08-Application Control
Based on the applications, groups, and application categories applied to the policy, FortiOS will apply the firewall action to the application traffic. Which two actions are available to be configured?
Accept, Deny
Which action must you indicate for each filter in the Application Control Profile, to be applied when FortiGate traffic matches the filter? (HINT: there are 4)
Allow, Monitor, Block, Quarantine
The Application Control Profile allows you to use three different types of filters. Which filter is described below? Provides the flexibility to control specific signatures and applications.
Application Overrides
The IPS engine examines the traffic stream for a signature match. Then, FortiGate scans packets for matches against the application control profile. If all three filter types listed below are configured, what is the correct order in which a packet is scanned? Filter Overrides, Categories, Application Overrides
Application Overrides, Filter Overrides, Categories
Blocking QUIC forces Google Chrome to use HTTP2/TLS1.2 and causes FortiGate to log the QUIC traffic as blocked. The default action for QUIC is _____.
Block
The Application Control Profile allows you to use three different types of filters. Which filter is described below? Groups applications based on similarity. For example, all applications that are capable of providing remote access are grouped in the Remote Access category. You can view the signatures of all applications in a category or apply an action to a category as a whole.
Categories
The Application Control Profile allows you to use three different types of filters. What are they?
Categories, Application Overrides, Filter Overrides
If you are experiencing issues with a FortiGuard application control update, start troubleshooting the issue with the most basic steps: • Make sure that FortiGate has a stable connection to the Internet or FortiManager (if FortiGate is configured to receive updates from a FortiManager). • If the Internet connection is stable, check ___ resolution on FortiGate. • If FortiGate is installed behind a network firewall, make sure that port 443 is being correctly forwarded to FortiGate.
DNS
Should you select Deep-Inspection or Certificate-based inspection for the SSL/SSH inspection mode to ensure content inspection is performed on encrypted protocols?
Deep-Inspection
When the ____ action is selected on a firewall policy, the Log Violations option must be enabled to generate application control events for blocked traffic.
Deny
The Application Control Profile allows you to use three different types of filters. Which filter is described below? Useful when a predefined category does not meet your requirements and you want to block all applications based on criteria that are not available in categories. You can configure the categorization of applications based on behaviour, popularity, protocol, risk, vendor, or the technology used by the applications, and take action based on that.
Filter Overrides
Application Control is now a free __________ service and the database for Application Control Signatures is separate from the IPS database.
FortiGuard
For ____-based applications, Application Control can provide feedback to the user about why their application was blocked. This is called a block page, and it is similar to the one you can configure for URLs that you block using FortiGuard web filtering.
HTTP
Examine the details of how throttling works. Not all URL requests to www.youtube.com are for video. Your browser makes several _____ requests for: • The web page itself • Images • Scripts and style sheets • Video
HTTPS
It is also worth mentioning that, if deep inspection is enabled in the firewall policy, all _____-based applications will provide this block page.
HTTPS
Application Control uses an ___ engine to analyze network traffic and detect application traffic, even if the application is using standard or non-standard protocols and ports.
IPS
Which Application Control Profile action should be used to assess Applications (Allow, Monitor, Block, or Quarantine)?
Monitor
With traditional downloads from a server to a client, there is one client, one server, and a known port number, which can be easily blocked by a firewall. ___ applications do not use these protocols/methods.
P2P
NGFW Policy-Based mode also requires the use of central ____, instead of NAT settings applied within the firewall policy.
SNAT
It is important to note that all firewall policies in an NGFW Policy-Based mode VDOM or FortiGate must use the same ___/___ inspection profile.
SSL/SSH
There are two types of shapers that can be configured from the Traffic Shaping Policy page, and you can apply them in the traffic shaping policy. What are the two shapers?
Shared Shaper, Per-IP Shaper
(True/False) Information available in the Application Control Log & Report includes: log, source, destination, application, action.
True
After an Application Control Profile is configured, should it be applied to a Firewall Policy with SSL/SSH Inspection selected (True/False)?
True
Application Control Signature Hierarchical Structure Examples: 1. Social Media A. Facebook a. Facebook_Chat b. Facebook_Apps B. LinkedIn b. LinkedIn_Message 2. Audio/Video A. YouTube a. YouTube_Video_Play Does this give you the ability to inspect traffic for Applications with more granularity (True/False)?
True
Application Control doesn't operate using built-in protocol states. Does it match patterns in the entire byte stream of the packet, and then look for patterns (True/False)?
True
Are all Application Control events logged on the Application Control pane on the Log & Report page (True/False)?
True
Can Application Control be configured in proxy-based and flow-based virtual domains (True/False)?
True
Can you create a new firewall policy or edit an existing firewall policy (True/False)?
True
Can you limit the bandwidth of an application category or specific application by configuring a traffic shaping policy (True/False)?
True
Can you see a complete list of applications supported by FortiGuard at http://fortiguard.com, as well as request a signature for a new application on this site (True/False)?
True
Does Application Control allow you to block, allow, monitor, or traffic shape applications like Facebook, Gmail, and P2P/Proxy (True/False)?
True
Does the Replacement Messages for HTTP-based Applications setting allow you to replace blocked content with an explanation (for the user's benefit) (True/False)? NOTE: However, for non-HTTP/HTTPS applications, you can only drop the packets or reset the TCP connection.
True
Identifying traffic as unknown can cause frequent log entries. So, do frequent log entries decrease performance (True/False)?
True
If you configure the URL Category within the same firewall policy and add a URL Filter, will this cause Application Control to scan applications in only the browser-based technology category (True/False)?
True
In a P2P download there is one client, multiple servers, dynamic port numbers, dynamic encryption, making this hard to block for traditional firewalls that do not have sophisticated scanning (True/False)?
True
In addition to applying a URL Category filter, can you also apply AntiVirus, DNS Filter, and IPS security profiles to application traffic that is allowed to pass through (True/False)?
True
Is it extremely important to arrange firewall policies so that the more specific policies are located at the top to ensure proper use of Application Control (True/False)? Note: The SSH/SSL Inspection section is grayed out if it is selected at a VDOM level when NGFW policy-based mode is enabled.
True
Is it required to have Application Control Profiles applied to a firewall policy (True/False)?
True
Is it true that not all traffic requires an application control scan, and that you should not apply application control to internal-only traffic (True/False)?
True
NAT is applied to the traffic based on criteria defined in the Central SNAT policy. So, should you have a matching Central SNAT policy in NGFW policy-based mode to be able to pass traffic (True/False)?
True
NGFW policy matching works using a top-to-bottom approach. You must place a specific policy above a broader, more open policy. For example, if you want to block Facebook but allow the Social.Media category, should you place the policy blocking Facebook traffic above the policy allowing the Social.Media category (True/False)?
True
On the FortiView menu, the Applications page provides details about each application, such as the application name, category, and bandwidth. Does this require disk logging (True/False)?
True
Regardless of which inspection mode is used on the VDOM or FortiGate, it is important to note that the Application Control Profile uses flow-based scanning techniques (True/False)?
True
Should you create identical firewall policies for all redundant Internet connections to ensure that the same inspection is performed on failover traffic (True/False)?
True
Should you check the FortiGuard website for the latest version of the application control database (True/False)?
True
Should you use a FortiCloud account to save and view application control logs in FortiView on FortiGate devices that do not have a log disk (True/False)?
True
Some FortiGate models that feature specialized chips such as network processors and content processors can offload and accelerate application signature matching for enhanced performance (True/False)?
True
By design, P2P applications use protocols and methods such as port randomization, pinholes, and changing encryption patterns (True/False)?
True
When Application Control scans secure protocols, does it require SSL/SSH inspection profile on the same policy (True/False)?
True
When FortiGate is operating in NGFW policy-based mode, can administrators apply application control to a firewall policy directly, instead of having to create an application control profile first and then apply that to a firewall policy (True/False)? NOTE: Requires Central SNAT
True
When using application control, can you rate limit videos to prevent users from saturating your network bandwidth while still allowing them to access the other content on the site, such as comments or sharing links (True/False)?
True
Do you have to ensure that the matching criteria aligns with the firewall policy or policies to which you want to apply shaping (True/False)?
True NOTE: It does not have to match outright. For example, if the source in the firewall policy is set to all (0.0.0.0/0.0.0.0), the source in the traffic shaping policy can be set to any source that is included in all, for example, LOCAL_SUBNET (10.0.1.0/24).
Regardless of which operation mode application control is configured in, should logging be enabled on the firewall policy in order to log events (True/False)?
True. When you enable the logging of security events or all sessions on a firewall policy, application control events will also be logged.
Applying traffic shaping to applications is very useful when you're trying to limit traffic that uses the same TCP or ___ port numbers as mission-critical applications. Some high-traffic web sites, such as YouTube, can be throttled in this way.
UDP
FortiOS uses a three-step process to perform NGFW Policy-Based Application Filtering. Here is a brief overview of what happens at each step: In step 3, the FortiOS kernel performs a firewall policy lookup again, to see if the identified application id is listed in any of the existing firewall policies. This time the kernel uses both layer 4 and layer 7 information for policy matching. After the criteria matches a firewall policy rule, the FortiOS kernel applies the ______ configured on the firewall policy to the application traffic.
action
Which action should you choose for Profile-Based Applications, in order to further enhance network security by enabling AV scanning, DNS filtering, and IPS control (Allow/Block)? NOTE: You can also enable the logging of Security Events or All Sessions to ensure that all application control events are logged.
allow
What does an Application Control block page contain? Category, website host and URL, source and destination IP, user name and group (if ______________ is enabled), policy UUID, FortiGate host name
authentication
If a game site is allowed on Application Override and blocked on Filter Override will the site be blocked or allowed?
blocked. Filter Override occurs after Application Override. NOTE: Web Filter could still block the site if Filter Override or Categories allowed the site, because the Web Filter scan happens after the Application Control scan.
At the top of the Application Control profile page, you will see a summary of how many cloud applications require ____ inspection.
deep
FortiOS uses a three-step process to perform NGFW Policy-Based Application Filtering. Here is a brief overview of what happens at each step: In step 1, FortiOS will allow all traffic while forwarding packets to IPS engine for inspection and identification of the traffic. At the same time, FortiOS will create an entry in the session table for the traffic to pass and it adds a may_dirty ____ to it.
flag
Because Application Control uses the IPS engine, which uses ____-based inspection, inspection is always ____-based.
flow
FortiOS uses a three-step process to perform NGFW Policy-Based Application Filtering. Here is a brief overview of what happens at each step: In step 2, as soon as the IPS engine identifies the application, it updates the session entry with the following information: dirty flag, valid_app flag, and an application __.
id
If your locally installed database is out of date, try forcing FortiGate to check for the latest updates by running the 'execute update-___' command.
now
Flow-based inspection using the IPS engine can analyze packets for _______ matching and then look for patterns to detect P2P applications.
pattern
In NGFW Policy-Based mode you can select one or more Applications, Application Groups, and Application Categories on a firewall ______ in the Application section.
policy
In order to allow granular control, FortiGate applies the Application Control Profile settings to only traffic governed by the firewall ______ in which you've selected the Application Control Profile.
policy
Cloud applications that use SSL encryption cannot be scanned without a deep inspection _______. NOTE: FortiGate will need to decrypt the traffic in order to perform inspection and control application traffic.
profile
In order to configure Application Control, administrators must create an Application Control Profile and apply that profile to a firewall policy. This is possible when FortiGate or a VDOM is operating in flow-based (NGFW mode set to _______-based) inspection mode or proxy-based inspection mode.
profile
The Unknown Applications setting matches traffic that can't be matched to any application control signature and identifies the traffic as an unknown application in the logs. Factors that contribute to traffic being identified as an unknown application include: • How many rare applications your users are using • Which ___ database version you are using
rare IPS
When configuring Application Control Profiles — if you need to enable Allow and Log DNS Traffic, you should enable it only for short or long periods during an investigation (True/False)?
short. Depending on the application and how often it queries DNS servers, enabling this setting can use significant system resources.