FortiGate
nweckel
Staff
Article Id 327935
Description: This article describes how to configure FortiGate to allow a client to send or receive TeamViewer connections.
Scope: FortiGate.
Solution

Using TeamViewer, a user can initiate a remote connection to another host by entering that host's partner ID, or can allow a remote host to connect to the local host. In both cases the TeamViewer client opens outbound sessions to the TeamViewer servers, so 'incoming' and 'outgoing' below refer to which side initiates the remote-control session, not to the direction of the packets. The Application Control signatures distinguish what the client is doing inside those sessions.

 

To allow incoming TeamViewer connections only:

In Application Control, three Application Signatures are defined for TeamViewer:

  • TeamViewer: This signature indicates an attempt to access TeamViewer.
  • TeamViewer_CallReceive: This signature indicates an attempt to receive a remote connection on TeamViewer.
  • TeamViewer_CallRequest: This signature indicates an attempt to connect to a partner ID on TeamViewer.

 

For this scenario, all categories are blocked in Application Control.

Under Application Control -> Application and Filter Overrides, setting only the TeamViewer_CallReceive signature to 'allow' (or 'monitor') does not permit the TeamViewer client to connect at all, and the client shows the following error:

 

[Image: notready.PNG, the connection error shown by the TeamViewer client]

 

The TeamViewer signature must also be set to 'allow' (or 'monitor'), because it covers the client's connection to the TeamViewer servers, without which neither direction works.

However, with both TeamViewer and TeamViewer_CallReceive set to 'allow' (or 'monitor') under Application Control -> Application and Filter Overrides, the host can receive TeamViewer connections from a remote host, but it can also initiate a remote connection to a TeamViewer partner ID.

Therefore, the TeamViewer_CallRequest signature must be explicitly blocked. Blocking every category is not enough on its own: the TeamViewer signature, once allowed, matches the remote-control session in both directions, so the outgoing direction must be denied by its own, more specific signature.

 

Below is the Application Control -> Application and Filter Overrides configuration to only allow incoming TeamViewer connections:

 

[Image: override.PNG, Application and Filter Overrides allowing incoming TeamViewer connections only]

 

Below is the Application Control configuration in the CLI.

 

config application list
    edit "TeamViewer_Incoming"
        set other-application-log enable
        set enforce-default-app-port enable
        set unknown-application-action block
        set unknown-application-log enable
        config entries
            edit 1
                set application 39632
                set action pass
            next
            edit 2
                set application 39630
            next
            edit 3
                set application 15921
                set action pass
            next
            edit 4
                set category 2 3 5 6 7 8 12 15 17 21 22 23 25 26 28 29 30 31 32 33
            next
        end
    next
end

Entries 2 and 4 carry no 'set action' line because block is the default action for an application list entry, so they block; 'set action block' can be added to make this explicit. From the actions, 39632 and 15921 are the two allowed signatures (TeamViewer and TeamViewer_CallReceive) and 39630 is TeamViewer_CallRequest, which is blocked. The profile is also strict about everything else: 'unknown-application-action block' drops traffic that matches no signature, and 'enforce-default-app-port enable' blocks an allowed application when it is seen on a port other than the one defined for its signature. Both blocks and the unknown-application match are logged, so the Application Control log can be used to confirm that outgoing connection attempts are being denied.

 

Note: The same logic can be applied to allow only connection to a TeamViewer's partner ID by configuring TeamViewer_CallRequest to 'allow' (or 'monitor') and TeamViewer_CallReceive to 'block'.

 

To allow outbound TeamViewer connections only (from LAN to WAN):

Configure the 'Application and Filter Overrides' section under the Application Control profile as shown below.

 

[Image: Teamviewer.jpg, Application and Filter Overrides allowing outbound TeamViewer connections only]