Network Protocol Enforcement, a feature within the Application Control profile, determines the action for traffic on standard ports when no specific application signature is matched. If peer-to-peer traffic on its known port is not identified by a signature, this setting acts as a fallback. If protocol enforcement for P2P is not configured to block, the FortiGate may permit the traffic based on the firewall policy's allowed service/port, thus bypassing the intended category block. This is a common reason for application control rules failing to block traffic that uses well-known ports.

A. FortiGuard category ratings classify applications. The issue described is a failure to enforce a block action, not an incorrect application classification.

B. Application and Filter Overrides are used to change the action for specific, named applications, whereas the problem described affects a general category of traffic.

D. Replacement Messages are displayed for traffic that has already been successfully blocked; they do not influence the block or allow decision itself.

1. FortiOS 7.6.0 Administration Guide

Security Profiles > Application Control > Protocol enforcement. The guide states

"You can configure protocol enforcement to block traffic for specific protocols that use standard destination ports

even if the traffic does not match any application signatures." This section details how to configure the setting to block protocols like P2P that are not identified by a signature but are using their standard ports.

2. Fortinet Certified Professional - Network Security 7.6 Study Guide

Chapter: Application Control. The study guide explains that protocol enforcement is a necessary check when traffic on well-known ports is bypassing application control rules. It clarifies that this feature provides a default action for traffic on standard ports that the application signature engine fails to identify.