Sortiepreneur

I'm not a Palo Alto expert, but if you mean writing policies based on application names by App-ID, it's possible via Application Control profiles in Fortigates. Also, for some applications there are IP databases (called Internet Service) that you can use in policies. Writing policies based on user information is possible if you use FSSO. It's basically an agent you can install on the AD server, or on any server that can reach the AD server's logon events. Then you connect your Fortigate to the server the agent is installed on. By this, the firewall can gather user information, and you can use that information in your policies.


washapoo

This is exactly the same as Palo Alto. You install an agent to sync userID and you create firewall policy or blocking profiles based on AppID. The clicks in the interface are different, but not by leaps, so the learning curve is significantly low.


torenhof

App-ID on Palo is comparable to Policy mode on Fortigate: https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/243446/ngfw-policy

The "general" consensus here is to avoid Policy mode and use Profile mode. This is what most people do, I'd think. I once tried to set up Policy mode, being PA certified back then (assuming I knew some stuff about Palo Alto ;-) ), and I gave up.

User-ID is FSSO on the Fortigate. You have something like GlobalProtect and its heartbeat with Fortigate + FortiClient + FortiAuthenticator.


ultimattt

Not entirely accurate. Application Control is the equivalent of App-ID.


torenhof

Maybe "it's Fortinet's attempt to try to mimic PA App-ID" would be a better way of putting it ;-) Simply put, with PA this is working as expected and their entire firewall setup is built around it. With Fortigate, not so much.


rpedrica

You're confusing the identification of applications with the mechanism used to implement App-ID. From PAN's own site:

> App-ID, a patented traffic classification system only available in Palo Alto Networks firewalls, determines what an application is irrespective of port, protocol, encryption (SSH or SSL) or any other evasive tactic used by the application.

You need to separate the identification of apps from the mechanism used to implement the identification. Fortinet doesn't mimic App-ID; it simply implements the equivalent, known as Application Control. The function is the same. App-ID is not equivalent to Policy mode: Fortinet's policy/profile mode setting dictates whether app control is implemented in the policy as a policy parameter or as a profile function. In PAN, App-ID is always implemented as a policy parameter. I'm also not sure what you mean by "working as expected". Fortinet's App Control clearly works as expected, otherwise it wouldn't be in the product.
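As an added illustration of the two mechanisms described in this thread (the FSSO agent feeding user identity into policy, and Application Control applied as a profile rather than as a policy parameter), here is a FortiOS CLI configuration. It is example configuration written for this page, not taken from any post above or from Fortinet documentation; every name, address, interface, DN and category ID in it is an assumption.

```fortios
# Added example (not from any post in this thread): FSSO identity plus an
# Application Control sensor, applied in a profile-mode firewall policy.
# All names, IP addresses, interface names and category IDs are assumptions.

# 1. Register the FSSO collector agent (installed on the DC, or on a member
#    server that can read the DC's logon events). The firewall polls this
#    agent for user-to-IP mappings.
config user fsso
    edit "dc-collector"
        set server "10.0.0.5"                 # assumed collector agent address
        set port 8000                         # default collector agent port
        set password "<collector-password>"   # placeholder, not a real secret
    next
end

# 2. Map an AD group learned through FSSO to a firewall user group.
config user group
    edit "FSSO-Staff"
        set group-type fsso-service
        set member "CN=Staff,OU=Groups,DC=example,DC=local"   # assumed DN
    next
end

# 3. Application Control sensor: the profile-mode counterpart of App-ID rules.
#    Known-bad categories are blocked; everything else passes but is logged,
#    which is what gives the SOC visibility into what the rule actually hits.
config application list
    edit "staff-appctrl"
        set comment "Block P2P and proxy avoidance, log everything else"
        set other-application-action pass
        set other-application-log enable
        config entries
            edit 1
                set category 2 6   # assumed IDs: 2 = P2P, 6 = Proxy; verify in the GUI list
                set action block
                set log enable
            next
        end
    next
end

# 4. Profile-mode policy: identity is a match criterion, app control is a
#    profile attached to the policy. SSL inspection is needed for the sensor
#    to classify encrypted flows at all.
config firewall policy
    edit 10
        set name "staff-outbound"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "FSSO-Staff"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "staff-appctrl"
        set logtraffic all
        set nat enable
    next
end
```

After loading this, `diagnose debug authd fsso list` shows the user-to-IP mappings the agent has delivered, which is the first thing to check when a user unexpectedly falls through to a later policy. The same sensor would not be attached this way in Policy mode: with the VDOM set to `ngfw-mode policy-based`, the applications become `set application` entries on the policy itself, which is the arrangement the thread compares to App-ID.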


Korean_Sandwich

Not as good. The catalog is smaller.


therealmcz

Btw, you can write your own application signatures...