FortiGate: Application Control (FortiOS 6.4.0)

  • Published 8 Nov 2024

COMMENTS • 67

  • @FortinetGuru
    @FortinetGuru 4 years ago +5

    Figure out what Applications are going across your network and GET CONTROL of your security!

  • @carlossanchez3739
    @carlossanchez3739 3 years ago

    I am about to start a new job as a Cybersecurity Analyst and now I know I will be managing many FortiGates. I have never touched one before but viewing your videos has given me a relief. Thank you Mike.

  • @cjlabbe
    @cjlabbe 1 year ago

    Seeing System -> Settings -> NGFW mode was very helpful. Thanks!

  • @Jlousauvage
    @Jlousauvage 2 years ago

    Thank you for making the first completely understandable tutorial I've seen about the fortigate. Cheers.

  • @VijayaBaskarvvk
    @VijayaBaskarvvk 3 years ago

    Just watched once.. getting addicted..and subscribed... You deserve it...

  • @youngcchung8176
    @youngcchung8176 4 years ago +3

    You are a great teacher. Thank you.

  • @fredmarshall8735
    @fredmarshall8735 2 years ago

    Mike, you've been helping me a lot! Thanks.
    Now I'm putting an 80F 6.4.10 into service. The idea is to use Policy-Based and to do fairly heavy Application-Based blocking. A couple of issues for me:
    - I don't know what applications are in use so I have to figure that out by capturing them.
    - As you've suggested, I have logging set up but don't know what to look for to see just application accesses. Then, I'd pick the commonly-used production apps to Allow.
    That's sort of a "white list" approach and I'm a bit leery of doing that as there will no doubt be a long learning curve

  • @theywillcome843
    @theywillcome843 3 years ago

    Thank you for your very instructive videos.

  • @tekatiescholasticateerite1084

    Hi Mike. Appreciate your tutorial. Well, do you have a tutorial on configuring a bridge LAN as a domestic link? Thank you

  • @mauriciojosealmontebatista2284
    @mauriciojosealmontebatista2284 3 years ago

    Thanks for sharing this content, I'm subscribed and hit the notification button. Good stuff man, keep it up. I'm 100% focused on Fortinet and PALO for now, I think they are super good.

  • @RaviChinasamy
    @RaviChinasamy 4 years ago +1

    Awesome and straight to the point video! Keep those coming, Mike! :)

  • @tknocan
    @tknocan 2 years ago

    Great video man, want to know if we can do the same block with the profile-based and the policy-based, so executives can have access to YouTube and the rest don't.

  • @crystalku8554
    @crystalku8554 2 years ago

    Thanks for your demo. May I know how to set up executive YouTube in FortiGate 101F?

  • @anilbeharry
    @anilbeharry 4 years ago +1

    Thank you for another good production.

  • @hennessy6996
    @hennessy6996 2 years ago

    Good demo, thanks.

  • @roflolo
    @roflolo 4 years ago +7

    Hi Mike. Really appreciate your work (and your wit). Would you consider making A to Z Fortinet courses on a platform such as Udemy ? Don't get me wrong, free stuff for the community is so valuable, but I know I would definitely subscribe to a complete and organized course (sections, labs, etc.).

  • @watsonjosue3170
    @watsonjosue3170 4 years ago

    Great video! Which is better to use in an environment, UTM Profile or Policy Profile driven policy? Thank you Mike for great content.

  • @andresparraagramont5605
    @andresparraagramont5605 4 years ago

    Great video Mike, very useful

  • @gcvillamorify
    @gcvillamorify 2 years ago

    Hi Mike, thanks for sharing your knowledge. Do you have any videos on how to block Skype, WhatsApp or any other video calling applications but allow only the messaging of those apps?

  • @RoshanZakky
    @RoshanZakky 2 years ago

    Hi there, nice tutorial. After I add the firewall I couldn't download any applications. Can you please tell me how to do that? I'm new to the FortiGate environment, please let me know. Thank you.

  • @zachthatguy7391
    @zachthatguy7391 2 years ago

    You're the man!

  • @massimilianodefalco4067
    @massimilianodefalco4067 2 years ago

    Hi Mike, I have a question about the user. The user "mike" is configured in Active Directory server? For ex: I have a domain user "max". The FG can identify "max" as domain user? In other words, the FG can identify the user logged in on a domain PC?

  • @SantoshSharma
    @SantoshSharma 4 years ago

    Nice video,
    Have you observed that when selecting Flow mode or Proxy mode in a fw policy (new feature from 6.2) the UTM doesn't get changed, as Flow mode only supports fewer UTM features, like VoIP, which it doesn't support.
    Also when you click on creating a web filter for Flow-based from the policy, it shows you the proxy web filter.

  • @pvprakashpv
    @pvprakashpv 3 years ago +1

    Great video. Google Chrome is allowing YouTube traffic even if it is blocked. How to fix that?

    • @FortinetGuru
      @FortinetGuru 3 years ago +1

      Are you allowing QUIC? It will bypass some threat protections if you are.

  • @ebosac8813
    @ebosac8813 3 years ago

    Please, in the app category can I find STBemu for IPTV to allow on FortiGate?

  • @leetanizer
    @leetanizer 2 years ago

    Hi Mike, thanks for your video.
    I have a question regarding the "Allow and Log DNS Traffic" application control profile option. The only info I managed to find regarding this option is that we should only enable it during investigation.
    1/ When the option is enabled, which DNS requests will be logged? All DNS requests?
    2/ Where can I find the logged DNS requests?
    3/ Disabling this option is supposed to block DNS traffic?
    I set up a small lab, and disabling the option didn't lead to blocking DNS requests.
    I wasn't able to find the documentation regarding what this option does exactly...
    Any help would be appreciated :)
    Many thanks,

  • @jefflambert7513
    @jefflambert7513 4 years ago

    Nice, just came across your channel while I was looking for info about having both Tunnel and Bridge mode for FortiAP. My WiFi throughput is slow (currently in tunnel mode), so I'm considering switching over to bridge mode. I have several SSIDs and would like to keep them if possible. Glad I stopped to listen, will definitely watch all your other videos...
    I'm one of those that have spent hours trying to figure things out; as frustrating as it is at times, it is a good learning experience. I have a 60F I use for home and work.
    I do have one question regarding the CATCH-ALL to allow all other traffic out. Wouldn't one want it to deny all other traffic because the other policies are taking care of what you allow out? This is probably a silly question... Thanks for doing the videos. The answer I'm looking for is probably in one of your other videos. Take care and thanks!!!

  • @bboosss1065
    @bboosss1065 4 years ago

    Is it better to use DNS filter to block a website? What is the advantage of using layer 7 inspection?

  • @piratev20
    @piratev20 4 years ago

    Hi Mike, under Application Control we are having two options, "Network Service" and "General Internet". Could you please tell me which of them should be allowed and which need to be blocked? Please share guidelines for the same.

  • @thom71
    @thom71 3 years ago +1

    Hi Mike, I'm trying to figure out how to let the kids get on youtube for 30 minutes a day. I can't seem to get it working. Have you done timers with it yet?

    • @FortinetGuru
      @FortinetGuru 3 years ago +1

      You could do quotas but that is more on bandwidth. Time wise I suppose you could do a policy with a 30 minute schedule assigned to it and let them know they can only get to YouTube from 11-11:30 etc? 😂

    • @thom71
      @thom71 3 years ago +1

      @FortinetGuru I was trying to use the time based quotas that are in 6.4. The problem is these stinking Chromebooks the kids have from school. I may have to open a ticket with Fortinet and try and get it working.

  • @3kneeboi
    @3kneeboi 1 year ago

    How do you apply application and web filters to mobile phones? These filters are only working on computers.

  • @ahanabhattacharya3994
    @ahanabhattacharya3994 2 years ago

    Question: FortiGate has been blocking my Spotify, how do I resolve it?

  • @maxysadm
    @maxysadm 4 years ago

    Awesome video.... I'm not able to find the link you mentioned to work on the tweak of the app control BASE.

    • @ITNerdistan
      @ITNerdistan 4 years ago

      It is in this video, about half way through ua-cam.com/video/mC3xvZWFMtY/v-deo.html

  • @daphenom
    @daphenom 4 years ago

    Thank you for this very informative video.
    Question - for a security policy, if I don't have any app control profile applied to it, does it still identify application traffic? Or does it just show up on the logs as standard firewall port based traffic?
    I guess what I am asking is, if I want the app to be identified (whether I want it blocked or not), do I always need an app control profile?
    Thank you in advance.

    • @FortinetGuru
      @FortinetGuru 4 years ago +1

      You need an application sensor applied to the policy passing traffic in order to view the app data. Fortinet does not auto ID like Palo Alto does.

  • @cwong59
    @cwong59 3 years ago

    Can we block 3DES in application control? thanks

  • @sayfarouaia4798
    @sayfarouaia4798 5 months ago

    Difference with "internet services" as destination ?

  • @ndloh
    @ndloh 4 years ago

    For FortiGate, I think this is a must feature to know your traffic readable in FortiView, else it is very hard to know where the traffic is in and out with what application in use.
    From FortiView you can see clearly what application is in use, and some of the vendors like AWS, TeamViewer have a lot of IPs, so this feature filters all of it.
    And recently I found that the services function can also be used based on vendor services, this is awesome and I hope more vendors will be covered by FortiGate, for example some cloud-based antivirus like Cybereason, CrowdStrike etc.
    Great video.

  • @stefpm8653
    @stefpm8653 3 years ago

    Hello, I have a prept configuration file to upload to a Firewall FortiGate 61F. But I don't know how. Can you provide me some information please?

  • @lenders1164
    @lenders1164 4 years ago +2

    Amazing stuff as always!
    QQ: does NGFW/policy mode also require SSL w/ deep packet inspection?
    Thinking of shifting gears over to that style (been in legacy profile-based since forever)

  • @MaxPilloni
    @MaxPilloni 1 year ago

    Hi Mike. I'm struggling a bit with my Infrastructure Specialist role because our consultant IT Manager is also a kind of technician in his company and he's very intrusive with the work I do. Nowadays he's insisting on putting in place super LAN2WAN restrictions, going back to L3-4 traditional firewall rules, sending to the trash all the troubleshooting work I've done to fine-tune application control and web filter based firewall policies. For example he's applying L4 service filters on policies to which application control is already applied. Doing so, if the policy is matched when the outgoing service is HTTPS, when the firewall sees let's say a Microsoft Teams call which is a non-HTTPS connection it shouldn't match the rule and go forward until it matches implicit deny all, right?

    • @FortinetGuru
      @FortinetGuru 1 year ago

      App control gives you the ability to limit based on applications. Using straight layer 3-4 traditional firewall rules is rudimentary for the use case you are mentioning. Not sure how we can tweak that to meet your manager's needs without giving him a lesson or two on NGFWs. Are you running UTM mode or NGFW Mode? If NGFW mode, there is no reason to limit by Layer 3/4 because applications will be taken into consideration anyways. Also, most services run on CDNs now so locking stuff down by IP is a crazy ask.

  • @basavarajhosamani1577
    @basavarajhosamani1577 2 years ago

    Hey Fortinet Guru,
    Restricted SaaS access: do the video, it's very helpful to all.

  • @saifemran4528
    @saifemran4528 4 years ago +1

    Thank you!

  • @GoldenBoy40ro
    @GoldenBoy40ro 3 years ago

    Nice video man, best regards from Mexico, I didn't know about the second way you block YouTube, have a nice day

  • @jaganorissa
    @jaganorissa 4 years ago

    Which mode do most enterprises prefer, policy-based or profile-based?

    • @FortinetGuru
      @FortinetGuru 4 years ago +2

      Most are running Profile mode. Most don't run policy based on Fortinet devices yet. I'm going to start trying though :P

    • @bernhardroth8034
      @bernhardroth8034 4 years ago +1

      @FortinetGuru This is a very good point. From my experience the profile mode is much more stable and evolved than policy mode. Visibility seems to be much better in profile mode as well. There are so many small issues, tweaks and bugs when using policy mode in production.
      Policy mode may be the future but man, Forti Q&A department needs to hire!

  • @sidhardha1
    @sidhardha1 2 years ago

    Sir, please upload all videos of FortiGate firewall

  • @sidhardha1
    @sidhardha1 2 years ago

    How to block RDP in Fortinet firewall, sir?

  • @MTESKEREDIC
    @MTESKEREDIC 2 years ago

    Thx

  • @shanavazks224
    @shanavazks224 3 years ago

    Can you make a video tutorial where we can control or allow all WhatsApp call traffic to the other branch Fortinet ISP in a site-to-site Fortinet scenario, and all other internet traffic to stay and go in the HQ Fortinet ISP?

  • @din883
    @din883 4 years ago

    great! tnx

  • @hotximin6008
    @hotximin6008 4 years ago

    As per information available in FortiOS-6.2.4-Cookbook.pdf - page 276, all cloud applications require SSL Inspection set to deep-inspection on the firewall policy. For example, Facebook_File.Download can monitor Facebook download behavior, which requires SSL deep-inspection to parse the deep information in the network packets.
    For cloud apps, this requirement of having SSL Inspection set to deep-inspection in the firewall policy is NOT specified in FortiOS-6.0-Handbook.pdf
    Q1: Does cloud application control work in v6.0.X, with the default SSL inspection profile, without doing SSL full-inspection (as this requirement isn't specified in Forti's official documentation)?
    Q2: For cloud apps and the default SSL inspection profile, can the main App be controlled in the security policies (i.e. Facebook) but any dependent App (i.e. Facebook chat) cannot be controlled (allowed/blocked/etc...)?
    Q3: Why do cloud apps have this requirement for SSL deep-inspection, but other apps do not need SSL deep-inspection enabled?

  • @_tube1964
    @_tube1964 2 years ago

    How to block Psiphon proxy software by Fortinet firewall?

  • @ebosac8813
    @ebosac8813 3 years ago

    Bro, can you help me on how to block a portion of YouTube and limit it to education only?

  • @jko1501
    @jko1501 2 years ago

    What happened to your hair?

    • @FortinetGuru
      @FortinetGuru 2 years ago

      ? It changes wildly due to making videos so far apart lol