Technical Tip: Block Telegram App and Web on FortiGate FortiOS 6.4.x
Description
This article describes how to block Telegram in FortiOS 6.4.x, where neither the Telegram Desktop App nor the Web Version can be blocked by denying the Telegram Internet Service Database (ISDB) entry in the firewall policy.
This problem has been seen only in FortiOS 6.4.x and not in FortiOS 7.x.
FortiOS 6.4.x does not seem to have the correct ISDB for Telegram, even after the latest ISDB is installed manually.
Scope
Block Telegram Web and App version on FortiOS 6.4.x.
Solution
Link to check for updated IP Range: https://ipinfo.io/AS62041#block-ranges
Telegram IP range:
149.154.160.0/22
149.154.164.0/22
91.108.4.0/22
91.108.56.0/22
91.108.8.0/22
95.161.64.0/20
1) Create each of these IP ranges as an Address object: Policy & Objects -> Addresses -> Create New. Then add all of the created addresses to an Address Group.
2) Use it as a destination in the firewall DENY policy.
3) To block Telegram web effectively, use the wildcard expression *telegram* in both Web Filter and DNS Filter, and ensure both entries are set to Block.
To add the wildcard expression, 'Static URL Filter' must be enabled in the Web Filter settings and 'Static Domain Filter' in the DNS Filter settings.
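Because the ranges have to be re-checked against the AS62041 page from time to time, steps 1 and 2 can be regenerated from the CIDR list rather than retyped. The following is an added example, not part of the original article: a Python helper that emits the FortiOS CLI for the address objects, the address group and the DENY policy. The object names, the group name `Telegram-Ranges`, the policy name and the interfaces `internal` and `wan1` are assumptions to be replaced with the values on the device.

```python
import ipaddress

# Ranges as listed in this article; re-check them against the AS62041 page before use.
TELEGRAM_RANGES = [
    "149.154.160.0/22", "149.154.164.0/22", "91.108.4.0/22",
    "91.108.56.0/22", "91.108.8.0/22", "95.161.64.0/20",
]

def fortios_block_config(cidrs, group="Telegram-Ranges",
                         srcintf="internal", dstintf="wan1"):
    """Return FortiOS CLI text: one address object per CIDR, a group, a DENY policy.

    group, srcintf and dstintf are assumed names; use the ones on your device.
    """
    names, out = [], ["config firewall address"]
    for cidr in cidrs:
        # strict=True rejects entries with host bits set (e.g. 91.108.5.0/22),
        # so a mistyped range fails here instead of creating a wrong object.
        net = ipaddress.ip_network(cidr, strict=True)
        if net.version != 4:
            raise ValueError(f"IPv4 only in this example: {cidr}")
        name = f"Telegram-{net.network_address}_{net.prefixlen}"
        names.append(name)
        out += [f'    edit "{name}"',
                f"        set subnet {net.network_address} {net.netmask}",
                "    next"]
    members = " ".join(f'"{n}"' for n in names)
    out += ["end",
            "config firewall addrgrp",
            f'    edit "{group}"',
            f"        set member {members}",
            "    next",
            "end",
            "config firewall policy",
            "    edit 0",  # 0 = let FortiOS assign the next free policy ID
            '        set name "Block-Telegram"',
            f'        set srcintf "{srcintf}"',
            f'        set dstintf "{dstintf}"',
            '        set srcaddr "all"',
            f'        set dstaddr "{group}"',
            "        set action deny",
            '        set schedule "always"',
            '        set service "ALL"',
            "        set logtraffic all",
            "    next",
            "end"]
    return "\n".join(out)

if __name__ == "__main__":
    print(fortios_block_config(TELEGRAM_RANGES))
```

A policy created with `edit 0` is appended to the bottom of the policy list, so move it above the policy that currently allows the outbound traffic; otherwise the DENY is never reached.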
Note:
v5.0 up to v7.0 are out of engineering support. These commands might be different on higher versions.
Consider upgrading the firmware level on the device to a supported version (v7.2 up to v7.6) and check the firmware path and compatibility depending on the hardware: Upgrade Path Tool Table
