Application firewall
Application Firewall configuration data is contained in `<firewall> </firewall>` XML tags.
The set of elements may be grouped into two:
- General options: options that apply to the entire firewall's activities.
- Profiles: define the applications and the actions to apply to them.
```xml
<forticlient_configuration>
  <firewall>
    <enabled>1</enabled>
    <app_enabled>1</app_enabled>
    <enable_exploit_signatures>0</enable_exploit_signatures>
    <candc_enabled>1</candc_enabled>
    <current_profile>0</current_profile>
    <default_action>Pass</default_action>
    <show_bubble_notifications>0</show_bubble_notifications>
    <max_violations>250</max_violations>
    <max_violations_age>7</max_violations_age>
    <bypass_3rd_party_packets>0</bypass_3rd_party_packets>
    <profiles>
      <profile>
        <id>1000</id>
        <rules>
          <rule>
            <enabled>1</enabled>
            <action>Block</action>
            <compliance>1</compliance>
            <application>
              <id>34038,34039</id>
            </application>
          </rule>
          <rule>
            <action>Block</action>
            <compliance>1</compliance>
            <enabled>1</enabled>
            <category>
              <id>8</id>
            </category>
          </rule>
          <rule>
            <action>Pass</action>
            <compliance>1</compliance>
            <enabled>1</enabled>
            <category>
              <id>7,19,29</id>
            </category>
          </rule>
          <rule>
            <action>Block</action>
            <compliance>0</compliance>
            <enabled>1</enabled>
            <category>
              <id>1,2,3</id>
            </category>
          </rule>
          <rule>
            <action>Pass</action>
            <compliance>0</compliance>
            <enabled>1</enabled>
            <category>
              <id>All</id>
            </category>
          </rule>
          <rule>
            <action>Pass</action>
            <compliance>0</compliance>
            <enabled>1</enabled>
            <application>
              <id>0</id>
            </application>
          </rule>
        </rules>
      </profile>
    </profiles>
  </firewall>
</forticlient_configuration>
```
The following table provides the XML tags for Application Firewall, as well as their descriptions and default values where applicable.

| XML tag | Description | Default value |
|---|---|---|
| `<enabled>` | Enable or disable Application Firewall. This setting allows FortiClient 5.4 to be compatible with FortiGate 5.2. Boolean value: | 1 |
| `<app_enabled>` | Enable or disable Application Firewall. Boolean value: | |
| `<enable_exploit_signatures>` | Enable or disable detection of evasive exploits. When set to Boolean value: | 0 |
| `<candc_enabled>` | Enable or disable detection of a connection to a botnet command and control server. Set to Boolean value: | |
| `<current_profile>` | Currently selected profile ID. | |
| `<default_action>` | Action to enforce on traffic that does not match any of the profiles defined. Select one of the following: | pass |
| `<show_bubble_notifications>` | Display a bubble message each time an application is blocked for matching a profile. Boolean value: | |
| `<max_violations>` | Maximum number of violations stored at any one time. A number from 250 to 5000. | 5000 |
| `<max_violation_age>` | Maximum age in days of a violation record before it is culled. A number from 1 to 90. | 90 |
| `<bypass_3rd_party_packets>` | If set to 1, Application Firewall bypasses packets generated by third party applications. If set to 0, Application Firewall does not bypass packets generated by third party applications. Boolean value: | 0 |
The `<profiles>` tag may contain one or more `<profile>` tags, each of which has a `<rules>` element. The `<rules>` element may, itself, have zero or more `<rule>` tags.

The following filter elements may be used to define applications in a `<rule>` tag:
- `<category>`
- `<vendor>`
- `<behavior>`
- `<technology>`
- `<protocol>`
- `<application>`
- `<popularity>`

If the `<application>` element is present, all other sibling elements (listed above) are ignored. If it is not, a given application must match all of the provided filters to trigger the rule.

Each of these seven elements is a container for the `<ids>` tag, which is a list of the identifiers (numbers) selected for that particular filter. The full `<firewall>` profile listed at the beginning of this section shows several examples of the use of filters within the `<rule>` element. Using the `<ids>` value `all` selects all matching applications.
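To make the matching semantics above concrete, here is an added Python example (not FortiClient's code) that evaluates a `<firewall>` profile against an application's attributes. It assumes rules are tried in document order with the first matching enabled rule winning, which the page does not state, and it accepts both `<ids>` and `<id>` because the page uses both spellings.

```python
# Added example, not FortiClient code: evaluate which Application Firewall rule applies
# to an application. Assumptions: rules are tried in document order and the first matching
# enabled rule wins; <ids> and <id> are both accepted, since the page uses both spellings.
import xml.etree.ElementTree as ET

FILTERS = ("category", "vendor", "behavior", "technology", "protocol", "popularity")

# Constructed sample config: two compliance rules, one disabled rule, then a catch-all.
SAMPLE_XML = """<forticlient_configuration><firewall>
 <enabled>1</enabled><default_action>Pass</default_action>
 <profiles><profile><id>1000</id><rules>
  <rule><enabled>1</enabled><action>Block</action><compliance>1</compliance>
        <application><ids>34038,34039</ids></application></rule>
  <rule><enabled>1</enabled><action>Block</action><compliance>1</compliance>
        <category><id>8</id></category><vendor><id>5</id></vendor></rule>
  <rule><enabled>0</enabled><action>Block</action><category><id>7</id></category></rule>
  <rule><enabled>1</enabled><action>Pass</action><category><id>All</id></category></rule>
 </rules></profile></profiles></firewall></forticlient_configuration>"""

def _ids(elem):
    """Return the filter's set of IDs, or None for the 'all' wildcard."""
    node = elem.find("ids") if elem.find("ids") is not None else elem.find("id")
    text = (node.text or "").strip() if node is not None else ""
    return None if text.lower() == "all" else {t.strip() for t in text.split(",") if t.strip()}

def _matches(rule, app):
    """<application> overrides sibling filters; otherwise every present filter must match."""
    app_filter = rule.find("application")
    if app_filter is not None:
        ids = _ids(app_filter)
        return ids is None or str(app["id"]) in ids
    present = [rule.find(name) for name in FILTERS if rule.find(name) is not None]
    if not present:
        return False  # a rule with no filter selects nothing
    for f in present:
        ids = _ids(f)
        if ids is not None and str(app.get(f.tag, "")) not in ids:
            return False
    return True

def evaluate(xml_text, app):
    """Return (action, is_compliance_rule); default_action applies when no rule matches."""
    fw = ET.fromstring(xml_text).find("firewall")
    for rule in fw.iter("rule"):
        if rule.findtext("enabled", "1").strip() != "1":
            continue  # disabled rules never match
        if _matches(rule, app):
            return rule.findtext("action").strip(), rule.findtext("compliance", "0").strip() == "1"
    return fw.findtext("default_action", "Pass").strip(), False
```

Calling `evaluate(SAMPLE_XML, {"id": 34039})` returns the compliance block from the first rule, while an application that only hits the disabled rule falls through to the catch-all.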
The following table provides the profile element XML tags, their descriptions, and their default values (where applicable).

| XML Tag | Description | Default Value |
|---|---|---|
| `<profile>` element | | |
| `<id>` | Unique ID number. | |
| `<action>` | Action to enforce on traffic that matches this rule. Select one of the following: | |
| `<compliance>` | Specifies whether the rule is a compliance rule or a regular rule. When set to Boolean value: | |
| `<enabled>` | Enable or disable this rule. Boolean value: | 1 |
| `<category>` | Categories of the applications to apply | csv list |
| `<vendor>` | Vendors of the applications to apply | csv list |
| `<behavior>` | Behavior of the applications to apply | csv list |
| `<technology>` | Technologies used by the applications to apply | csv list |
| `<protocol>` | Protocols used by the applications to apply | csv list |
| `<application>` | Identifiers (IDs) of the applications to apply | csv list |
| `<popularity>` | Popularity of the applications to apply | csv list |
Rule example
In the following example, the first rule is used for compliance. The second rule is a regular rule and not used for compliance.
```xml
<rules>
  <rule>
    <enabled>1</enabled>
    <action>block | warn | monitor</action>
    <compliance>1</compliance>
    <filter>
      <application>
        <ids>36373</ids>
      </application>
    </filter>
  </rule>
  <rule>
    <enabled>1</enabled>
    <action>block | warn | monitor</action>
    <filter>
      <category>
        <ids>1</ids>
      </category>
    </filter>
  </rule>
</rules>
```