Handbook

6.0.0
Allowing software updates

Some departments at Example Corporation do not require access to the Internet to perform their duties. Management therefore decided to block their Internet access. Software updates quickly became an issue because automatic updates will not function without Internet access and manual application of updates is time-consuming.

The solution is configuring application control to allow only automatic software updates to access the Internet.

The configuration steps outlined below apply to FortiGate units operating in proxy-based inspection mode and in flow-based inspection mode with profile-based NGFW mode.

To create an application sensor — GUI
  1. Go to Security Profiles > Application Control.
  2. Select the Create New icon in the title bar of the Edit Application Sensor window.
  3. In the Name field, enter Updates_Only as the application sensor name.
  4. In the Category list, left-click the category that covers software updates to open its action dropdown.
  5. Select Monitor from the dropdown menu.
  6. Select Block for the rest of the categories.
  7. Select OK.
To create an application sensor — CLI

    config application list
        edit Updates_Only
            config entries
                edit 1
                    set category 17
                    set action pass
            end
            set other-application-action block
            set unknown-application-action block
    end

Caution: The naming convention differs between the GUI and the CLI. For instance, the action the CLI calls “pass” is the action the GUI calls “Monitor”.

Selecting the application sensor in a security policy

An application sensor directs the FortiGate unit to scan network traffic only when it is selected in a security policy. When an application sensor is selected in a security policy, its settings are applied to all the traffic the security policy handles.

To select the application sensor in a security policy — GUI
  1. Go to Policy & Objects > IPv4 Policy.
  2. Select a policy.
  3. Select the Edit icon.
  4. Under the heading Security Profiles toggle the button next to Application Control to turn it on.
  5. In the dropdown next to Application Control, select the Updates_Only sensor.
  6. Select OK.
To select the application sensor in a security policy — CLI

    config firewall policy
        edit 1
            set utm-status enable
            set profile-protocol-options default
            set application-list Updates_Only
    end

Traffic handled by the security policy you modified will be scanned for application traffic. Software updates are permitted and all other application traffic is blocked.
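A way to verify the result before relying on it: the following added example (not Fortinet code) parses a FortiOS-style CLI snippet and checks that the Updates_Only sensor passes only category 17, blocks other and unknown applications, and is referenced by a policy with UTM enabled. The sample input is constructed to mirror the two CLI blocks above, and the parser handles only the config/edit/set/next/end keywords.

```python
"""Added example: check a FortiOS-style CLI snippet against this page's intent."""
import shlex
# Constructed input mirroring the two CLI blocks on this page.
SAMPLE = """\
config application list
edit Updates_Only
config entries
edit 1
set category 17
set action pass
end
set other-application-action block
set unknown-application-action block
end
config firewall policy
edit 1
set utm-status enable
set application-list Updates_Only
end
"""

def parse(text):
    # Nested dict: config tables hold edit entries, entries hold set values.
    stack = [("root", {})]  # (keyword that opened the level, its dict)
    for kw, *args in filter(None, map(shlex.split, text.splitlines())):
        if kw in ("config", "edit"):
            stack.append((kw, stack[-1][1].setdefault(" ".join(args), {})))
        elif kw == "set":
            stack[-1][1][args[0]] = " ".join(args[1:])
        elif kw == "next":
            stack.pop()
        elif kw == "end":  # closes the table and any edit still open inside it
            while stack[-1][0] == "edit":
                stack.pop()
            if stack[-1][0] == "config":
                stack.pop()
    return stack[0][1]

def check_updates_only(cfg, sensor="Updates_Only", update_cat="17"):
    # Return findings; an empty list means the sensor matches this page.
    s = cfg.get("application list", {}).get(sensor)
    if s is None:
        return ["sensor %s not defined" % sensor]
    findings = ["%s must be block" % k for k in ("other-application-action",
                "unknown-application-action") if s.get(k) != "block"]
    for eid, e in s.get("entries", {}).items():
        if e.get("action") != "block" and e.get("category") != update_cat:
            findings.append("entry %s passes category %s" % (eid, e.get("category")))
    if not any(p.get("application-list") == sensor and p.get("utm-status") == "enable"
               for p in cfg.get("firewall policy", {}).values()):
        findings.append("no UTM-enabled policy uses %s" % sensor)
    return findings
```

Feed it the output of `show application list` and `show firewall policy` from the unit to confirm that a later edit has not loosened the sensor or unbound it from the policy.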
