This article describes how to use FortiGate’s NGFW capabilities to inspect the application layer (the payload) of a packet and block the use of specific Google applications by means of application signatures.
Scope
FortiGate.
Solution
Google Drive vs Google Docs
The difference between the two applications lies in the application signature and the category each one is assigned at FortiGuard Labs:
- Google.Drive_File.upload is listed under the ‘Storage’ category, which covers online file storage.
- Google.Docs_File.Upload is listed under the ‘Collaboration’ category, which includes tools such as remote meeting applications.
Blocking the applications based on signatures
- Create or use one of the default application control profiles under: Security profiles -> Application Control.
- Notice that both the Storage and Collaboration categories are set to the ‘Monitor’ action.
- At the Application and Filter Overrides table, select ‘Create New’.
- In the new window, keep the Application tab selected and search for both applications.
- Select both applications, then right-click on any of them and select the option ‘Selected’.
- Keep the action set to Block and save by selecting OK then hit the OK button again on the original profile window to save all changes.
- Go to Policy&Objects -> Firewall Policy and create the firewall policy that allows users to reach the internet, with the necessary configuration such as NAT. Make sure Application Control is enabled and select the profile to which the application override for both Google applications was added.
- Enable the SSL inspection profile and select Deep Packet Inspection. Make sure logging is enabled for All Sessions, then save the changes by selecting the OK button.
- It may be necessary to install the Fortinet factory certificate used by the SSL inspection profile on the client machines. Otherwise, all browser activity will show a certificate warning because the certificate on the Deep Packet Inspection profile is not trusted. Alternatively, purchase a trusted certificate, install it on the firewall and use it for the SSL inspection profile.
- Test the traffic by accessing the Google Docs or Google Drive websites; the result should be a redirection to an application control block page.
CLI example
config firewall policy
    edit 3
        set name "internet"
        set uuid 074934c6-2526-51ef-19e0-5c2e135a5b11
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set srcaddr "10.10.1.0-net"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set ips-sensor "default"
        set application-list "default"
        set logtraffic all
        set nat enable
    next
end
config application list
    edit "default"
        set comment "Monitor all applications."
        config entries
            edit 1
                set application 16541 32121
            next
            edit 2
                set action pass
            next
        end
    next
end
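The following Python script is an added example, not part of the article or of Fortinet's tooling. It parses a FortiOS CLI fragment like the one above into nested dictionaries and audits the firewall policy for the settings the steps above require (UTM enabled, the deep-inspection SSL profile, logging of all sessions, and an application list whose block entry contains both Google application IDs). The sample configuration embedded in the script is the article's CLI example; the function and variable names are the author's own, and the script assumes that an application-control entry without an explicit `set action` uses the FortiOS default of block, which is why the `show` output above omits it for entry 1.

```python
"""Audit a FortiOS policy for the application-control setup described in the article."""
import shlex

# Sample input: the article's CLI example, one statement per line.
SAMPLE_CLI = """
config firewall policy
    edit 3
        set name "internet"
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set srcaddr "10.10.1.0-net"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set ips-sensor "default"
        set application-list "default"
        set logtraffic all
        set nat enable
    next
end
config application list
    edit "default"
        set comment "Monitor all applications."
        config entries
            edit 1
                set application 16541 32121
            next
            edit 2
                set action pass
            next
        end
    next
end
"""

# Settings the article's procedure requires on the internet policy.
REQUIRED_POLICY = {
    "utm-status": ["enable"],
    "ssl-ssh-profile": ["deep-inspection"],
    "logtraffic": ["all"],
}
# Application IDs taken from the article's CLI example (Google Docs / Google Drive signatures).
GOOGLE_APP_IDS = {"16541", "32121"}


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts, e.g. {"firewall policy": {"3": {"name": ["internet"]}}}."""
    root = {}
    stack = [root]  # current nesting of config/edit blocks
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # honours double-quoted values such as "Monitor all applications."
        keyword, args = tokens[0], tokens[1:]
        current = stack[-1]
        if keyword == "config":
            stack.append(current.setdefault(" ".join(args), {}))
        elif keyword == "edit":
            stack.append(current.setdefault(args[0], {}))
        elif keyword == "set":
            current[args[0]] = args[1:]
        elif keyword in ("next", "end"):
            stack.pop()
    return root


def audit_policy(cfg, policy_id):
    """Return a list of findings; an empty list means the policy matches the article's setup."""
    findings = []
    policy = cfg.get("firewall policy", {}).get(policy_id)
    if policy is None:
        return [f"policy {policy_id} not found"]
    for key, expected in REQUIRED_POLICY.items():
        if policy.get(key) != expected:
            findings.append(f"policy {policy_id}: {key} is {policy.get(key)}, expected {expected}")
    applist = policy.get("application-list")
    if not applist:
        return findings + [f"policy {policy_id}: no application-list attached"]
    entries = cfg.get("application list", {}).get(applist[0], {}).get("entries", {})
    blocked = set()
    for entry in entries.values():
        # Assumption: an entry with no explicit action uses the FortiOS default, block.
        if entry.get("action", ["block"]) == ["block"]:
            blocked.update(entry.get("application", []))
    missing = GOOGLE_APP_IDS - blocked
    if missing:
        findings.append(f"application list {applist[0]}: app IDs {sorted(missing)} are not blocked")
    return findings


if __name__ == "__main__":
    print(audit_policy(parse_fortios(SAMPLE_CLI), "3") or "policy 3 matches the article's configuration")
```

Running the script against the embedded sample reports no findings; feeding it the output of `show firewall policy` and `show application list` from a unit with `logtraffic utm` instead of `logtraffic all`, or with one of the two IDs removed from entry 1, produces a finding naming the deviating setting.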
Example log event
86: date=2024-06-07 time=16:57:49 eventtime=1717804669793761154 tz="-0700" logid="1059028705" type="utm" subtype="app-ctrl" eventtype="signature" level="warning" vd="root" appid=16541 srcip=10.10.1.2 srccountry="Reserved" dstip=142.251.41.46 dstcountry="United States" srcport=61514 dstport=443 srcintf="port1" srcintfrole="undefined" dstintf="port2" dstintfrole="undefined" proto=6 service="SSL" direction="outgoing" policyid=3 poluuid="074934c6-2526-51ef-19e0-5c2e135a5b11" policytype="policy" sessionid=6851633 applist="default" action="block" appcat="Collaboration" app="Google.Docs" hostname="docs.google.com" incidentserialno=267389113 url="/" msg="Collaboration : Google.Docs" apprisk="elevated"
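As an added example, not from the article, the following Python script parses FortiGate key=value log lines like the one above and pulls out the application-control block events, so the result of the test in the last step can be checked from exported logs rather than only in the GUI. The embedded sample consists of the article's event plus two constructed lines (a block of the Google Drive signature and an allowed session); the constructed lines use TEST-NET addresses and a placeholder application ID, and the function names are the author's own.

```python
"""Extract application-control block events from FortiGate log lines."""
import re
from collections import Counter

# Sample input: line 86 is the article's event; lines 87 and 88 are constructed for this example.
SAMPLE_LOG = """\
86: date=2024-06-07 time=16:57:49 eventtime=1717804669793761154 tz="-0700" logid="1059028705" type="utm" subtype="app-ctrl" eventtype="signature" level="warning" vd="root" appid=16541 srcip=10.10.1.2 srccountry="Reserved" dstip=142.251.41.46 dstcountry="United States" srcport=61514 dstport=443 srcintf="port1" srcintfrole="undefined" dstintf="port2" dstintfrole="undefined" proto=6 service="SSL" direction="outgoing" policyid=3 poluuid="074934c6-2526-51ef-19e0-5c2e135a5b11" policytype="policy" sessionid=6851633 applist="default" action="block" appcat="Collaboration" app="Google.Docs" hostname="docs.google.com" incidentserialno=267389113 url="/" msg="Collaboration : Google.Docs" apprisk="elevated"
87: date=2024-06-07 time=16:58:02 eventtime=1717804682000000000 tz="-0700" logid="1059028705" type="utm" subtype="app-ctrl" eventtype="signature" level="warning" vd="root" appid=32121 srcip=10.10.1.3 dstip=192.0.2.10 srcport=52011 dstport=443 srcintf="port1" dstintf="port2" proto=6 service="SSL" direction="outgoing" policyid=3 sessionid=6851700 applist="default" action="block" appcat="Storage" app="Google.Drive_File.upload" hostname="drive.google.com" url="/" msg="Storage : Google.Drive_File.upload" apprisk="elevated"
88: date=2024-06-07 time=16:58:10 eventtime=1717804690000000000 tz="-0700" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" appid=99999 srcip=10.10.1.2 dstip=192.0.2.20 srcport=52020 dstport=443 srcintf="port1" dstintf="port2" proto=6 service="SSL" direction="outgoing" policyid=3 sessionid=6851710 applist="default" action="pass" appcat="Web.Client" app="Example.App" hostname="example.com" url="/" msg="Web.Client : Example.App" apprisk="low"
"""

# key=value pairs; quoted values may contain spaces (e.g. msg="Collaboration : Google.Docs").
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Fields a responder looks at first when reviewing a block.
SUMMARY_FIELDS = ("date", "time", "srcip", "appid", "app", "appcat", "hostname", "policyid")


def parse_fortigate_log(line):
    """Turn one FortiGate log line into a dict of field -> value (quotes stripped)."""
    line = re.sub(r"^\d+:\s*", "", line)  # drop the "86: " index added by `execute log display`
    record = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        record[key] = value
    return record


def app_control_blocks(log_text):
    """Return the app-ctrl events with action=block, reduced to the summary fields."""
    hits = []
    for line in log_text.splitlines():
        record = parse_fortigate_log(line)
        if (record.get("type") == "utm" and record.get("subtype") == "app-ctrl"
                and record.get("action") == "block"):
            hits.append({field: record.get(field) for field in SUMMARY_FIELDS})
    return hits


def blocks_by_app(log_text):
    """Count block events per application signature, useful for spotting repeated attempts."""
    return Counter(hit["app"] for hit in app_control_blocks(log_text))


if __name__ == "__main__":
    for hit in app_control_blocks(SAMPLE_LOG):
        print(f"{hit['date']} {hit['time']} {hit['srcip']} -> {hit['hostname']} blocked ({hit['appcat']} : {hit['app']})")
    print(dict(blocks_by_app(SAMPLE_LOG)))
```

The same parser applies to lines exported from the FortiGate log viewer or forwarded to a syslog collector, since both keep the key=value layout; only the numeric index prefix differs.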