Description
This article describes how to block end user to use third party VPN services.
Scope
FortiOs.
Solution
To block the third-party VPNs, set the category 'Proxy' and the signatures, 'IKE' and 'ISAKMP' to Block in application control.
That should block most, if not all the VPNs are not found.
PPTP, L2TP signature falls under proxy category so it will cover VPN using those protocols.
Also make sure to use deep inspection in the firewall policy.
Find the configuration to be done on the FortiGate:
1) Firewall Policy
From GUI:
From CLI:
# config firewall policy
edit 1
set name "Internet-Access"
set uuid 6759f40a-1672-51ed-ecd6-6344b9113347
set srcintf "port2"
set dstintf "port1"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "deep-inspection"
set application-list "default"
set logtraffic all
set nat enable
next
end
2) Application control profile:
Related links.
The reason for using deep inspection:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/122078/deep-
How to import CA certificates into Android devices:
If any of the VPN signature is not available in the application control signature list, it is then also possible to use custom application signature.
How to implement custom application signature:
https://docs.fortinet.com/document/ipsengine/3.6.0/custom-ips-and-application-control-signature-synt...
https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/233445/blocking-applications...
