Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jesse_fletcher
New Contributor

Spotify block through override not taking effect

I'm having an odd issue with Application Control (Blocking Spotify) on an outgoing client policy on 6.2. Wondering if anyone would have any insight to what I may be missing?

The application control profile has Spotify added as an override with Block as the action. When I check the logs and filter Spotify it appears with pass as the action.

I've confirmed through these records that it is the correct policy which has the profile with the override in it that is being applied to that traffic.

Is there anything else in the app control profile that needs to be done other than adding the override block in order for that to work?

 

Screenshots linked below. Thanks.

 

https://www.dropbox.com/s/nomrodlithgsvnf/spotify1.PNG?dl=0

https://www.dropbox.com/s/1mlqf5g15kddmgi/spotify2.PNG?dl=0

https://www.dropbox.com/s/d0s0arkt5e4qeod/spotify3.PNG?dl=0

https://www.dropbox.com/s/hjgz9ml98ipzerb/spotify4.PNG?dl=0

16 REPLIES 16
hubertzw
Contributor III

Can you see in the logs the correct profile name (Application Control)?

jesse_fletcher

It appears that the Application Control Sensor appearing under the log details is "default" which doesn't match the "default-block-spotify" profile which has been created. Any reason why this profile would be showing even though the other is assigned to the policy which the traffic is passing through? The correct policy #27 is showing in the log detials which has the "default-block-spotify" profile attached. Screenshots below.

 

https://www.dropbox.com/s/uqsgy5q12kwkl0p/spotify5.PNG?dl=0

https://www.dropbox.com/s/v7g4q3h27o5yjxq/spotify6.PNG?dl=0

 

 

 

hubertzw

Yes, it doesn't make sense. Can you show the policy ID 27 configuration?

jesse_fletcher

hubertzw

You need the policy with Application Control with action 'block'. I see your policy 27 has action 'pass'.

 

I just test it and it works fine on 6.2:

 

date=2019-06-24 time=23:46:49 logid="1059028705" type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="warning" vd="root" eventtime=1561445209 appid=17405 srcip=10.0.1.10 dstip=104.154.127.47 srcport=49642 dstport=443 srcintf="port3" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" direction="outgoing" policyid=1 sessionid=1917 applist="spotify-test" appcat="Video/Audio" app="Spotify" action="block" hostname="www.spotify.com" incidentserialno=1399263240 url="/" msg="Video/Audio: Spotify," apprisk="medium"

jorge_americo

 

Try removing the override. and block the category. This test is just to see if it can be some problem in the override.

NSE-4

NSE-4
jesse_fletcher

jorge.americo wrote:

 

Try removing the override. and block the category. This test is just to see if it can be some problem in the override.

 

Tried this and the same thing occurs, log entry shows Spotify entry with pass and the policy with ID 27. It also shows under the log details the Application Control with the sensor with name "Default" which is not what is assigned to policy 27. I've disabled app control on the policy and re-enabled to test and the same thing occurs. The wrong app control sensor is assigned to the policy 27.

jorge_americo

ok. now I see a thing. try without webfilter option.

NSE-4

NSE-4
jesse_fletcher

No difference after disabling web filter on policy 27.

Labels
Top Kudoed Authors