aboodnet
New Contributor II

Need Little Help with Creating Custom Application Signature

Dears, 

 

There is a mobile application called Shahid. It is a streaming application just like Netflix. Our FG-101E classifies it as "HTTPS.BROWSER" (Application Name). We need to change that so it has the proper application name, "shahid". So, we are trying to create a custom application signature to identify this specific application, but we were unable to succeed using the below syntax.

 

F-SBID( --name shahid; --app_cat 5; --pattern *akamai* --pattern *shahid*; service http service https; --context host --protocol tcp; --flow bi_direction; --technology 0; --vendor 0; --risk 5; --pop 0; --no_case;)

 

Please find the image below for log details about the traffic we are trying to match. 

 

Is there something wrong with our syntax?

Thanks,

Dave_Hall
Honored Contributor

According to that log entry, it looks like the connection is encrypted, so Full SSL Inspection is likely needed to have the fgt decrypt the traffic in order to scan it. Alternately, if you employ SSL Certificate Inspection then you could use URL filter and set up a block for "*.mbc.net", which is listed for host on the security certificate.

 

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

aboodnet
New Contributor II

Dear Dave, 

 

Thanks for your response. First we need to identify the traffic as "shahid" before taking any further actions such as blocking it or traffic shaping it, for example.

 

How do we apply Full SSL Inspection for that particular traffic? 

 

Regards,
