large files.

With a proxy inspection mode scan, the client sends a request and FortiGate starts buffering the whole file,
then sends it to the antivirus engine for scanning. If the file is clean (without any viruses), FortiGate starts
transmitting the file to the end client. If a virus is found, no packets are delivered to the end client and the
proxy sends the replacement block message to the end client.

Applying a proxy-based antivirus profile requires two sections in FortiGate configuration to use non-default
settings:
1. Antivirus profile
2. Firewall policy

The antivirus profile provides the option to select a proxy-based approach as the inspection mode within the
profile. This allows the profile to inspect MAPI and SSH protocol traffic, as well as to sanitize Microsoft
documents and PDF files using the content disarm and reconstruction (CDR) feature.

If the inspection mode on the antivirus profile is set to Proxy-based, it is only available when the firewall
policy inspection mode is set to Proxy-based.

Good job! You now understand antivirus scanning modes.

Now, you will learn about antivirus configuration.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in antivirus configuration, including reviewing antivirus logs, you will be able to
use the antivirus profile in an effective manner.

The antivirus profile can be configured on the AntiVirus page. Since the default inspection mode on a firewall
policy is flow-based, Feature set must be set to Flow-based. If the inspection mode of the firewall policy is
proxy-based, Feature set can be set to Proxy-based, which enables functions that are only available with a
proxy-based inspection mode firewall policy, such as the MAPI protocol and CDR.

Both feature sets provide the following options:

APT Protection Options:
• Treat Windows executables in email attachment as viruses: By default, this option is enabled and files
(including compressed files) identified as Windows executables can be treated as viruses.
• Send files to FortiSandbox for inspection: If FortiSandbox cloud or appliance is configured, you can
configure the antivirus profile to send malicious files to FortiSandbox for behavior analysis. If tagged as
malicious, any future files matching the same behavior will be blocked if Use FortiSandbox database is
enabled.

Virus Outbreak Prevention:
• Use FortiGuard Virus outbreak prevention database: FortiGuard virus outbreak prevention is an
additional layer of protection that keeps your network safe from newly emerging malware. Quick virus
outbreaks can infect a network before signatures can be developed to stop them. Outbreak protection
stops these virus outbreaks until signatures become available on FortiGuard.
• Use external malware block List: FortiGate can enhance the antivirus database by linking a dynamic
external malware block list to FortiGate. The malware block list can be defined as a Security Fabric
connector and configured to pull the list dynamically by setting the refresh rate.

In the antivirus profile, you can define what FortiGate should do if it detects an infected file. After you configure
an antivirus profile, you must apply it in the firewall policy.
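The external malware block list referenced by the Use external malware block List option (and described earlier under the antivirus basics) is a plain-text file with one MD5, SHA-1 or SHA-256 hex digest per line. The following is an added Python example, not FortiGate code, of how such a list is parsed and applied: the algorithm is inferred from the digest length, malformed lines are reported rather than silently dropped, case is normalized, and a file is hashed only with the algorithms that actually have entries in the list. The list contents and the sample file are constructed here.

```python
"""Added example (not FortiGate code): load and apply an external malware hash block list.

Format as the study guide describes it: a plain-text file with one MD5, SHA-1 or
SHA-256 hex digest per line. The list contents and sample file below are constructed.
"""
import hashlib

# The hex digest length identifies the algorithm.
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_DIGITS = set("0123456789abcdef")


def load_block_list(text):
    """Parse the list into {algo: set(lowercase hex digest)}.

    Blank lines and '#' comments are skipped. Malformed entries are returned as
    (line number, text) so an operator can see what the connector would drop.
    """
    lists = {algo: set() for algo in ALGO_BY_LEN.values()}
    rejected = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip().lower()
        if not entry:
            continue
        algo = ALGO_BY_LEN.get(len(entry))
        if algo is None or not set(entry) <= HEX_DIGITS:
            rejected.append((lineno, raw.strip()))
            continue
        lists[algo].add(entry)
    return lists, rejected


def matches_block_list(data, lists):
    """Return (algo, digest) of the first hit, or None.

    Only algorithms that actually have entries are computed, so a SHA-256-only
    list never costs an MD5 or SHA-1 pass over the file.
    """
    for algo, hashes in lists.items():
        if not hashes:
            continue
        digest = hashlib.new(algo, data).hexdigest()
        if digest in hashes:
            return algo, digest
    return None


# --- constructed sample data ---------------------------------------------
SAMPLE_FILE = b"constructed sample file contents"          # stands in for a blocked file
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_FILE).hexdigest()
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"            # MD5 of zero bytes

SAMPLE_LIST = "\n".join([
    "# constructed block list: one digest per line",
    SAMPLE_SHA256.upper(),    # upper case, to show the list is case-insensitive
    EMPTY_MD5,
    "not-a-hash",             # malformed entry, reported rather than ignored
])


def demo():
    """Run the constructed list against three inputs and return the verdicts."""
    lists, rejected = load_block_list(SAMPLE_LIST)
    return {
        "rejected": rejected,
        "sample": matches_block_list(SAMPLE_FILE, lists),
        "empty": matches_block_list(b"", lists),
        "benign": matches_block_list(b"benign content", lists),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Fetching the list over HTTP/HTTPS on the connector's refresh interval is the part this example leaves out; what it shows is the validation that is worth doing on every refresh, since a single mangled line in a hosted list would otherwise disappear without trace.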

Protocol options provide more granular control than antivirus profiles. You can configure protocol port
mappings, common options, web options, and email options, to name a few.

You can configure protocol options on the Protocol Options page on the GUI or from the CLI. Protocol
options are used by antivirus and other security profiles, such as web filtering, DNS filtering, and data loss
prevention (DLP), to name a few.

Once protocol options are configured, they are applied in the firewall policy.

So what is the recommended buffer limit? It varies by model and configuration. You can adjust the
oversize-limit for your network for optimal performance. A smaller buffer minimizes proxy latency (for
both scanning modes) and RAM usage, but that may allow viruses to pass through undetected. When a buffer
is too large, clients may notice transmission timeouts. You need to balance the two.

If you aren’t sure about the value to set oversize-limit to, you can temporarily enable oversize-log to
see if your FortiGate is scanning large files frequently. You can then adjust the value accordingly.

Files that are bigger than the oversize limit bypass scanning. You can log oversize files by enabling the
oversize-log option from the CLI.

Large files are often compressed. When compressed files go through scanning, the compression acts like
encryption: the signatures won't match. So, FortiGate must decompress the file in order to scan it.

Before decompressing a file, FortiGate must first identify the compression algorithm. Some archive types can
be correctly identified using only the header. Also, FortiGate must check whether the file is password
protected. If the archive is protected with a password, FortiGate can’t decompress it, and, therefore, can’t
scan it.

FortiGate decompresses files into RAM. Just like other large files, the RAM buffer has a maximum size.
Increasing this limit may decrease performance, but it allows you to scan larger compressed files.

If an archive is nested—for example, if an attacker is trying to circumvent your scans by putting a ZIP file
inside the ZIP file—FortiGate will try to undo all layers of compression. By default, FortiGate will attempt to
decompress and scan up to 12 layers deep, but you can configure it to scan up to the maximum number
supported by your device (usually 100). Often, you shouldn’t increase this setting because it increases RAM
usage.
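To make the three limits discussed above concrete (the oversize limit, password-protected archives, and the nesting depth), here is an added Python example, not FortiOS code, that applies the same decisions to in-memory ZIP data: data over the size limit bypasses scanning, an archive whose entries carry the encryption flag is reported rather than opened, and nested archives are unpacked only while the configured depth allows. The limits, the signature stand-in (a marker byte string) and the sample archives are constructed; the helper that flips the encryption flag bit only makes a test archive look password-protected and does not encrypt anything.

```python
"""Added example (not FortiOS code): archive-handling decisions for antivirus scanning.

Models three limits from the study guide: an oversize limit (data above it bypasses
scanning), password-protected archives (cannot be decompressed, so cannot be
scanned), and a maximum nesting depth for archives inside archives.
"""
import io
import zipfile

OVERSIZE_LIMIT = 10 * 1024 * 1024       # assumed value in bytes; the real limit is model-specific
MAX_NESTING = 12                         # default nesting depth quoted in the guide
MARKER = b"CONSTRUCTED-MALWARE-MARKER"   # stand-in for a signature match


def marker_signature(data):
    """Trivial stand-in for the AV engine: 'infected' if the marker string is present."""
    return MARKER in data


def is_password_protected(zf):
    """Bit 0 of an entry's general-purpose flag is set when that entry is encrypted."""
    return any(info.flag_bits & 0x1 for info in zf.infolist())


def scan_bytes(data, inspect=marker_signature, depth=0,
               oversize_limit=OVERSIZE_LIMIT, max_nesting=MAX_NESTING):
    """Return a list of (verdict, depth) findings for data and anything nested in it.

    depth counts archive layers already opened; an archive is opened only while
    depth < max_nesting, so the default allows 12 layers as the guide describes.
    """
    if len(data) > oversize_limit:
        return [("oversize-bypassed", depth)]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return [("infected" if inspect(data) else "clean", depth)]
    if depth >= max_nesting:
        return [("nesting-limit", depth)]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if is_password_protected(zf):
            return [("password-protected", depth)]
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Check the declared uncompressed size before inflating, so an
            # oversized member is skipped without being expanded into RAM.
            if info.file_size > oversize_limit:
                findings.append(("oversize-bypassed", depth + 1))
                continue
            findings.extend(scan_bytes(zf.read(info), inspect, depth + 1,
                                       oversize_limit, max_nesting))
    return findings


# --- constructed test archives -------------------------------------------

def make_zip(entries):
    """Build an in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def nest_zip(payload, layers):
    """Wrap payload in `layers` ZIP archives, one inside the other."""
    data = payload
    for _ in range(layers):
        data = make_zip({"inner": data})
    return data


def mark_encrypted(zip_bytes):
    """Test helper: set the encryption flag bit in every local and central header.

    The data is not really encrypted; this only makes the archive look
    password-protected to a reader, which is all the scanner checks.
    """
    data = bytearray(zip_bytes)
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(sig)
        while pos != -1:
            data[pos + flag_offset] |= 0x01
            pos = data.find(sig, pos + 4)
    return bytes(data)


if __name__ == "__main__":
    print(scan_bytes(nest_zip(MARKER, 3)))
    print(scan_bytes(nest_zip(MARKER, 13)))
    print(scan_bytes(mark_encrypted(make_zip({"a.txt": b"hello"}))))
```

Two design points carry over to the real device: the size check on a member uses its declared uncompressed size before anything is inflated, which is what keeps a deeply nested or highly compressible archive from consuming the decompression buffer, and the depth counter is the only thing standing between the scanner and an archive that nests past the limit, which is why the guide advises against raising it casually.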
