Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sjoshi
Staff
Staff

Created on ‎08-07-2022 10:14 PM Edited on ‎02-05-2025 06:37 AM By Moderator

Article Id 220170

Technical Tip: How to block third party VPN

Description

 

This article describes how to block an end user from using third-party VPN services.

 

Scope

 

FortiOs.

 

Solution

 

To block the third-party VPNs, set the category 'Proxy' and the signatures, 'IKE' and 'ISAKMP' to Block in application control, this should block most VPNs.

 

PPTP, L2TP signature falls under proxy category so it will cover VPN using those protocols.

Also make sure to use deep inspection in the firewall policy.

 

Find the configuration to be done on the FortiGate:

 

 

  1. Firewall Policy.

 

 

From the GUI:

 

sjoshi_0-1659895520060.png

 

From the CLI:

 

config firewall policy

    edit 1

        set name "Internet-Access"

        set uuid 6759f40a-1672-51ed-ecd6-6344b9113347

        set srcintf "port2"

        set dstintf "port1"

        set action accept

        set srcaddr "all"

        set dstaddr "all"

        set schedule "always"

        set service "ALL"

        set utm-status enable

        set ssl-ssh-profile "deep-inspection"

        set application-list "default"

        set logtraffic all

        set nat enable

    next

end

 

 

  1. Application control profile:

 

 

sjoshi_1-1659895561514.png

 

  • If the VPN APP changes frequently how it connects it may be categorized as "Unknown Applications", in those cases this category should also be blocked.

 

 

  1. SSL inspection considerations:

 

  •  Some VPNs use different ports then default ones, in other for FortiGate to be able to inspect the traffic for those arbitrary ports 'Inspect all ports' should be enabled.
  • Enable the following features can help make sure the deep inspection feature will effectively be used for all connections:
    • Enforce SSL cipher compliance.
    • Enforce SSL negotiation compliance.

 

2025-02-04_11-37.png

 

 

  1. Create a top rule to block traffic to a known Internet Service Database (ISDB) - (Optional):

 

 

Related links:

For an explanation of the reasons for using deep inspection, refer to the FortiGate documentation's 'Deep inspection' section.

How to import CA certificates into Android devices: Technical Tip: How to import FortiGate CA certificates into Android devices

Technical Tip: Extended logging for SSL traffic.

 

If any of the VPN signature is not available in the application control signature list, it is then also possible to use a custom application signature. How to implement custom application signature:
Creating IPS and application control signatures
Blocking applications with custom signatures - FortiGate administration guide

21796
Suggest New Article
Article Feedback
Comments
laltuzar
Staff
Staff
‎02-05-2025 04:46 PM

Excellent post. I was trying to block a VPN (NordVPN) that some clients were using on their phones to workaround the web filter I had configured. After following the instructions from this post, issue resolved. Thanks a lot!

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.