Once you have created an application sensor, you need to define the applications that you want to control.
You can add applications using application entries and application filters. Entries allow you to choose individual applications. Filters allow you to choose application attributes and all the applications with matching attributes are included in the filter.
The sequence of the entries in the table is significant. The entries are checked against the traffic in sequence, from top to bottom. If a match is found and the action is Block or Reset, the action is performed and further checking is stopped. If the action is Monitor, the traffic is checked against all of the signatures in the sensor and the best match to the signature is the one that is logged.
To add an application entry to an application sensor
1. Go to Security Profiles > Application Control > Application Sensors.
2. Select an application sensor from the drop-down list in the Edit Application Sensor window title bar.
3. Select the Create New icon in the sensor area. This brings up a new window entitled New Application Filter.
4. Choose the format of the filter. There are two types of entries that can be added to a sensor. The type of entry is determined by the selection of the sensor type. The choices are either Filter Based or Specify Applications.
• Filter Based
This option is for choosing groups of similar applications based on the filters of Category, Popularity, Technology and Risk. Once the parameters of the 4 filter types have been chosen, every application that falls into that filtered list will be included in the list that the Application Control engine uses to filter the network traffic.
• Specify Applications
This option is good for a more granular approach to picking the applications to be filtered. It allows the same filters that were used in the Filter Based option to be used to develop a list of applications, but with the Specify Applications option you choose which applications in that list are actually filtered. They are selected individually.
The difference in the Web-based Manager, when alternating between the Sensor Types, is that when the Filter Based option is chosen the Filter Options section appears by default. If the Specify Applications sensor type is chosen, you can click on the [Filter Options] link to make it appear and use it to narrow down the list of possible applications, but it does not show up by default. The other difference is that with the Specify Applications option you are given an additional field at the top of the Application List that allows you to type the name of an application and search for it in that manner.
To use the search field, located above the application list, start typing any portion of the application name. The main list of applications will adjust accordingly.
5. Narrow down the list of applications to be filtered. This will depend a little on which Sensor Type was chosen. If the Filter Based option was chosen, by default the top section of the window will show the properties by which the list of application filters can be filtered into a more manageable list. These properties are broken into 4 sections representing the properties of Category, Popularity, Technology and Risk. Between the property filter section and the Action section of the window there is a listing of the individual application filters that have been configured into the appliance.
Each of these individual application filters is assigned a value in each of the 4 properties. The values that can be assigned to these properties are listed in the 4 sections. By enabling the check boxes next to the properties in the sections, the list can be narrowed down until it only includes the subset of the individual application filters that you wish to make up the sensor entry or Application Filter.
When choosing a property, if the specific value is unknown, do not disable the whole property section: a section with no value selected causes the list of individual application filters to be empty, so nothing will match.
The properties have been broken down into the following sections:
a. Category
These are the types of application that are available to filter by:
Table 10: Property values listed in the Category section, along with ID#

Category Name        Category ID#
Botnet               19
eMail                21
File.Sharing         24
Game                 8
General.Interest     12
IM                   1
Media                5
Network.Service      15
P2P                  2
Proxy                6
Remote.Access        7
Social.Networking    23
Storage.Backup       22
Update               17
VoIP                 3
Web.Surfing          25

There is also a category designation reserved for future use.
These categories should cover the bulk of application-based network traffic. For example, if you wanted to disallow the use of Peer to Peer (P2P) applications because you didn't want your users tying up your bandwidth with torrent downloads, you would select the P2P category and set the Action to Block.
b. Popularity
Popularity is broken down into 5 levels represented by stars, with 5 stars representing the most popular applications and 1 star representing the least popular. The Popularity property works well when trying to narrow down the list within one of the categories. Using the previous category example of P2P traffic, if you wanted to monitor only the activity of the most popular applications, which number about 30 as opposed to over 100, you would choose P2P from Category and the 5 star popularity.
c. Technology
Technology is broken down into 3 technology models as well as the more basic Network-Protocol, which can be used as a catch-all for anything not covered by the more narrowly defined technologies of:
• Browser-Based
• Client-Server
• Peer-to-Peer
d. Risk
The Risk property does not indicate the level of risk but the type of impact that is likely to occur by allowing the traffic from that application. The Risk list is broken down into the following:
• Botnet
• Excessive-Bandwidth
• None
6. Pick the individual applications if using the Specify Applications Sensor type.
From the list of possible applications, highlight an application by selecting it. If you choose an application in error, you can unhighlight or deselect the application by clicking on it again.
If the Filter Based sensor type is being used this will not be an option.
7. Select the Action the FortiGate unit will take when it detects network traffic from the application:
• Monitor allows the application traffic to flow normally and logs all occurrences.
If you set the action to Monitor, you have the option of enabling traffic shaping for the application or applications specified in this application list entry. For more information about application control traffic shaping, see "Enabling application traffic shaping" on page 152.
• Block will stop all traffic from the application and log all occurrences.
• Reset will reset the network connection on the session that the specified application traffic was detected on.
• Traffic Shaping will allow a Traffic Shaping profile to be applied to the application traffic that triggered the sensor.
Choosing the Traffic Shaping action causes the following secondary options to appear:
• Forward Direction Traffic Shaping, with a checkbox
• Reverse Direction Traffic Shaping, with a checkbox
If the checkbox is enabled for one of these options, a dropdown menu appears next to that option that allows you to choose one of the existing Traffic Shaping profiles. If you are going to use Traffic Shaping as an action in Application Control, it is best to set up any Traffic Shaping profiles that you will want in advance.
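The following Python script is an added example, not Fortinet code and not part of the original handbook text. It simulates the two rules this section describes: the top-to-bottom entry evaluation (a Block or Reset match stops checking, while Monitor matches are all collected and the best one is logged) and the two entry types from steps 4 and 5 (Filter Based entries defined by Category, Popularity, Technology and Risk, and Specify Applications entries that name applications individually). The category IDs, popularity scale, technology models and risk types come from the section above; the application names in the catalogue are constructed, and "best match" is interpreted here as the entry that excludes the most property values (an explicit application list counting as the most specific), which is an assumption, not a documented FortiGate rule.

```python
"""Simulation of FortiGate application sensor matching (added example; not Fortinet code)."""
from dataclasses import dataclass
from typing import Optional

# Property values as listed on the page: Table 10 category IDs, the 1-5 star
# Popularity scale, the Technology models and the Risk types.
CATEGORY_ID = {
    "Botnet": 19, "eMail": 21, "File.Sharing": 24, "Game": 8,
    "General.Interest": 12, "IM": 1, "Media": 5, "Network.Service": 15,
    "P2P": 2, "Proxy": 6, "Remote.Access": 7, "Social.Networking": 23,
    "Storage.Backup": 22, "Update": 17, "VoIP": 3, "Web.Surfing": 25,
}
POPULARITY = frozenset({1, 2, 3, 4, 5})
TECHNOLOGY = frozenset({"Browser-Based", "Client-Server", "Peer-to-Peer", "Network-Protocol"})
RISK = frozenset({"Botnet", "Excessive-Bandwidth", "None"})


@dataclass(frozen=True)
class AppSignature:
    """One entry of the application signature database."""
    name: str
    category: str
    popularity: int
    technology: str
    risk: str


# Constructed sample catalogue; these application names are hypothetical.
CATALOGUE = [
    AppSignature("Torrent.Client.A", "P2P", 5, "Peer-to-Peer", "Excessive-Bandwidth"),
    AppSignature("Torrent.Client.B", "P2P", 2, "Peer-to-Peer", "Excessive-Bandwidth"),
    AppSignature("Chat.App.C", "IM", 5, "Client-Server", "None"),
    AppSignature("Bot.CnC.D", "Botnet", 1, "Network-Protocol", "Botnet"),
]


@dataclass(frozen=True)
class SensorEntry:
    """One row of the sensor table. Default filters have every box ticked (match any)."""
    action: str                                  # "monitor", "block" or "reset"
    category: frozenset = frozenset(CATEGORY_ID)
    popularity: frozenset = POPULARITY
    technology: frozenset = TECHNOLOGY
    risk: frozenset = RISK
    applications: Optional[frozenset] = None     # set => Specify Applications entry

    def matches(self, app: AppSignature) -> bool:
        if self.applications is not None:        # Specify Applications: explicit picks only
            return app.name in self.applications
        # Filter Based: the app's value must be ticked in every property section.
        # A section with nothing ticked is an empty set and so matches nothing,
        # which is the step 5 caveat about not disabling a property section.
        return (app.category in self.category and app.popularity in self.popularity
                and app.technology in self.technology and app.risk in self.risk)

    def specificity(self) -> int:
        """Assumption: 'best match' = the entry that excludes the most values."""
        if self.applications is not None:
            return 10 ** 6                       # an explicit application list beats any filter
        return sum(len(full) - len(chosen) for full, chosen in (
            (CATEGORY_ID, self.category), (POPULARITY, self.popularity),
            (TECHNOLOGY, self.technology), (RISK, self.risk)))


def evaluate(sensor, app):
    """Check entries top to bottom; return (action, index of the entry that is logged)."""
    monitor_hits = []
    for idx, entry in enumerate(sensor, start=1):
        if not entry.matches(app):
            continue
        if entry.action in ("block", "reset"):
            return entry.action, idx             # first Block/Reset match wins; stop checking
        monitor_hits.append((entry.specificity(), -idx, idx))  # Monitor: keep checking
    if monitor_hits:
        return "monitor", max(monitor_hits)[2]   # most specific Monitor entry is logged
    return "pass", None                          # no entry matched: traffic is not logged


def run_catalogue(sensor):
    """Decision for every catalogue application, keyed by application name."""
    return {app.name: evaluate(sensor, app) for app in CATALOGUE}


# Constructed sensor: entries 1 and 2 are the step 5 examples (monitor all P2P,
# and the narrower 5-star P2P), entry 3 is a Specify Applications block, and
# entry 4 is a Botnet category block that entry 3 shadows for Bot.CnC.D.
SENSOR = [
    SensorEntry("monitor", category=frozenset({"P2P"})),
    SensorEntry("monitor", category=frozenset({"P2P"}), popularity=frozenset({5})),
    SensorEntry("block", applications=frozenset({"Bot.CnC.D"})),
    SensorEntry("block", category=frozenset({"Botnet"})),
]

if __name__ == "__main__":
    for name, (action, logged) in run_catalogue(SENSOR).items():
        print(f"{name:18} -> {action:8} logged entry: {logged}")
```

Running the script shows the ordering effect directly: the 5-star torrent client is logged against entry 2 rather than the broader entry 1, the 2-star client only ever matches entry 1, the chat application matches nothing and passes unlogged, and the botnet sample is stopped by entry 3 before the category-wide entry 4 is ever consulted. Passing an entry with an empty `category` set reproduces the empty-list caveat from step 5: it matches no traffic at all.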