Created on 09-25-2024 11:24 PM
Edited on 07-09-2025 05:02 AM
By Anthony_E
Description
This article describes the procedure to block X-VPN.
Scope
FortiGate v7.0, v7.2, v7.4.
Solution
Proxy applications such as X-VPN are constantly being updated, so FortiGate blocking is a 'best effort' practice: a 100% blocking success rate is not guaranteed, because of factors such as new traffic patterns, newly registered domains, and new proxy server IPs.
Application updates may allow the application to bypass FortiGate detection mechanisms; the FortiGuard team works to meet each new update with a new signature release as quickly as possible to block these connection attempts. Update the FortiGuard databases from the CLI before proceeding:
execute update-now
After confirming that the FortiGate databases are updated, configure a Web Filter profile in proxy-based inspection mode (category-based actions can be left at their defaults) under Security Profiles -> Web Filter.
The following five sample custom IPS signatures can be used:
F-SBID( --name "XVPN.TLS1.3.Custom1"; --protocol tcp; --app_cat 6; --weight 15; --service SSL; --flow from_server; --tag test,Tag.PotatoVPN.TLS.ClientHello; --pattern "|160303|"; --context packet; --within 3,context; --pattern "|02|"; --context packet; --distance 2; --within 1; --pattern "|0303|"; --context packet; --distance 3; --within 2; --pattern "|20|"; --context packet; --distance 32; --within 1; --pattern "|14030300010117030313|"; --context packet; --within 300; --depend-on 38941; --depend-on 16074; --depend-on 15896; --depend-on 42533; --scan-range 2k,all; )
F-SBID( --name "X-VPN.NTP.Client.Custom"; --protocol udp; --flow from_client; --dst_port 123; --udp[8] & 0x38 >= 0x08; --udp[8] & 0x38 <= 0x20; --udp.length & 3 = 0; --weight 20; --app_cat 6; )
F-SBID( --name "X-VPN.NTP.Server.Custom"; --protocol udp; --flow from_server; --src_port 123; --udp[8] & 0x38 >= 0x08; --udp[8] & 0x38 <= 0x20; --udp.length & 3 = 0; --weight 20; --app_cat 6; )
F-SBID( --name "XVPN.api.ssl.custom"; --protocol tcp; --app_cat 6; --weight 20; --service SSL; --pattern "tbunet.com"; --context host; --no_case; )
F-SBID( --name "XVPN.api.http.custom"; --protocol tcp; --app_cat 6; --weight 20; --service HTTP; --parsed_type HTTP_POST; --pattern "POST /ClientApi "; --context uri; --no_case; --within 16,context; )
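As an added example (not from the article or from Fortinet), the following Python models the chained --pattern/--distance/--within checks of the XVPN.TLS1.3.Custom1 signature above and runs them over a constructed TLS 1.3 ServerHello flight. It assumes Snort-style offset semantics for --distance and --within, and every packet byte is a placeholder.

```python
from typing import List, Tuple

# Chained patterns of XVPN.TLS1.3.Custom1 as (pattern, distance, within).
# The first entry is "--within 3,context": anchored to the start of the packet.
XVPN_TLS13_CHAIN: List[Tuple[bytes, int, int]] = [
    (bytes.fromhex("160303"), 0, 3),     # TLS record header (handshake, version 0x0303)
    (bytes.fromhex("02"), 2, 1),         # handshake type 2 = ServerHello
    (bytes.fromhex("0303"), 3, 2),       # legacy_version inside the ServerHello
    (bytes.fromhex("20"), 32, 1),        # 32-byte legacy_session_id_echo after the random
    (bytes.fromhex("14030300010117030313"), 0, 300),  # CCS record, then AppData record 0x13xx
]

def match_chain(data: bytes, chain: List[Tuple[bytes, int, int]] = XVPN_TLS13_CHAIN) -> bool:
    """Snort-style semantics (assumption): each pattern must start at or after
    previous_end + distance and end no later than that point + within."""
    prev_end = 0
    for pattern, distance, within in chain:
        start = prev_end + distance
        idx = data[start:start + within].find(pattern)
        if idx < 0:
            return False
        prev_end = start + idx + len(pattern)
    return True

def build_server_flight(session_id_len: int = 32, with_ccs: bool = True) -> bytes:
    """Constructed TLS 1.3 server-side flight made of placeholder bytes (no real crypto)."""
    random = b"\x11" * 32
    session_id = b"\x22" * session_id_len
    cipher, compression = b"\x13\x01", b"\x00"    # TLS_AES_128_GCM_SHA256, null compression
    # supported_versions selecting TLS 1.3, then a key_share placeholder (x25519, 32 bytes)
    exts = b"\x00\x2b\x00\x02\x03\x04" + b"\x00\x33\x00\x24\x00\x1d\x00\x20" + b"\x33" * 32
    body = (b"\x03\x03" + random + bytes([session_id_len]) + session_id + cipher
            + compression + len(exts).to_bytes(2, "big") + exts)
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    flight = b"\x16\x03\x03" + len(handshake).to_bytes(2, "big") + handshake
    if with_ccs:
        flight += b"\x14\x03\x03\x00\x01\x01"                  # ChangeCipherSpec (middlebox compat)
        flight += b"\x17\x03\x03\x13\x13" + b"\x44" * 0x1313   # encrypted handshake sent as AppData
    return flight

if __name__ == "__main__":
    print("TLS 1.3 style ServerHello flight matches:", match_chain(build_server_flight()))
    print("ServerHello with empty session id matches:", match_chain(build_server_flight(0)))
    print("ServerHello without CCS matches:", match_chain(build_server_flight(with_ccs=False)))
```

The two negative cases show why the signature carries only --weight 15 and several --depend-on entries: on its own it describes a generic TLS 1.3 server flight shape, so the other signatures must also fire before the application is identified.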
Configure the following parameters:
Copyright 2025 Fortinet, Inc. All Rights Reserved.