FortiGate
sjoshi
Staff
Article Id 220170
Description

 

This article describes how to block an end user from using third-party VPN services.

 

Scope

 

FortiGate.

 

 

To block third-party VPNs, set the category 'Proxy' and the signatures 'IKE' and 'ISAKMP' to Block in application control; this blocks most VPNs.

The PPTP and L2TP signatures fall under the Proxy category, so blocking that category also covers VPNs using those protocols. Ensure that deep inspection is used in the firewall policy.

 

The configuration required on the FortiGate is as follows:

  1. Firewall Policy.

From the GUI: (screenshot)

 

From the CLI:

config firewall policy
    edit 1
        set name "Internet-Access"
        set uuid 6759f40a-1672-51ed-ecd6-6344b9113347
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set application-list "default"
        set logtraffic all
        set nat enable
    next
end

 

  2. Application control profile: (screenshot)

  • If the VPN app changes frequently, the way it connects may be categorized as 'Unknown Applications'; in those cases, this category should also be blocked.

 

  3. SSL inspection considerations:
  • Some VPNs use ports other than the default ones. For the FortiGate to be able to inspect traffic on those arbitrary ports, 'Inspect all ports' should be enabled.
  • Enabling the following features helps ensure that deep inspection is effectively applied to all connections:
    • Enforce SSL cipher compliance.
    • Enforce SSL negotiation compliance.

 


 

  • The built-in certificate-inspection profile cannot be edited. To apply the above settings, clone it and then customize the copy.

 

  4. Create a rule at the top of the policy to block traffic to a known Internet Service Database (ISDB) entry (optional):


Note:

There may be cases where the firewall policy inspection-mode needs to be set to proxy-based. It is best to run preliminary tests in a test policy with a specific source address before applying the change to the production firewall policy.
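One way to carry out the preliminary test recommended above is to review the app-ctrl UTM logs of the test policy and look for VPN traffic that still passes. The following Python script is an added example, not part of this article or of FortiOS; the log lines are constructed samples in FortiGate's key=value log format, and the category and signature names it checks are the ones named in this article ('Proxy', 'IKE', 'ISAKMP' and, optionally, 'Unknown Applications').

```python
import re
from collections import Counter

# Constructed sample app-ctrl log lines (not captured from a real device).
# Field names follow FortiGate's key=value format; values may be quoted.
SAMPLE_LOGS = """\
date=2025-02-04 time=11:37:01 type="utm" subtype="app-ctrl" level="warning" srcip=10.0.2.15 dstip=203.0.113.10 policyid=1 app="NordVPN" appcat="Proxy" action="block"
date=2025-02-04 time=11:37:05 type="utm" subtype="app-ctrl" level="warning" srcip=10.0.2.15 dstip=203.0.113.11 policyid=1 app="IKE" appcat="Network.Service" action="block"
date=2025-02-04 time=11:37:09 type="utm" subtype="app-ctrl" level="information" srcip=10.0.2.22 dstip=198.51.100.5 policyid=1 app="HTTPS.BROWSER" appcat="Web.Client" action="pass"
date=2025-02-04 time=11:37:12 type="utm" subtype="app-ctrl" level="warning" srcip=10.0.2.31 dstip=203.0.113.12 policyid=1 app="ISAKMP" appcat="Network.Service" action="pass"
date=2025-02-04 time=11:37:15 type="utm" subtype="webfilter" level="notice" srcip=10.0.2.31 dstip=203.0.113.13 policyid=1 action="passthrough"
date=2025-02-04 time=11:37:18 type="utm" subtype="app-ctrl" level="warning" srcip=10.0.2.31 dstip=203.0.113.14 policyid=1 app="unknown" appcat="Unknown Applications" action="pass"
"""

# key=value pairs; the value is either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# What the article's profile is expected to block.
BLOCKED_CATEGORIES = {"Proxy", "Unknown Applications"}
BLOCKED_SIGNATURES = {"IKE", "ISAKMP"}


def parse_line(line):
    """Turn one FortiGate log line into a dict of its key=value fields."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def should_be_blocked(event):
    """True if the event matches the category or signatures the profile blocks."""
    return (event.get("appcat") in BLOCKED_CATEGORIES
            or event.get("app") in BLOCKED_SIGNATURES)


def audit(log_text):
    """Count app-ctrl events per (appcat, action) and collect the ones that
    should have been blocked but were not, i.e. gaps in the test policy."""
    summary = Counter()
    gaps = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event.get("subtype") != "app-ctrl":
            continue  # only application control verdicts are of interest here
        summary[(event.get("appcat"), event.get("action"))] += 1
        if should_be_blocked(event) and event.get("action") != "block":
            gaps.append(event)
    return summary, gaps


if __name__ == "__main__":
    counts, missed = audit(SAMPLE_LOGS)
    for (cat, act), n in sorted(counts.items()):
        print(f"{cat:22} {act:6} {n}")
    for ev in missed:
        print(f"NOT BLOCKED: {ev['srcip']} -> {ev['dstip']} app={ev['app']} appcat={ev['appcat']}")
```

Run the script against the test policy's exported app-ctrl logs instead of the constructed samples; every line it prints as NOT BLOCKED points to a signature or category the profile does not yet cover.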

 

Related links:

For an explanation of the reasons for using deep inspection, refer to the FortiGate documentation's 'Deep inspection' section.

How to import CA certificates into Android devices: Technical Tip: How to import FortiGate CA certificates into Android devices

Technical Tip: Extended logging for SSL traffic

 

If any of the VPN signatures are not available in the application control signature list, it is also possible to use a custom application signature. How to implement a custom application signature:
Creating IPS and application control signatures
Blocking applications with custom signatures - FortiGate administration guide

 
Comments
laltuzar
Staff

Excellent post. I was trying to block a VPN (NordVPN) that some clients were using on their phones to work around the web filter I had configured. After following the instructions from this post, the issue was resolved. Thanks a lot!