Fortigate firewall: How to configure Application Control to block application access

1. The purpose of the article

In this article, Techbast will show you how to configure Application Control to prevent users from accessing unwanted applications.



We have a Fortinet firewall device connected to the internet at port wan1 with a static IP of 115.78.x.x.

The LAN subnet of the Fortinet device is configured at port internal3 with an IP of and has DHCP configured to allocate to devices connected to it.

Finally, Computer 1 receives DHCP from Fortinet with IP

On this Fortinet device, policies, NAT, routing, etc. have been configured so that computers in the LAN such as Computer 1 can access the internet.


Techbast will configure the Application Control feature to block access to the Facebook application and to block game-related applications.

4. What to do

  • Check the Application Control license again.
  • Create Application Control profile.
  • Assign the Application Control profile to policy.


5.1. Check the Application Control license again.

Before we configure and use the Application Control feature on Fortinet, we need to make sure that the Fortinet firewall device has the Application Control license enabled.

To check, we go to System > Feature Visibility.

In the Security Features section, we need to make sure that the Application Control feature is enabled.

5.2. Create Application Control profile

After making sure that the Application Control license is activated, to use the feature we need to create an Application Control profile.

The Application Control profile is where we can optionally add or remove custom categories and applications to the list of applications that we want to block.

To create an Application Control profile, we go to Security Profiles > Application Control and click Create New.

First we need to give it a name; here we will name it block-app.

In the Categories section we will have a list of the application categories that Fortinet has classified.

As described in the scenario above, we will block access to game-related applications.

In the Game category, we click on the down arrow icon and select Block to prevent access to game-related applications in this category.

In addition, you can see which applications are included in the Game category by clicking the down arrow and selecting View Signatures.

The second requirement is to prevent access to the Facebook application. In the same Application Control profile block-app, scroll down to the Application and Filter Overrides section.

Then click Create New and fill in the following parameters:

  • Type: select Application
  • Action: select Block
  • Search: type facebook.
  • Application Signature: choose Facebook application and then click Add Selected.
  • Click OK.

We will then see that the Facebook application has been added to the table at Application and Filter Overrides.

After both requirements of the scenario have been configured, we click OK to save the Application Control profile.

5.3. Assign Application Control profile to policy

After we have created the Application Control profile, we need to add it to the policy that allows users in the internal network to access the internet.

To add it, we go to Policy & Objects > Firewall Policy and double-click on the policy that allows internet access to edit it.

We scroll down to the Security Profiles section, turn on the switch at Application Control to enable this feature for the policy, and then select the Application Control profile block-app that we created earlier.

Then press OK to save.
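
The profile only filters traffic that matches a policy it is attached to, so it is worth confirming that no internet-bound policy was missed. The script below is an added example, not part of the original article or of Fortinet's tooling: it reads the firewall policy section of a configuration backup and lists accept policies towards wan1 that do not reference block-app. The policy IDs and policy names in the sample are constructed; block-app, internal3 and wan1 are the names used above.

```python
import re

# Constructed sample of the "config firewall policy" section of a FortiGate
# configuration backup. Policy IDs and names are made up for illustration.
SAMPLE_BACKUP = """\
config firewall policy
    edit 1
        set name "lan-to-internet"
        set srcintf "internal3"
        set dstintf "wan1"
        set action accept
        set utm-status enable
        set application-list "block-app"
    next
    edit 2
        set name "printers-to-internet"
        set srcintf "internal3"
        set dstintf "wan1"
        set action accept
    next
end
"""

def parse_policies(backup):
    """Return {policy_id: {setting: raw value}} from the firewall policy section."""
    section = re.search(r"^config firewall policy\n(.*?)^end$", backup, re.S | re.M)
    policies = {}
    if section:
        for pid, body in re.findall(r"^[ \t]+edit (\d+)\n(.*?)^[ \t]+next$",
                                    section.group(1), re.S | re.M):
            settings = re.findall(r"^[ \t]+set (\S+) (.+)$", body, re.M)
            policies[int(pid)] = {key: value.strip() for key, value in settings}
    return policies

def policies_missing_profile(backup, profile="block-app", dstintf="wan1"):
    """Return (id, name) of accept policies towards dstintf without the profile."""
    missing = []
    for pid, cfg in sorted(parse_policies(backup).items()):
        to_wan = f'"{dstintf}"' in cfg.get("dstintf", "")
        has_profile = cfg.get("application-list") == f'"{profile}"'
        if cfg.get("action") == "accept" and to_wan and not has_profile:
            missing.append((pid, cfg.get("name", "").strip('"')))
    return missing

if __name__ == "__main__":
    for pid, name in policies_missing_profile(SAMPLE_BACKUP):
        print(f"policy {pid} ({name}) reaches wan1 without block-app")
```

Any policy the script reports still lets its users reach the blocked applications, because Application Control is applied per policy.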
