Description
This article describes the procedure to block X-VPN.
Scope
FortiGate v7.0,v 7.2. v7.4.
Solution
Proxy applications such as (X-VPN) are constantly being updated and, therefore, FortiGate blocking is a 'best effort' practice, which means that a 100% blocking success rate is not guaranteed, this is due to multiple factors including new patterns, domains registered, proxy server IPs, etc.
Application updates may result in being able to bypass the FortiGate detection mechanisms, the FortiGuard team is tirelessly working to ensure that any new update is immediately met with a new signature update as well as quickly as possible to block these connection attempts.
- Ensure that FortiGate Databases are updated.
execute update-now
-
After confirming that FortiGate Databases are updated, configure a Web Filter profile in proxy mode as the next (category-based actions can be by default): Security Profiles -> Web Filter.
- Configure an application signature: Security Profiles -> Application Signatures -> Create New -> Custom Application Signatures.
See the next configuration (5 samples of custom IPS signatures):
F-SBID(--name "XVPN.TLS1.3.Custom1"; --protocol tcp; --app_cat 6; --weight 15; --service SSL; --flow from_server; --tag test,Tag.PotatoVPN.TLS.ClientHello; --pattern "|160303|"; --context packet; --within 3,context; --pattern "|02|"; --context packet; --distance 2; --within 1; --pattern "|0303|"; --context packet; --distance 3; --within 2; --pattern "|20|"; --context packet; --distance 32; --within 1; --pattern "|14030300010117030313|"; --context packet; --within 300; --depend-on 38941; --depend-on 16074; --depend-on 15896; --depend-on 42533; --scan-range 2k,all;)
F-SBID( --name "X-VPN.NTP.Client.Custom"; --protocol udp; --flow from_client; --dst_port 123; --udp[8] & 0x38 >= 0x08; --udp[8] & 0x38 <= 0x20; --udp.length & 3 = 0; --weight 20; --app_cat 6; )
F-SBID( --name "X-VPN.NTP.Server.Custom"; --protocol udp; --flow from_server; --src_port 123; --udp[8] & 0x38 >= 0x08; --udp[8] & 0x38 <= 0x20; --udp.length & 3 = 0; --weight 20; --app_cat 6; )
F-SBID( --name "XVPN.api.ssl.custom"; --protocol tcp; --app_cat 6; --weight 20; --service SSL;--pattern "tbunet.com"; --context host; --no_case; )
F-SBID( --name "XVPN.api.http.custom"; --protocol tcp; --app_cat 6; --weight 20; --service HTTP; --parsed_type HTTP_POST; --pattern "POST /ClientApi "; --context uri; --no_case; --within 16,context; )
- Configure Application Control Profile: Security Profiles -> Application Control -> Create New.
Configure the next parameters:
- Add XVPN signature.
- Add the custom signature configured previously.
- Enable the next options:
- Block applications detected on non-default ports.
- Allow and Log DNS Traffic.
- QUIC <block>.
- Replacement Messages for HTTP-based Applications.
- After configuring the Web-Filter and Application Control Profile, configure the firewall Policy.
- Configure the next options on the firewall Policy.
- Inspection Mode -> Proxy.
- Web Filter -> XVPN.
- Application Control -> XVPN.
- SSL Inspection -> Deep Inspection.
- After configuring the firewall Policy, try to connect X-VPN, as a result, the application is intermittent, connect-disconnect and finally is not possible to navigate.
