FortiGate: Application Control (FortiOS 6.4.0)

Figure out what Applications are going across your network and GET CONTROL of your security!

Awesome and straight to the point Video! Keep those coming, mike! :)

You are a great teacher. Thank you.

I am about to start a new job as a Cybersecurity Analyst and now i know if will be managing many fortigate. I have never touched one before but viewing your videos has given me a relief. Thank you Mike.

Seeing System -> Settings -> NGFW mode was very helpful. Thanks!

Thank you for making the first completely understandable tutorial I've seen about the fortigate. Cheers.

Thanks for sharing this content, I'm subscribed and hit the notification button, Good stuff man keep it up, im 100% focused on Fortinet and PALO for now, i think they are super good.

Great video Mike, very useful

Thank you for your very instructive videos.

Just watched once.. getting addicted..and subscribed... You deserve it...

You're the man!

Thank you for another good production.

Good demo, thanks.

Thank you!

Mike, you've been helping me a lot! Thanks.
Now I'm putting an 80F 6.4.10 into service. The idea is to use Policy-Based and to do fairly heavy Application-Based blocking. A couple of issues for me:
- I don't know what applications are in use so I have to figure that out by capturing them.
- As you've suggested, I have logging set up but don't know what to look for to see just application accesses. Then, I'd pick the commonly-used production apps to Allow.
That's sort of a "white list" approach and I'm a bit leery of doing that as there will no doubt be a long learning curve

great! tnx

Great video! which is better to us in an environment, UTM Profile or Policy Profile driven policy? Thank you Mike for great content.

Nice Video,
Have u observed when selecting Flow mode or proxy mode in fw policy (New feature from 6.2) the UTM doesnt get change. as Flow mode only support less UTM features like VOIP it doesnt support.
Also when u click on creating web-filter for Flow based from Policy then it shows you proxy web-filter.

Great video man, want to know if the same block we can do with the profile-bases and the policy base, so excecutives can have access to youtube and the rest dont.

Hi Mike. Appreciate your tutorial. Well, do you have a tutorial on configuration bridge lan as a domestic link?. Thank you

Thx

Thanks for your demo, May I know how to setup executive youtube in FortiGate 101F?

Please in the app category can i find STBemu for iptv to allow on fortigate ?

For fortigate, I think this is a must feature to know your traffic readable in fortiview, else it is very hard to know where is the traffic in and out with what application in use.
From fortiview can see clearly what application is in use and some of the vendors like aws, teamviewer have a lot of IP, so this feature filter all it.
And recently I found that the services function also can use base on vendors services, this is awesome and I hope more vendors will be cover by fortigate for example some could base antivirus like Cybereason, Crowdsrtike etc.
Great video.

is it better to use dns filter to block a website ? what is the advantage of using layer 7 inspection

Hi Mike , Under Application control , we are having two options " Network Service" and " General Internet" could you please tell me which of them should be allowed and which need to be block . Please share guidelines for the same

hi there nice tutorial after i add the firewall i couldnt download any applications can you please tell me how to do that? im new to fortigate environment please let me know thank you

Hi Mike, thanks for sharing your knowledge. DO you have any videos how to block Skype, whatsapp or any other video calling applications but allow the messaging only of those apps?

Nice, just came across your channel while I was looking for info about having both Tunnel and Bride mode for FortiAP. My WiFi thoruput is slow (currently in tunnel mode), so I'm considering switching over to bridge mode. I have several SSID's and would like to keep them is possible. Glad I stopped to listen, will definitely watch all your other videos...
I'm one of those that have spent hours trying to figure things out, as frustrating as it is at times it is a good learning experience. I have a 60F I use for home and work.
I do have one question regarding the CATCH-ALL to allow all other traffic out. Wouldn't one want it to deny all other traffic because the other policies are taking care of what you allow out? This is probably a silly question....Thanks for doing the videos..the answer I'm looking for is probably in one of your other videos. Take care and Thanks !!!

How do you apply application and web filters to mobile phones ? These filters are only working on computers.

Hi Mike, thanks for your video.
I have a question regarding the "Allow and Log DNS Traffic" application control profile option. The only info I managed to find regarding this option is that we should only enable it during investigation.
1/ when the option is enabled which DNS requests will be logged ? all dns requests ?
2/ where can I find the logged DNS requests ?
3/ Disabling this option is supposed to block DNS traffic ?
I setup a small lab, and disabling the option didn't lead to block DNS requests .
I wasn't able to find the documentation regarding what this option does excatly ...
any help would be appriciated :)
many thanks,

Difference with "internet services" as destination ?

Can we block 3DES in application control? thanks

Thank you for this very informative video.
Question - for a security policy, if i dont have any app control profile applied to it, does it still identify application traffic? or does it just show up on the logs as a standard firewall port based traffic?
I guess what I am asking is, if I want the app to be identified (whether i want it blocked or not), do I always need an app control profile?
Thank you in advance.

Hello, i have a prept configuration file to upload to a Firewall Fortigate 61F. But i don't now how. Can you provide me some information please?

Question: Fortigate has been blocking my spotify how do I resolve it?

Sir please uploaded all videos of fortigate firewall

Hi Mike. Really appreciate your work (and your wit). Would you consider making A to Z Fortinet courses on a platform such as Udemy ? Don't get me wrong, free stuff for the community is so valuable, but I know I would definitely subscribe to a complete and organized course (sections, labs, etc.).

Hi Mike, I have a cuestion about the user. The user "mike" is configured in active directory server? For ex: I have a domain user "max". The FG can identify "max" as domain user? In other words, the FG can identify the user logged in domain PC?

Awesome video.... I'm not able to find the link you mentioned to work on the tweak of the app control BASE.

How to block RDP in fortuner firewall sir

NIce video man, best regads from Mexico, i didt now obut de second way you block youtube, have a nice day

Which mode most of the enterprise prefers policy-based or profile-based ?

can u make video tutorial where we can control or allow all whatsapp call traffic to other Branch fortinet ISP in site to site fortinet scenario and all other internet traffic to stay and go in HQ fortinet ISP

Amazing stuff as always!
Qq does NGFW/policy mode also require ssl w deep packet inspection?
Thinking of shifting gears over to that style (been in legacy profile-based since forever)

Hi Mike, I'm trying to figure out how to let the kids get on youtube for 30 minutes a day. I can't seem to get it working. Have you done timers with it yet?

how to block psiphone proxy software by fortinet firewall

Great Video. Google Chrome is allowing RUclips traffic even if it blocked. How to fix that

Hi Mike. I'm struggling a bit with my Infrastructure Specialist role because our consultant IT Manager is also a kind of technician in his company and he's very intrusive with the work I do. Nowadays he's insisting in putting in place super LAN2WAN restrictions going back to L3-4 traditional firewall rules sending to trash all the troubleshooting work I've done to fine-tune applicationcontrol and webfilter based firewall policies. For example he's applying L4 service filters on policies to which application control is already applied. Doing so, if policy is matched when outgoing service is HTTPS, when firewall sees let's say a Microsoft Teams call which is a non-HTTPS connection it shouldn't match the rule and go forward until it matches implicit deny all, right?

Hey Fortinet Guru,
Restricted SaaS access do the video its very help to all.

Bro can u help me on how to block a portion of youtube and limit it to education only?

As per information available in FortiOS-6.2.4-Cookbook.pdf - page 276, All cloud applications require SSL Inspection set to deep-inspection on the firewall policy. For example, Facebook_
File.Download can monitor Facebook download behavior which requires SSL deep-inspection to parse the deep
information in the network packets.
For cloud apps, this requirement of having SSL Inspection set to deep-inspection in the firewall policy is NOT specified in FortiOS-6.0-Handbook.pdf
Q1: Does cloud application control work in v6.0.X, with the default SSL inspection profile, without doing SSL full-inspection (as this requirement isn´t specified in Forti´s official documentation)?
Q2: For cloud apps and the default SSL inspection profile, can the main App be controlled in the security policies (i.e. Facebook) but any dependent App (i.e. Facebook chat) cannot be controlled (allowed/blocked/ etc...)?
Q3: Why do cloud apps have this requirement for SSL deep-inspection, but other apps do not need SSL deep-inspection enabled?

What happened to your hair?