When network performance is your priority, or you’ve determined that FortiGate’s Application Control engine is no longer required for a particular policy or for your entire deployment, you’ll want a clear, repeatable process for turning it off. In this deep-dive, we’ll cover:

  1. What “closing” Application Control means
  2. GUI-driven steps to disable it globally or per-policy
  3. CLI-driven commands for scripting or automation
  4. Using automation tools (e.g. Ansible)
  5. Best practices & troubleshooting

Whether you’re a network engineer seeking to optimize throughput or a security architect refining your policies, this guide will ensure you can disable Application Control cleanly and confidently.

1. What Does “Closing” Application Control Mean?

FortiGate’s Application Control inspects traffic using signature and behavioral analysis to identify—and optionally block or shape—thousands of applications (YouTube, BitTorrent, IM clients, etc.). Disabling it can take one of two forms:

  • Global disable of the Application Control engine across all policies (effectively removing the CPU-intensive inspection).
  • Policy-level disable, where you leave the engine active but remove it from specific firewall policies.

In both cases, clients still connect as usual; traffic simply bypasses the DPI-based application signatures.

2. GUI-Based Disabling

2.1 Remove Application Control Profiles from Policies

  1. Log in to the FortiGate GUI (https://<firewall-ip>).
  2. Navigate to Policy & Objects → IPv4 Policy (or IPv6 Policy).
  3. For each policy you wish to “close”:
    • Click Edit, scroll to the Security Profiles section.
    • Under Application Control, switch the dropdown from your active profile to (None).
    • If you’re not using other UTM features (IPS, Web Filter), set Security Profiles altogether to Off.
  4. Click OK and repeat for all applicable policies.

This approach leaves the Application Control feature fully intact on the device (you can re-enable it at any time) but ensures that sessions matching those policies do not undergo DPI inspection.

2.2 Globally Disable the Engine

In FortiOS 7.6 and later, you can disable the Application Control DPI engine globally:

  1. Go to Security Profiles → Application Control.
  2. In the main pane, click Disable Application Control Engine at the top—this switch turns off all signature scanning across the unit.
  3. Save your changes.

Note: Not all FortiOS versions provide a single “global disable” toggle. If you do not see this option, rely on per-policy removal as above, or upgrade to a version that supports global toggling.

3. CLI-Based Disabling

For headless devices or scripted operations, the CLI commands below achieve the same outcome.

3.1 Policy-Level Removal

Remove the application-list setting from a specific policy:

config firewall policy
    edit <policy-id>
        unset application-list
        unset utm-status     # only if no other security profile (IPS, Web Filter, AV, etc.) remains on this policy
    next
end

This empties the Application Control assignment. New sessions bypass the DPI engine.
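Before running the CLI above by hand on dozens of policies, it helps to find out which policies still reference an application list and to generate the removal commands from that inventory. The following Python script is an added example and is not part of the original article or of Fortinet's tooling. It parses a constructed sample of `show firewall policy` output (the policy names, interfaces and list names are placeholders), reports every policy that still carries `application-list`, and emits the section 3.1 commands for those policies, adding `unset utm-status` only when no other security profile key remains on the policy. The set of profile key names in `OTHER_PROFILE_KEYS` is an assumption made for illustration.

```python
import re
from typing import Dict

# Other security-profile keys that can be set on a firewall policy. If any of
# these remain after application-list is removed, utm-status must stay enabled.
# These FortiOS CLI setting names are assumed here for illustration.
OTHER_PROFILE_KEYS = ("ips-sensor", "webfilter-profile", "av-profile",
                      "dnsfilter-profile", "emailfilter-profile", "dlp-sensor")

# Constructed sample of 'show firewall policy' output (not from a real device).
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "LAN-to-WAN"
        set srcintf "port2"
        set dstintf "port1"
        set utm-status enable
        set ips-sensor "default"
        set application-list "default"
    next
    edit 2
        set name "Guest-Internet"
        set srcintf "port3"
        set dstintf "port1"
    next
    edit 3
        set name "Servers"
        set srcintf "port4"
        set dstintf "port1"
        set utm-status enable
        set application-list "block-p2p"
    next
end
"""


def parse_policies(config_text: str) -> Dict[int, Dict[str, str]]:
    """Parse each 'edit <id>' stanza into {setting: value} (quotes stripped)."""
    policies: Dict[int, Dict[str, str]] = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m_edit = re.match(r"^edit (\d+)$", line)
        if m_edit:
            current = int(m_edit.group(1))
            policies[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m_set = re.match(r"^set (\S+) (.+)$", line)
        if m_set and current is not None:
            policies[current][m_set.group(1)] = m_set.group(2).strip('"')
    return policies


def policies_with_app_control(config_text: str) -> Dict[int, str]:
    """Return {policy_id: application-list name} for policies still doing app control."""
    return {pid: settings["application-list"]
            for pid, settings in parse_policies(config_text).items()
            if "application-list" in settings}


def build_removal_script(config_text: str) -> str:
    """Emit the section 3.1 CLI for every policy that references an application
    list, unsetting utm-status only when no other security profile remains."""
    lines = ["config firewall policy"]
    for pid, settings in sorted(parse_policies(config_text).items()):
        if "application-list" not in settings:
            continue  # nothing to close on this policy
        lines.append(f"    edit {pid}")
        lines.append("        unset application-list")
        if not any(key in settings for key in OTHER_PROFILE_KEYS):
            lines.append("        unset utm-status")
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    print("Policies still referencing an application list:",
          policies_with_app_control(SAMPLE_CONFIG))
    print(build_removal_script(SAMPLE_CONFIG))
```

On the sample, policy 1 keeps `utm-status` because an IPS sensor is still attached, policy 3 gets both `unset` lines, and policy 2 is skipped. Feed the script the output of `show firewall policy` from your own unit and review the generated block before pasting it into the CLI.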

3.2 Global Engine Shutdown (FortiOS 7.6+)

config system global
    set app-control-engine disable
end

If supported, this parameter stops the engine entirely. All policies, even those referencing profiles, will no longer inspect.

4. Automating with Ansible

If you manage many FortiGates or hundreds of policies, Ansible’s fortios_application_list module can toggle your profiles en masse. Here’s a snippet that disables deep application inspection—effectively “closing” Application Control:

- name: Globally disable application control features
  fortinet.fortios.fortios_application_list:
    vdom: "root"
    access_token: "{{ token }}"
    state: "present"
    application_list:
      name: "default"
      deep_app_inspection: "disable"
      control_default_network_services: "disable"
      app_replacemsg: "disable"

Setting deep_app_inspection to disable removes the deep packet inspection (and its CPU cost) from any policy that still references this profile; disabling app_replacemsg stops the replacement (block) page from being injected into matched sessions.

To remove profiles from all policies:

- name: Remove application-list from all firewall policies
  fortinet.fortios.fortios_firewall_policy:
    vdom: "root"
    access_token: "{{ token }}"
    state: "present"
    firewall_policy:
      policyid: "{{ item }}"
      application_list: ""
  loop: "{{ policy_ids }}"   # list of the policy IDs to close, supplied by the playbook (e.g. [1, 3])

This unsets application-list for every policy in a single playbook run.

5. Best Practices & Troubleshooting

  • Staged Rollout
    First disable per-policy on a staging device, validate performance and functionality, then apply to production.
  • Logging & Monitoring
    Before removal, record current Application Control log rates (Log & Report → Application Control). After disablement, confirm logs cease—this verifies the engine is truly off.
  • Fallback Planning
    Keep a named backup of your current policy configuration:
        execute backup config flash config_with_appctrl.conf
  • Session Flush
    Existing sessions may persist under the old inspection rules. To clear them:
        execute clear session all
    Note: this will interrupt all traffic briefly.
  • Version Considerations
    Not every FortiOS version includes the global engine toggle. If you require that feature, plan an upgrade path to FortiOS 7.6 or later.
  • Subscription Renewal
    Disabling Application Control does not affect your FortiGuard subscription. If you ultimately decide you no longer need Application Control at all, you may consider removing the associated subscription license—consult your Fortinet account team for that lifecycle step.
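The Logging & Monitoring and Session Flush items above both come down to one check: after the change, do any of the closed policies still produce Application Control log events? The following Python script is an added example, not part of the original article or of Fortinet's tooling. It parses FortiGate-style key=value log lines (the sample lines are constructed; device name and addresses are placeholders), counts `type="utm" subtype="app-ctrl"` events per policy for a before-window and an after-window, and lists the closed policies that are still emitting events, which is the signal that a pre-existing session is still being inspected and a session flush is needed.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List

# key=value tokens: values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample lines in FortiGate key=value log style (not captured from a
# real unit; device name, addresses and timestamps are placeholders).
BEFORE_DISABLE = [
    'date=2025-05-22 time=09:00:01 devname="FGT-LAB" type="utm" subtype="app-ctrl" vd="root" '
    'srcip=10.1.1.10 dstip=203.0.113.5 policyid=1 app="YouTube" action="pass" msg="Video/Audio: YouTube"',
    'date=2025-05-22 time=09:00:02 devname="FGT-LAB" type="utm" subtype="app-ctrl" vd="root" '
    'srcip=10.1.1.11 dstip=203.0.113.7 policyid=1 app="BitTorrent" action="block" msg="P2P: BitTorrent"',
    'date=2025-05-22 time=09:00:03 devname="FGT-LAB" type="traffic" subtype="forward" vd="root" '
    'srcip=10.1.1.12 dstip=203.0.113.9 policyid=2 action="accept"',
    'date=2025-05-22 time=09:00:04 devname="FGT-LAB" type="utm" subtype="app-ctrl" vd="root" '
    'srcip=10.1.4.20 dstip=203.0.113.5 policyid=3 app="YouTube" action="pass" msg="Video/Audio: YouTube"',
]
AFTER_DISABLE = [
    'date=2025-05-22 time=10:00:01 devname="FGT-LAB" type="traffic" subtype="forward" vd="root" '
    'srcip=10.1.1.10 dstip=203.0.113.5 policyid=1 action="accept"',
    # A session established before the change that is still being inspected.
    'date=2025-05-22 time=10:00:02 devname="FGT-LAB" type="utm" subtype="app-ctrl" vd="root" '
    'srcip=10.1.4.20 dstip=203.0.113.5 policyid=3 app="YouTube" action="pass" msg="Video/Audio: YouTube"',
]


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict, stripping the quotes on values."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def appctrl_events_per_policy(lines: Iterable[str]) -> Dict[int, int]:
    """Count Application Control events (type=utm, subtype=app-ctrl) per policy id."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get("type") == "utm" and rec.get("subtype") == "app-ctrl":
            counts[int(rec.get("policyid", "-1"))] += 1
    return dict(counts)


def still_inspecting(after_lines: Iterable[str],
                     closed_policy_ids: Iterable[int]) -> List[int]:
    """Policies that were closed but still produced app-ctrl events afterwards."""
    counts = appctrl_events_per_policy(after_lines)
    return sorted(pid for pid in closed_policy_ids if counts.get(pid, 0) > 0)


if __name__ == "__main__":
    print("Before:", appctrl_events_per_policy(BEFORE_DISABLE))
    print("After: ", appctrl_events_per_policy(AFTER_DISABLE))
    print("Closed policies still logging:", still_inspecting(AFTER_DISABLE, [1, 3]))
```

On the sample, policies 1 and 3 log before the change; afterwards only policy 3 still does, so it is the one whose lingering sessions would justify the session flush described above. With real logs, export the Application Control log for a window before and after the change and pass each to `appctrl_events_per_policy`.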

Last modified: May 22, 2025