Description
This article describes how to block NordVPN using a custom application signature in FortiGate. It provides a solution for cases where NordVPN is not being blocked by standard application control profiles.
Scope
FortiGate.
Solution
- Create a Custom Signature.
- Go to Security Profiles -> Application Control -> Custom Signatures -> Create New.
- Define the signature with the following parameters:
F-SBID( --name 'NordVPN.Custom';--protocol tcp;--service SSL;--app_cat 6;--weight 15;--pattern nord;--context host;--no_case;--pcre /nord(vpn|sec|account|auth)\x2ecom/i;)
-
- Apply the Custom Signature in an Application Control Profile:
- Go to Security Profiles -> Application Control.
- Select the desired profile and add the custom signature.
- Ensure the action for the signature is set to Block.
- CLI configuration example:
config application list
edit "block-nordvpn"
config entries
edit 1
set application "NordVPN.Custom"
set action block
next
end
- Attach the Application Control Profile to a Firewall Policy:
- Select the firewall policy that handles the relevant traffic.
- Enable the application control profile for the policy.
- For encrypted VPN traffic, enable SSL Deep Inspection to ensure detection.
- CLI configuration example:
config firewall ssl-ssh-profile
edit "deep-inspection" <----- Or clone and customize as needed.
set ssl-inspection enable
next
end
Apply it to the policy:
config firewall policy
edit <policy-id> <----- ID of the relevant outbound policy.
set application-list "block-nordvpn"
set ssl-ssh-profile "deep-inspection"
next
end
- Verify Blocking.
- Attempt to establish a NordVPN connection from a client machine.
- Monitor logs or packet captures to confirm that the VPN traffic is blocked.
