Blocking P2P traffic and YouTube applications

In this example, you will learn how to use Application Control to monitor traffic and determine if there are any applications currently in use that should not have network access. If you discover any applications that you wish to block, application control will then be used to ensure that these applications cannot access the network.

1. Enabling Application Control and multiple security profiles

Go to System > Config > Features and ensure that Application Control is turned ON.

Select Show More and enable Multiple Security Profiles.

Apply the changes.

2. Using the default application profile to monitor network traffic

Go to Security Profiles > Application Control and view the default profile.

A list of application Categories is shown. By default, most categories are already set to Monitor. In order to monitor all applications, select All Other Known Applications and set it to Monitor. Do the same for All Other Unknown Applications.

The default profile also has Deep Inspection of Cloud Applications turned ON. This allows web-based applications, such as video streaming, to be monitored by your FortiGate.

3. Adding the default profile to a security policy

Go to Policy & Objects > Policy > IPv4 and edit the policy that allows connections from the internal network to the Internet.

Under Security Profiles, turn on Application Control and use the default profile.

Enabling Application Control will automatically enable SSL Inspection. In order to inspect traffic from Cloud Applications, the deep-inspection profile must be used.

4. Reviewing the FortiView dashboards

Go to System > FortiView > Applications and select the now view.

This dashboard shows the traffic that is currently flowing through your FortiGate, arranged by application (excluding Cloud Applications).

If you wish to know more about an application’s traffic, double-click on its entry to view drilldown information, including traffic sources, traffic destinations, and information about individual sessions.

Similar information can be viewed for Cloud Applications by going to System > FortiView > Cloud Applications and selecting Applications that have been used in the last 5 Minutes.

Cloud Applications also have drilldown options, including the ability to see which videos have been viewed if streaming video traffic was detected.

5. Creating an application profile to block applications

In the above example, traffic from BitTorrent, a Peer-to-Peer (P2P) downloading application, was detected. Next, you will create an application control profile that will block P2P traffic.

The new profile will also block all applications associated with YouTube, without blocking other applications in the Video/Audio category.

 

Go to Security Profiles > Application Control and create a new profile.

Select the P2P category and set it to Block.

Under Application Overrides, select Add Signatures.

Search for Youtube and select all the signatures that are shown.

Select Use Selected Signatures.

The signatures have been added to the Application Overrides list and have automatically been set to Block.

Enable Deep Inspection of Cloud Applications.

6. Adding the blocking profile to a security policy

Go to Policy & Objects > Policy > IPv4 and edit the policy that allows connections from the internal network to the Internet.

Set Application Control to use the new profile.

7. Results

Attempt to browse to YouTube. A warning message will appear, stating that the application was blocked.

Traffic from BitTorrent applications will also be blocked.

To see information about this blocked traffic, go to System > FortiView > All Sessions, select the 5 minutes view, and filter the traffic by application.
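
The same check can be run over exported application control logs. The script below is an added example, not part of the original recipe: it reports sessions in the recipe's block scope (the P2P category and YouTube signatures) that were blocked and any that still passed. The log lines are constructed, and the field names (`subtype`, `appcat`, `app`, `action`, `srcip`) and action values are assumptions modeled on the FortiOS key=value log format, which may differ on your firmware.

```python
import re
from collections import Counter

# Constructed sample lines in FortiOS-style key=value form (not real logs).
SAMPLE_LOG = """\
date=2015-03-02 time=10:01:12 type=utm subtype=app-ctrl srcip=192.168.1.10 dstip=203.0.113.5 appcat="P2P" app="BitTorrent" action=block
date=2015-03-02 time=10:01:40 type=utm subtype=app-ctrl srcip=192.168.1.11 dstip=198.51.100.7 appcat="Video/Audio" app="YouTube" action=block
date=2015-03-02 time=10:02:03 type=utm subtype=app-ctrl srcip=192.168.1.12 dstip=198.51.100.9 appcat="Video/Audio" app="Vimeo" action=pass
date=2015-03-02 time=10:02:30 type=utm subtype=app-ctrl srcip=192.168.1.10 dstip=203.0.113.8 appcat="P2P" app="BitTorrent" action=pass
date=2015-03-02 time=10:03:00 type=traffic subtype=forward srcip=192.168.1.13 dstip=198.51.100.20 action=accept
"""

# key=value pairs; a value is either a double-quoted string or a bare token.
PAIR = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, unquoting quoted values."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in PAIR.findall(line)}

def is_targeted(rec):
    """The recipe's block scope: the P2P category plus YouTube signatures."""
    return rec.get("appcat") == "P2P" or "youtube" in rec.get("app", "").lower()

def audit(log_text):
    """Count blocked targeted sessions and list targeted sessions that still passed."""
    blocked, leaks = Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("subtype") != "app-ctrl" or not is_targeted(rec):
            continue  # skip non-app-control logs and out-of-scope apps
        if rec.get("action") == "block":
            blocked[rec.get("app", "unknown")] += 1
        else:
            leaks.append((rec.get("srcip"), rec.get("app", "unknown"), rec.get("action")))
    return blocked, leaks

if __name__ == "__main__":
    blocked, leaks = audit(SAMPLE_LOG)
    print("blocked:", dict(blocked))
    for src, app, action in leaks:
        print(f"NOT BLOCKED: {app} from {src} (action={action})")
```

A non-empty leak list usually means the traffic matched a policy that does not use the blocking profile, or that the traffic was not fully inspected.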

For further reading, check out Application control in the FortiOS 5.2 Handbook.

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.

Using the deep-inspection profile may cause certificate errors. For information about avoiding this, see Preventing certificate warnings.
Because Application Control uses flow-based inspection, if you apply an additional security profile to your traffic that is proxy-based, the connection will simply time out rather than display the replacement message. However, Application Control will still function.
  • Victoria Martin

    That does sound like a possible explanation, however I would still recommend that you contact Support, since they can look into the issue in more detail than I am able to.

  • Tran Ngoc Quan

    Hi,
    I made a profile for blocking Skype. It's OK. But this profile also blocks Outlook.com & outlook.office365.com.
    Could you give me some advice about this case?
    Quan Tran

    • Victoria Martin

      Hello,

      Would you be able to share a screenshot of your Application Control profile?

      • Tran Ngoc Quan

        Okie Ms Martin.

        I am sending you a screenshot of the Security Profile.

        Thank you very much for your support

        Quan Tran

        • Victoria Martin

          Hello again,

          After looking at your profile, I don’t see anything that should be blocking Outlook and so I would suggest that you contact Support, so someone can take a more in-depth look at your configuration. Before doing that, I’d recommend that you read our article about working with Fortinet Support, as it can help make the process easier for you. You can find it at http://cookbook.fortinet.com/how-to-work-with-fortinet-support/

          I hope that helps!

          • Tran Ngoc Quan

            Thanks for your reply.

            Because webmail Outlook.com & Outlook.office365.com still have Skype on it, I think this stopped me from logging on to webmail when I activated this profile.

            Can you give me your email? We can talk in more detail through email. 🙂 🙂

            This is my email: quan.tn1989@gmail.com

            Thank you

            Quan Tran

  • Arief Arovah

    Hi Victoria,

    I already followed your tutorial for my FortiGate to block the uTorrent application but it didn’t work. I have blocked all of the P2P category in application but it didn’t work either. I use a FortiGate 60D with Firmware Version v5.0,build0271 (GA Patch 6). What should I do? Thank you

    • Victoria Martin

      Hi Arief,

      This recipe was written for the 5.2 firmware, so there may be some differences between how the configuration was done. There is a version of it that was written for 5.0, which you can find here: http://docs.fortinet.com/uploaded/files/1656/controlling-network-access-using-application-control.pdf

      One thing that I can think of that might be affecting your filter would be whether or not you are using full SSL inspection. Some applications may use encrypted traffic, so full SSL inspection is required to block everything. I will be adding a note about that to this recipe, since it seems to have been missed when it was initially written.

      I hope that helps!

      • Arief Arovah

        Hi Victoria, thank you for your response. Should I upgrade my firmware? But I’m afraid that if the upgrade fails in progress, my FortiGate will be damaged. What should I do, but with less risk? Thank you

        • Victoria Martin

          Hi Arief,

          You should not have to upgrade your firmware in order to block P2P applications. If you check out the PDF I linked above, you can find instructions for 5.0 – in fact, the PDF recipe is what the version here was based on.

          If you’re still having trouble, I would recommend getting in touch with Fortinet Support, to see if they can figure out why it isn’t working. You can find the contact info for your area at support.fortinet.com.