FortiGate
sjoshi
Staff
Article Id 220170
Description

This article describes how to block end users from using third-party VPN services.

Scope

FortiOS.

Solution

To block third-party VPNs, set the category 'Proxy' and the signatures 'IKE' and 'ISAKMP' to Block in the application control profile.

That should block most, if not all, of the VPNs.

The PPTP and L2TP signatures fall under the Proxy category, so blocking that category also covers VPNs that use those protocols.

Also make sure to use deep inspection in the firewall policy.

The configuration to be done on the FortiGate is as follows:

1) Firewall Policy

From GUI:

[Screenshot: the firewall policy configured in the GUI]

From CLI:

# config firewall policy
    edit 1
        set name "Internet-Access"
        set uuid 6759f40a-1672-51ed-ecd6-6344b9113347
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set application-list "default"
        set logtraffic all
        set nat enable
    next
end

2) Application control profile:

[Screenshot: the application control profile configured in the GUI]

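The application control profile of step 2 appears above only as a screenshot. The CLI below is an added example written for this article, not the original author's output: it blocks the Proxy category and the IKE and ISAKMP signatures in the 'default' profile that the firewall policy of step 1 references, and logs the hits. Two values are assumptions: category 6 is assumed to be the FortiGuard 'Proxy' category, and <IKE_ID> and <ISAKMP_ID> are placeholders for the numeric signature IDs, which must be taken from the application signature list on the unit because the CLI takes IDs rather than names.

```text
# Added example, not part of the original article.
# Assumptions: category 6 = Proxy (verify on your unit); <IKE_ID> and
# <ISAKMP_ID> are placeholders for the numeric IDs from the signature list.
config application list
    edit "default"
        set comment "Block third-party VPN services"
        set other-application-action pass
        set other-application-log enable
        config entries
            edit 1
                set category 6
                set action block
                set log enable
            next
            edit 2
                set application <IKE_ID> <ISAKMP_ID>
                set action block
                set log enable
            next
        end
    next
end
```

The profile only takes effect on traffic that passes through a policy with 'set utm-status enable', 'set ssl-ssh-profile "deep-inspection"' and 'set application-list "default"', as shown in step 1. Because deep inspection re-signs TLS sessions, client devices need the FortiGate CA certificate installed (see the Android link below); blocked attempts are then visible in the application control log.
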
Related links:

The reason for using deep inspection:

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/122078/deep-

 

How to import CA certificates into Android devices:

https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-import-CA-certificates-into-Androi...

 

If a VPN signature is not available in the application control signature list, a custom application signature can be used instead.

How to implement a custom application signature:
https://docs.fortinet.com/document/ipsengine/3.6.0/custom-ips-and-application-control-signature-synt...
https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/233445/blocking-applications...
