Application firewall

The <firewall> </firewall> XML tags contain application firewall configuration data. The set of elements consists of two sections:

| Section | Description |
|---|---|
| General options | Options that apply to all application firewall activities. |
| Profiles | Defines applications and the actions to apply to them. |

<forticlient_configuration>
  <firewall>
    <enabled>1</enabled>
    <app_enabled>1</app_enabled>
    <enable_exploit_signatures>0</enable_exploit_signatures>
    <candc_enabled>1</candc_enabled>
    <current_profile>0</current_profile>
    <default_action>Pass</default_action>
    <show_bubble_notifications>0</show_bubble_notifications>
    <max_violations>250</max_violations>
    <max_violations_age>7</max_violations_age>
    <bypass_3rd_party_packets>0</bypass_3rd_party_packets>
    <profiles>
      <profile>
        <id>1000</id>
        <rules>
          <rule>
            <enabled>1</enabled>
            <action>Block</action>
            <compliance>1</compliance>
            <application>
              <id>34038,34039</id>
            </application>
          </rule>
          <rule>
            <action>Block</action>
            <compliance>1</compliance>
            <enabled>1</enabled>
            <category>
              <id>8</id>
            </category>
          </rule>
          <rule>
            <action>Pass</action>
            <compliance>1</compliance>
            <enabled>1</enabled>
            <category>
              <id>7,19,29</id>
            </category>
          </rule>
          <rule>
            <action>Block</action>
            <compliance>0</compliance>
            <enabled>1</enabled>
            <category>
              <id>1,2,3</id>
            </category>
          </rule>
          <rule>
            <action>Pass</action>
            <compliance>0</compliance>
            <enabled>1</enabled>
            <category>
              <id>All</id>
            </category>
          </rule>
          <rule>
            <action>Pass</action>
            <compliance>0</compliance>
            <enabled>1</enabled>
            <application>
              <id>0</id>
            </application>
          </rule>
        </rules>
      </profile>
    </profiles>
  </firewall>
</forticlient_configuration>

The following table provides the XML tags for application firewall, as well as the descriptions and default values where applicable.

| XML tag | Description | Default value |
|---|---|---|
| <enabled> | Enable application firewall. Boolean value: [0 \| 1] | 1 |
| <app_enabled> | Enable application firewall. Boolean value: [0 \| 1] | |
| <enable_exploit_signatures> | Enable detection of evasive exploits. Boolean value: [0 \| 1] | 0 |
| <candc_enabled> | Enable detection of a connection to a botnet command and control server. Boolean value: [0 \| 1] | |
| <current_profile> | Currently selected profile ID. | |
| <default_action> | Action to enforce on traffic that does not match any of the profiles defined. Enter one of the following: block, reset, pass. | pass |
| <show_bubble_notifications> | Display a bubble message each time FortiClient blocks an application for matching a profile. Boolean value: [0 \| 1] | |
| <max_violations> | Maximum number of violations stored at any one time. A number from 250 to 5000. | 5000 |
| <max_violation_age> | Maximum age in days of a violation record before it is culled. A number from 1 to 90. | 90 |
| <bypass_3rd_party_packets> | Enable bypassing packets that third party applications generate. Boolean value: [0 \| 1] | 0 |

The <profiles> tag may contain one or more <profile> tags, each of which has a <rules> element. The <rules> element may, itself, have zero or more <rule> tags.

The following filter elements may be used to define applications in a <rule> tag:

  • <category>
  • <vendor>
  • <behavior>
  • <technology>
  • <protocol>
  • <application>
  • <popularity>

If the <application> element is present, all other sibling elements (listed above) are ignored. If it is not, a given application must match all of the provided filters to trigger the rule.

Each of these seven elements is a container for the <ids> tag, which is a list of the identifiers (numbers) selected for that particular filter. The full <firewall> profile listed at the beginning of this section shows several examples of the use of filters within the <rule> element. Setting <ids> to all selects all matching applications.
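The following is an added example, not Fortinet code: a small Python audit that applies the documented value ranges and the <application> precedence rule to a configuration file, so that filters that would be silently ignored are reported. The function names and the sample configuration are constructed for illustration; filters are accepted both as direct children of <rule> and inside <filter>, since this page shows both layouts.

```python
import xml.etree.ElementTree as ET

FILTERS = {"category", "vendor", "behavior", "technology",
           "protocol", "application", "popularity"}
BOOLS = ("enabled", "app_enabled", "enable_exploit_signatures",
         "candc_enabled", "show_bubble_notifications", "bypass_3rd_party_packets")
# The page spells the age tag both ways; both are checked against 1-90.
RANGES = {"max_violations": (250, 5000),
          "max_violation_age": (1, 90), "max_violations_age": (1, 90)}

def rule_filters(rule):
    """Names of a rule's filter elements: direct children or inside <filter>."""
    holders = [rule] + rule.findall("filter")
    return {el.tag for h in holders for el in h if el.tag in FILTERS}

def audit(xml_text):
    """Return a list of findings for one <forticlient_configuration> document."""
    fw = ET.fromstring(xml_text).find("firewall")
    if fw is None:
        return ["no <firewall> element"]
    out = []
    for tag in BOOLS:
        v = fw.findtext(tag)
        if v is not None and v.strip() not in ("0", "1"):
            out.append(f"<{tag}>: '{v}' is not 0 or 1")
    for tag, (lo, hi) in RANGES.items():
        v = fw.findtext(tag)
        if v is not None and not (v.strip().isdigit() and lo <= int(v) <= hi):
            out.append(f"<{tag}>: '{v}' is outside {lo}-{hi}")
    for prof in fw.iterfind("profiles/profile"):
        for n, rule in enumerate(prof.iterfind("rules/rule"), 1):
            found = rule_filters(rule)
            if "application" in found and len(found) > 1:
                ignored = sorted(found - {"application"})
                out.append(f"profile {prof.findtext('id')} rule {n}: "
                           f"<application> set, ignored: {ignored}")
    return out

# Constructed sample: a bad boolean, an out-of-range count, a shadowed filter.
SAMPLE = """<forticlient_configuration><firewall>
<enabled>1</enabled><candc_enabled>yes</candc_enabled>
<max_violations>100</max_violations><max_violation_age>30</max_violation_age>
<profiles><profile><id>1000</id><rules>
<rule><enabled>1</enabled><action>Block</action>
  <application><id>34038</id></application><category><id>8</id></category></rule>
<rule><enabled>1</enabled><action>Pass</action>
  <filter><category><ids>1</ids></category></filter></rule>
</rules></profile></profiles></firewall></forticlient_configuration>"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```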

The following table provides profile element XML tags, the description, and the default value (where applicable).

| XML tag | Description | Default value |
|---|---|---|
| <profile> element | | |
| <id> | A unique ID number. | |
| <profile><rules><rule> elements | | |
| <action> | Action to enforce on traffic that matches this rule. Select one of the following: block, reset, pass. | |
| <compliance> | Specifies whether the rule is a compliance or regular rule. When set to 1, this is a compliance rule. When set to 0 or the tag does not exist, this is a FortiClient profile rule. For more information, see the FortiClient Administration Guide. Boolean value: [0 \| 1] | |
| <enabled> | Enable this rule. Boolean value: [0 \| 1] | 1 |
| <category> | Application categories to apply <action> on. CSV list. | |
| <vendor> | Application vendors to apply <action> on. CSV list. | |
| <behavior> | Application behavior to apply <action> on. CSV list. | |
| <technology> | Technologies used by the applications to apply <action> on. CSV list. | |
| <protocol> | Protocols used by the applications to apply <action> on. CSV list. | |
| <application> | Identifiers (IDs) of the applications to apply <action> on. CSV list. | |
| <popularity> | Popularity of the applications to apply <action> on. CSV list. | |

Rule example

In the following example, FortiClient uses the first rule as a compliance rule (its <compliance> tag is set to 1) and the second rule, which has no <compliance> tag, as a FortiClient profile rule:

<rules>
  <rule>
    <enabled>1</enabled>
    <action>block | warn | monitor</action>
    <compliance>1</compliance>
    <filter>
      <application>
        <ids>36373</ids>
      </application>
    </filter>
  </rule>
  <rule>
    <enabled>1</enabled>
    <action>block | warn | monitor</action>
    <filter>
      <category>
        <ids>1</ids>
      </category>
    </filter>
  </rule>
</rules>
