FortiGate
skaneria
Staff
Article Id 196078
Description
By configuring the port enforcement check in Application Control, it is possible to block applications that are running on non-standard TCP/IP ports.

This article describes this feature.

Solution
Most networking applications run on specific ports. For example, SSH runs on port 22, and Facebook runs on ports 80 and 443.

If port enforcement (enforce-default-app-port) is enabled in the Application Control profile, the check is performed at the profile level: any detected application signature that is running on a non-default TCP/IP port is blocked. This means that each application allowed by the Application Control sensor is permitted only on its default port, as defined in the FortiGuard application signature.

To set the port enforcement check from the CLI (the example enables it and allows FTP, application ID 15896; use 'disable' to turn the check off):
# config application list
    edit "default_port"
        set enforce-default-app-port enable
        config entries
            edit 1
                set application 15896
                set action pass
            next
        end
    next
end
For example, with the above Application Control profile applied, FTP traffic on its default port (TCP 21) is allowed, while FTP detected on a non-default port (for example, TCP 2121) is blocked.

To set the port enforcement check from the GUI:

1) Go to Application Control.
2) Select the profile and select 'Edit'.
3) Under 'Options', enable 'Block applications detected on non-default ports'.
4) Go to 'Application and Filter Overrides'.
5) Select 'Create New' and select the application.
6) Select 'Add Selected' and choose the action 'Allow' or 'Monitor'.
7) Select 'OK'.



Note.
For overrides with the Monitor or Allow action, the application is still blocked if it is detected on a non-default port (as defined in the FortiGuard application signatures).
An override with the Block action blocks all traffic for the application regardless of port.
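The decision rules above (and the FTP 21 vs. 2121 case in the CLI example) can be modelled as a small policy evaluator. The following Python is an added illustration, not FortiOS code or an extract of the FortiGuard signature database: the application names, default ports (other than FTP on TCP 21, which the article itself uses), sample flows and the 'allow' default for applications without an override are constructed assumptions. It generalises the article's single FTP case to several applications, including one whose signature has more than one default port.

```python
"""Model of FortiGate Application Control port enforcement.

Added example (not FortiOS code). It reproduces the rules the article
describes: a Block override blocks on every port; Allow and Monitor
overrides are blocked on a non-default port when
enforce-default-app-port is enabled; with enforcement disabled the
override's own action applies.
"""
from dataclasses import dataclass, field

# Constructed stand-in for the FortiGuard signature database
# (application name -> default TCP ports). FTP/21 is the article's own
# example; the other entries are illustrative assumptions.
SIGNATURE_DEFAULT_PORTS = {
    "FTP": {21},
    "SSH": {22},
    "Facebook": {80, 443},
}

# GUI action names; the CLI spells "allow" as "pass" (see the article's CLI example).
GUI_ACTIONS = {"allow", "monitor", "block"}


@dataclass
class AppControlProfile:
    """One Application Control sensor with its Application and Filter Overrides."""
    name: str
    enforce_default_app_port: bool  # 'Block applications detected on non-default ports'
    overrides: dict = field(default_factory=dict)  # app name -> GUI action
    other_action: str = "allow"  # assumed action for apps without an override

    def action_for(self, app: str) -> str:
        action = self.overrides.get(app, self.other_action)
        if action not in GUI_ACTIONS:
            raise ValueError(f"unknown action {action!r} for {app}")
        return action


def decide(profile: AppControlProfile, app: str, dst_port: int) -> tuple:
    """Return (verdict, reason) for one detected application on one destination port."""
    action = profile.action_for(app)
    if action == "block":
        # Block wins regardless of port, even with enforcement disabled.
        return "block", "override action is block (port irrelevant)"
    default_ports = SIGNATURE_DEFAULT_PORTS.get(app)
    if default_ports is None:
        raise KeyError(f"no signature default ports known for {app}")
    if dst_port in default_ports:
        return action, f"{app} on default port {dst_port}"
    if profile.enforce_default_app_port:
        # Port enforcement: allow/monitor entries are still blocked off their default port.
        return "block", f"{app} on non-default port {dst_port} (defaults {sorted(default_ports)})"
    return action, f"{app} on port {dst_port}, port enforcement disabled"


def evaluate(profile: AppControlProfile, flows) -> list:
    """Apply decide() to (app, port) pairs; returns (app, port, verdict, reason) tuples."""
    return [(app, port, *decide(profile, app, port)) for app, port in flows]


if __name__ == "__main__":
    # Constructed sample flows, as the detection engine would classify them.
    flows = [("FTP", 21), ("FTP", 2121), ("SSH", 22), ("SSH", 2222),
             ("Facebook", 443), ("Facebook", 8080)]
    overrides = {"FTP": "allow", "SSH": "block", "Facebook": "monitor"}
    enforced = AppControlProfile("default_port", True, overrides)
    relaxed = AppControlProfile("no_enforcement", False, overrides)
    for prof in (enforced, relaxed):
        print(f"--- profile {prof.name} ---")
        for app, port, verdict, reason in evaluate(prof, flows):
            print(f"{app:<9} tcp/{port:<5} {verdict:<8} {reason}")
```

Running the script prints both profiles side by side: with enforcement on, FTP/2121 and Facebook/8080 are blocked although their overrides are Allow and Monitor, SSH is blocked on 22 and 2222 alike, and Facebook is allowed on either of its two default ports; with enforcement off, only the Block override still blocks.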

