mhdganji
Explorer III
April 11, 2022
Solved

Create rules for applications based on their application hash or signature

  • April 11, 2022
  • 3 replies
  • 7261 views

Hi,

Simply, this is what I need to do:

I would like to filter and decide about connections to a destination based on the port, protocol and, if possible, the application. There are two things on my wish list, which I elaborate with an example:

1- I need to disable RDP on any port, not just 3389, which is the default.

2- I wish to limit SSH connections to a server to just those that are established via the Putty.exe file.

Any help would be appreciated.

Regards,


3 replies

AlexC-FTNT
Staff
April 12, 2022

For both of these filters to work, you must use a policy with deep-inspection profile.

Application control can block RDP traffic:

[screenshot omitted: application control signature for RDP]

But Putty or other SSH clients do not have separate signatures or hashes, so you can't differentiate them. You can either block all SSH traffic or not.

mhdganji (Author)
Explorer III
April 12, 2022

Hi,

Thanks for the answer. About the SSH thing, is that a general rule, or does it just refer to Putty and SSH? For instance, is there any RDP client software other than mstsc.exe that can be used to remote desktop to a Windows system, so we can make the server enable RDP connections only from that app (and so block general attacks on the mstsc.exe RDP client)?

And if yes, is there any chance to separate the traffic produced by these clients and block one of them?

Regards,

Yurisk (best answer)
SuperUser
April 12, 2022

Fortigate IPS/AppControl controls applications mostly by protocol, rarely additionally by the app name. If you can come up with a traffic pattern unique to Putty, then you can create a custom IPS/AppControl signature and use it to block this traffic.

FGT blocks RDP as a protocol, so it will block it on any port if it is blocked by policy, depending on the protocol settings (set to Any Port); no need to reinvent the wheel here.

mhdganji (Author)
Explorer III
April 14, 2022

How can I find if Putty (or any app) has a specific pattern?

Yurisk
SuperUser
April 21, 2022

In theory you can run the packet sniffer on the Fortigate while connecting with Putty and look at the hexdump of the capture in Wireshark in the hope of finding some strings/values/etc. specific to Putty. There is no guarantee that you will find them, of course, but it may be worth a try.
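As an added illustration of what the thread is circling around (this is example code written for this page, not FortiOS code, not a FortiGate signature, and not something any poster supplied): the two checks the question asks for, expressed as payload inspection instead of port matching. RDP is recognised by its protocol fingerprint, the TPKT-framed X.224 Connection Request that every RDP client sends first, so the TCP port is irrelevant, which is what "blocks RDP as a protocol on any port" means. The SSH client is told apart by the identification string every client sends in cleartext before key exchange (RFC 4253 section 4.2): PuTTY sends "SSH-2.0-PuTTY_Release_<version>", OpenSSH sends "SSH-2.0-OpenSSH_<version>". That banner is the kind of "Putty-specific string" the last reply suggests hunting for in a capture. All packet bytes below are constructed by hand for the example; the function names are the example's own.

```python
"""Added example (not FortiOS code, not from the thread): RDP detection on any
port, and SSH client identification from the cleartext banner.

Sample packets are constructed by hand for this example."""
import re
from typing import Optional

# Constructed sample: the first client PDU of an RDP session, on whatever port.
RDP_CR = (
    b"\x03\x00\x00\x2b"                  # TPKT: version 3, reserved 0, length 43
    b"\x26\xe0\x00\x00\x00\x00\x00"      # X.224: LI=38, CR TPDU (0xE0), dst/src ref, class 0
    b"Cookie: mstshash=alice\r\n"        # routing cookie carrying the login name
    b"\x01\x00\x08\x00\x03\x00\x00\x00"  # RDP_NEG_REQ: type 1, flags 0, len 8, TLS|CredSSP
)
# Constructed samples: SSH client identification strings (sent before key exchange).
PUTTY_BANNER = b"SSH-2.0-PuTTY_Release_0.78\r\n"
OPENSSH_BANNER = b"SSH-2.0-OpenSSH_9.3\r\n"

SSH_ID_RE = re.compile(rb"^SSH-(?P<proto>[0-9.]+)-(?P<software>[^\s]+)")
RDP_COOKIE_RE = re.compile(rb"Cookie: mstshash=(?P<user>[^\r\n]*)\r\n")


def is_rdp_connection_request(payload: bytes) -> bool:
    """True if payload starts with a TPKT-framed X.224 Connection Request, the
    first thing every RDP client sends (before TLS/CredSSP). The TCP port is
    deliberately not an input: matching the protocol, not the port, is what
    catches RDP moved off 3389."""
    if len(payload) < 11 or payload[0] != 0x03 or payload[1] != 0x00:
        return False
    tpkt_len = int.from_bytes(payload[2:4], "big")
    if tpkt_len < 11 or tpkt_len > len(payload):   # TPKT length covers the whole PDU
        return False
    li, code = payload[4], payload[5]
    # CR TPDU code is 0xE in the high nibble; LI counts the remaining PDU bytes.
    return (code & 0xF0) == 0xE0 and li == tpkt_len - 5


def rdp_cookie_user(payload: bytes) -> Optional[str]:
    """Login name from the mstshash cookie, if the client sent one."""
    m = RDP_COOKIE_RE.search(payload)
    return m.group("user").decode("ascii", "replace") if m else None


def ssh_client_software(payload: bytes) -> Optional[str]:
    """softwareversion field of an SSH identification string, or None."""
    m = SSH_ID_RE.match(payload)
    return m.group("software").decode("ascii", "replace") if m else None


def classify(payload: bytes) -> str:
    """Protocol/app label in the spirit of an application-control signature."""
    if is_rdp_connection_request(payload):
        return "rdp"
    sw = ssh_client_software(payload)
    if sw is None:
        return "unknown"
    return "ssh-putty" if sw.lower().startswith("putty") else "ssh-other"


def decide(payload: bytes) -> str:
    """The policy the question describes: deny RDP on any port, allow SSH only
    from PuTTY, leave everything else to the rest of the rule base."""
    kind = classify(payload)
    if kind in ("rdp", "ssh-other"):
        return "deny"
    if kind == "ssh-putty":
        return "allow"
    return "no-match"


if __name__ == "__main__":
    samples = [("rdp", RDP_CR), ("putty", PUTTY_BANNER),
               ("openssh", OPENSSH_BANNER), ("http", b"GET / HTTP/1.1\r\n")]
    for name, pkt in samples:
        print(f"{name:8} {classify(pkt):10} -> {decide(pkt)}")
```

Two caveats worth keeping in mind before turning something like this into a custom signature. The RDP fingerprint is robust: the X.224 Connection Request is sent in the clear before any TLS or CredSSP negotiation, so moving the listener to another port does not hide it. The SSH banner is not: it is an honour-system string that any client (or a patched PuTTY, or a tool pretending to be PuTTY) can set to anything, so a "PuTTY only" rule built on it distinguishes well-behaved software, not an attacker. How to wrap such a pattern into a FortiGate custom IPS/application signature is not shown here.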