Fortinet Forum
mhdganji
New Contributor III

Create rules for applications based on their application hash or signature

Hi,

Simply put, this is what I need to do:

 

I'd like to filter and decide about connections to a destination based on the port, the protocol and, if possible, the application. Two things are on my wish list, which I elaborate with an example:

 

1- I need to disable RDP on any port, not just 3389, which is the default.

2- I wish to limit SSH connections to a server to just those established via the Putty.exe file.

 

Any help would be appreciated.

 

Regards,

AlexC-FTNT
Staff

For both of these filters to work, you must use a policy with deep-inspection profile.

Application control can block RDP traffic:

[screenshot: AlexCFTNT_0-1649747543066.png]

But Putty and other SSH clients do not have separate signatures or hashes, so you can't differentiate them. You can either block all SSH traffic or not.


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
mhdganji
New Contributor III

Hi,

 

Thanks for the answer. About the SSH thing, is that a general rule, or does it just refer to Putty and SSH? For instance, is there any RDP client software, other than mstsc.exe, that can be used to remote desktop to a Windows system, so we can make the server accept RDP connections only from that app (and so block general attacks on the mstsc.exe RDP client)?

And if yes, is there any chance to separate the traffic produced by these clients and block one of them?

 

Regards,

mhdganji
New Contributor III

Is it Putty and the SSH protocol that you're saying have no signature? What I'm trying to get at is: do all SSH clients have no specific pattern, and why? Does this apply to, hmm, let's say, all RDP clients too?

 

Yurisk
Valued Contributor

Fortigate IPS/AppControl controls applications mostly by protocol, rarely additionally by the app name. If you can come up with a traffic pattern unique to Putty, then you can create a custom IPS/AppControl signature and use it to block this traffic.

 

FGT blocks RDP as a protocol, so if it is blocked by policy it will be blocked on any port, depending on the protocol settings (set to Any Port); no need to reinvent the wheel here.

Yuri
https://yurisk.info/ blog: All things Fortinet, no ads.


All opinions are mine only.
mhdganji
New Contributor III

How can I find if Putty (or any app) has a specific pattern?

Yurisk
Valued Contributor

In theory you can run the packet sniffer on the Fortigate while connecting with Putty and look at the hexdump of the capture in Wireshark, in the hope of finding some strings/values/etc. specific to Putty. There is no guarantee that you will find them, of course, but it may be worth a try.

Yuri
https://yurisk.info/ blog: All things Fortinet, no ads.


All opinions are mine only.
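As an added example (not from the thread or from Fortinet), the kind of client-specific string the capture approach above would turn up: an SSH client announces itself in the cleartext identification line defined by RFC 4253 ("SSH-2.0-softwareversion"), and PuTTY sends "SSH-2.0-PuTTY_Release_<version>". The script parses that line from the first client payload and classifies the client family; the sample payloads are constructed. Because the string is chosen by the client, treat it as an inventory and triage aid rather than an enforcement boundary.

```python
import re
from typing import Optional

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# The identification line is the first line in the stream that starts with "SSH-".
_ID_LINE = re.compile(
    rb"^SSH-(?P<proto>[0-9.]+)-(?P<software>[^ \r\n]+)(?: (?P<comments>[^\r\n]*))?\r?\n",
    re.MULTILINE,
)

# Constructed sample payloads: the first bytes a client sends after the TCP handshake.
SAMPLE_PAYLOADS = {
    "putty": b"SSH-2.0-PuTTY_Release_0.78\r\n",
    "openssh": b"SSH-2.0-OpenSSH_9.3\r\n",
    "with_preamble": b"some other line first\r\nSSH-2.0-PuTTY_Release_0.70\r\n",
    "not_ssh": b"GET / HTTP/1.1\r\n\r\n",
}


def parse_ssh_banner(payload: bytes) -> Optional[dict]:
    """Return proto/software/comments of the first SSH identification line, or None if absent."""
    m = _ID_LINE.search(payload)
    if not m:
        return None
    return {k: (v.decode("ascii", "replace") if v else "") for k, v in m.groupdict().items()}


def client_family(payload: bytes) -> str:
    """Classify the client from its identification line (self-reported, so advisory only)."""
    banner = parse_ssh_banner(payload)
    if banner is None:
        return "not-ssh"
    software = banner["software"].lower()
    if software.startswith("putty"):
        return "putty"
    if software.startswith("openssh"):
        return "openssh"
    return "other"


if __name__ == "__main__":
    for name, payload in SAMPLE_PAYLOADS.items():
        print(f"{name:14s} -> {client_family(payload):8s} {parse_ssh_banner(payload)}")
```

Run against real captures by feeding the script the client-to-server bytes of each SSH session; the software field is what a custom signature would have to match on.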