Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
RBotha
New Contributor

"Failed to save changes" error message when trying to add New Application Signature

Good Afternoon,

I've been trying to add a new application signature for the last day with no luck! Every time I add

F-SBID (--name "electra.connection"; --protocol tcp; --service HTTP; --dst_port 5817; )

our FortiGate E61 just returns an error saying "Failed to save changes" and nothing else.

Our Application Control's Unknown Applications category [Active] is blocking a certain app. I don't want to enable that entire category just for the sake of this one application. I want to create the above application signature and set it as an application signature override in the Application Control options.

Kindly advise if I'm going about this the wrong way, or if you've encountered the same problem somewhere and how you fixed it.

Thanks

6 REPLIES
João_Falcão
New Contributor

Good afternoon,

I'm also having the same problem. FortiOS version v5.6.4 build1575 (GA).

Thanks

RBotha

jfalcao wrote:

Good afternoon,

I'm also having the same problem. FortiOS version v5.6.4 build1575 (GA) 

Thanks

There is a new firmware update available. Check your device and push that. I'm updating ours tonight. I'll revert if I have any news.

João_Falcão

The problem is a syntax error. After a lot of work, I was able to create this:

F-SBID (--name "TEST"; --protocol tcp; --app_cat 7; --dst_addr xxx.xxx.xxx.xxx; --dst_port 3390; --flow from_client;)

I want to allow the RDP application to a specific site (xxx.xxx.xxx.xxx) on port 3390. But the above signature still does not give me the desired matching. If anyone can help...

ede_pfau
Esteemed Contributor III

config application custom
    edit "elektra"
        set comment ''
        set signature "F-SBID( --attack_id 1511; --name \"electra.connection\"; --protocol tcp; --service HTTP; --dst_port 5817; --app_cat 15; )"
        set category 15
        set technology Network-Protocol
    next
end

This worked for me. Is it a '5.6' thing, or version independent? My FGT is running v5.4.9.

'category' was mandatory.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
hmtay_FTNT

Hello Joao, Rikus,

Ede is right, --app_cat is mandatory for an Application Control signature.

Joao, try adding --weight 20; to your signature. The Application Control signatures use that syntax to determine which one to trigger if multiple signatures trigger on a packet.

Homing
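
The points ede_pfau and hmtay_FTNT make above (every option written as `--option value;`, --app_cat mandatory for an Application Control signature, --weight to decide which signature wins) can be checked before a signature is pasted into the GUI. The following is an added example, not code from this thread or from Fortinet: a small Python linter for the F-SBID string. The signatures it checks are the ones posted in the thread (masking kept as written) plus one constructed string with a single-dash typo; that --name is mandatory and that a single dash is a hard error are this example's own assumptions, not something the thread states.

```python
import re
from dataclasses import dataclass, field

# Rules taken from the thread: options are written "--option value;",
# --app_cat is mandatory for an Application Control signature (ede_pfau,
# hmtay_FTNT) and --weight decides which signature wins when several match.
# Treating --name as mandatory and a single-dash option as a hard error
# are this example's own assumptions.
REQUIRED = ("name", "app_cat")
RECOMMENDED = ("attack_id", "weight")

# One option: dashes, keyword, optional value (quoted or bare), closing ';'.
OPTION_RE = re.compile(r'\s*(-{1,2})\s*(\w+)\s*("(?:[^"\\]|\\.)*"|[^;]*?)\s*;')


@dataclass
class Signature:
    options: dict = field(default_factory=dict)
    problems: list = field(default_factory=list)  # expected to fail the save
    warnings: list = field(default_factory=list)  # accepted, but worth adding

    @property
    def ok(self) -> bool:
        return not self.problems


def parse_fsbid(text: str) -> Signature:
    """Tokenize an F-SBID string and report syntax and completeness issues."""
    sig = Signature()
    wrapper = re.fullmatch(r'\s*F-SBID\s*\(\s*(.*?)\s*\)\s*', text, re.S)
    if not wrapper:
        sig.problems.append("not wrapped as F-SBID( ... )")
        return sig
    body, pos = wrapper.group(1), 0
    while pos < len(body):
        tok = OPTION_RE.match(body, pos)
        if not tok:
            sig.problems.append(f"cannot parse near {body[pos:pos + 20]!r}")
            break
        dashes, key, value = tok.groups()
        if dashes != "--":
            sig.problems.append(f"option {key} written with a single dash")
        if key in sig.options:
            sig.problems.append(f"duplicate option --{key}")
        # Drop surrounding quotes, including the CLI-escaped \" form.
        sig.options[key] = value.strip().strip('\\"')
        pos = tok.end()
    for key in REQUIRED:
        if key not in sig.options:
            sig.problems.append(f"missing mandatory --{key}")
    for key in RECOMMENDED:
        if key not in sig.options:
            sig.warnings.append(f"no --{key} set")
    return sig


# Signatures as posted in this thread (masking kept as the posters wrote it).
SIG_RBOTHA = 'F-SBID (--name "electra.connection"; --protocol tcp; --service HTTP; --dst_port 5817; )'
SIG_EDE = ('F-SBID( --attack_id 1511; --name "electra.connection"; --protocol tcp; '
           '--service HTTP; --dst_port 5817; --app_cat 15; )')
SIG_RDP = ('F-SBID( --attack_id 1934; --name "RDP.ALLOW"; --protocol 6; --flow from_client; '
           '--dst_addr 187.xx.xx.162; --dst_port 3390; --app_cat 7; --weight 30;)')
# Constructed for this example: a single-dash typo in front of dst_addr.
SIG_TYPO = 'F-SBID( --name "TEST"; --protocol tcp; --app_cat 7; - dst_addr 203.0.113.10; --dst_port 3390; )'


def report(text: str) -> str:
    """One-line verdict followed by the problems and warnings found."""
    sig = parse_fsbid(text)
    lines = ["OK" if sig.ok else "REJECT"]
    lines += ["  problem: " + p for p in sig.problems]
    lines += ["  warning: " + w for w in sig.warnings]
    return "\n".join(lines)


if __name__ == "__main__":
    for who, text in [("RBotha", SIG_RBOTHA), ("ede_pfau", SIG_EDE),
                      ("RDP.ALLOW", SIG_RDP), ("typo", SIG_TYPO)]:
        print(f"{who}: {report(text)}")
```

Run against the thread's first signature the linter reports only the missing --app_cat, which is the same conclusion the replies reach; ede_pfau's version passes with a warning about the absent --weight, and the RDP.ALLOW signature passes clean.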

João_Falcão

Hi HoMing,

Thank you very much for this tip. We still cannot get RDP to be allowed. We notice that it detects and allows the custom signature, and soon after it is blocked by the standard RDP signature.

See below:

F-SBID( --attack_id 1934; --name "RDP.ALLOW"; --protocol 6; --flow from_client; --dst_addr 187.xx.xx.162; --dst_port 3390; --app_cat 7; --weight 30;)

itime=2018-05-29 08:54:19 vd=root rcvdbyte=0 srccountry=Reserved craction=262144 app=RDP.ALLOW transip=187.xx.xx.196 dtime=2018-05-29 08:54:18 date=2018-05-29 devtype=Windows PC dstip=187.xx.xx.162 crscore=5 srcintfrole=lan duration=19 sentbyte=48 transport=59236 logid=0000000013 crlevel=low srcmac=00:21:f6:c3:xx:xx service=RDP proto=6 devid=FG200Dxxxxxx itime_t=1527594859 policytype=policy applist=default poluuid=9a2d4952-7b83-51e7-da6c-xx idseq=252045376473792512 dstport=3390 type=traffic unauthusersource=forticlient eventtime=1527594858 devname=TEST_FG200D dstintfrole=wan policyid=5 trandisp=snat osname=Windows sessionid=32351634 unauthuser=teste dstintf=vsw.wan2 srcintf=lan srcip=172.28.55.181 sentpkt=1 osversion=7 Service Pack 1 level=notice appcat=Remote.Access appid=1934 srcport=59236 srcserver=0 srcname=GPOW7 subtype=forward rcvdpkt=0 dstcountry=Brazil time=08:54:18 action=timeout mastersrcmac=00:21:f6:c3:xx:xx user=TESTE

itime=2018-05-29 08:54:27 vd=root app=RDP direction=outgoing dtime=2018-05-29 08:54:27 date=2018-05-29 dstip=187.xx.xx.162 srcintfrole=lan dstintfrole=wan apprisk=high service=RDP proto=6 eventtype=app-ctrl-all devid=FG200Dxxxxxx applist=default msg=Remote.Access: RDP, idseq=252045376473792512 dstport=3390 type=utm unauthusersource=forticlient eventtime=1527594867 incidentserialno=1659113346 itime_t=1527594867 policyid=5 time=08:54:27 sessionid=32352650 unauthuser=teste user=TESTE srcintf=lan srcip=172.28.55.181 level=warning appcat=Remote.Access srcport=59238 logid=1059028705 subtype=app-ctrl devname=TEST_FG200D appid=15511 action=block fctuid=3F7F32D5654746BEAF340E2B52058BE0 dstintf=vsw.wan2
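
Reading the two records above by eye is tedious. The following added example (Python; not part of the thread and not Fortinet code) parses FortiGate key=value log lines, including the unquoted values containing spaces that this export shows (devtype=Windows PC, osversion=7 Service Pack 1), groups them per source, destination and port, and lists in time order which application signature each session matched and what action was taken. The two records are João_Falcão's lines copied verbatim with his masking kept; the grouping key and the "overridden" heuristic (a session matched by the custom signature, and a block from a different signature to the same destination) are this example's own choices.

```python
import re
from collections import defaultdict

# FortiGate records are "key=value" pairs. Values may be quoted, or (as in the
# export above) unquoted and containing spaces, e.g. osversion=7 Service Pack 1.
# The lookahead ends a bare value where the next " key=" begins.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|.*?)(?=\s+\w+=|\s*$)')


def parse_record(line: str) -> dict:
    """Turn one log line into a dict; quotes around values are removed."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line.strip())}


def flows(records):
    """Group records by (srcip, dstip, dstport), oldest event first."""
    groups = defaultdict(list)
    for rec in records:
        groups[(rec.get("srcip"), rec.get("dstip"), rec.get("dstport"))].append(rec)
    for recs in groups.values():
        recs.sort(key=lambda r: int(r.get("eventtime", "0")))
    return groups


def overridden_flows(records, custom_app):
    """Flows where the custom signature matched one session and a different
    application signature blocked another session to the same destination.
    Returns {flow_key: [(sessionid, app, appid, action), ...]} in time order."""
    hits = {}
    for key, recs in flows(records).items():
        matched_custom = any(r.get("app") == custom_app for r in recs)
        blocked_by_other = any(
            r.get("subtype") == "app-ctrl" and r.get("action") == "block"
            and r.get("app") != custom_app
            for r in recs)
        if matched_custom and blocked_by_other:
            hits[key] = [(r.get("sessionid"), r.get("app"), r.get("appid"), r.get("action"))
                         for r in recs]
    return hits


# The two records João_Falcão posted above, copied verbatim (masking kept).
LOGS = [
    "itime=2018-05-29 08:54:19 vd=root rcvdbyte=0 srccountry=Reserved craction=262144 app=RDP.ALLOW transip=187.xx.xx.196 dtime=2018-05-29 08:54:18 date=2018-05-29 devtype=Windows PC dstip=187.xx.xx.162 crscore=5 srcintfrole=lan duration=19 sentbyte=48 transport=59236 logid=0000000013 crlevel=low srcmac=00:21:f6:c3:xx:xx service=RDP proto=6 devid=FG200Dxxxxxx itime_t=1527594859 policytype=policy applist=default poluuid=9a2d4952-7b83-51e7-da6c-xx idseq=252045376473792512 dstport=3390 type=traffic unauthusersource=forticlient eventtime=1527594858 devname=TEST_FG200D dstintfrole=wan policyid=5 trandisp=snat osname=Windows sessionid=32351634 unauthuser=teste dstintf=vsw.wan2 srcintf=lan srcip=172.28.55.181 sentpkt=1 osversion=7 Service Pack 1 level=notice appcat=Remote.Access appid=1934 srcport=59236 srcserver=0 srcname=GPOW7 subtype=forward rcvdpkt=0 dstcountry=Brazil time=08:54:18 action=timeout mastersrcmac=00:21:f6:c3:xx:xx user=TESTE",
    "itime=2018-05-29 08:54:27 vd=root app=RDP direction=outgoing dtime=2018-05-29 08:54:27 date=2018-05-29 dstip=187.xx.xx.162 srcintfrole=lan dstintfrole=wan apprisk=high service=RDP proto=6 eventtype=app-ctrl-all devid=FG200Dxxxxxx applist=default msg=Remote.Access: RDP, idseq=252045376473792512 dstport=3390 type=utm unauthusersource=forticlient eventtime=1527594867 incidentserialno=1659113346 itime_t=1527594867 policyid=5 time=08:54:27 sessionid=32352650 unauthuser=teste user=TESTE srcintf=lan srcip=172.28.55.181 level=warning appcat=Remote.Access srcport=59238 logid=1059028705 subtype=app-ctrl devname=TEST_FG200D appid=15511 action=block fctuid=3F7F32D5654746BEAF340E2B52058BE0 dstintf=vsw.wan2",
]


if __name__ == "__main__":
    for key, trail in overridden_flows([parse_record(l) for l in LOGS], "RDP.ALLOW").items():
        print(key)
        for session in trail:
            print("   ", session)
```

The per-session listing makes visible what the raw records hide: the two entries are different sessions (sessionid 32351634 with srcport 59236, then 32352650 with srcport 59238), the first matched the custom RDP.ALLOW signature (appid 1934) and ended with action=timeout, the second matched the built-in RDP signature (appid 15511) and was blocked.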
