Support Forum
mhdganji
Contributor II

Create rules for applications based on signatures based on their application hash or signature

Hi,

Simply, this is what I need to do:

I would like to filter and decide on connections to a destination based on port, protocol and, if possible, the application. Two things are on my wish list, which I elaborate with an example:

 

1- I need to disable RDP on any port, not just 3389, which is the default.

2- I wish to limit SSH connections to a server to just those established via the Putty.exe file.

Any help would be appreciated.

Regards,

M. Ganji, Network & Security Expert.
1 Solution
Yurisk
Valued Contributor

Fortigate IPS/AppControl controls applications mostly by protocol, rarely additionally by the app name. If you can come up with a traffic pattern unique to Putty, then you can create a custom IPS/AppControl signature and use it to block this traffic.

RDP FGT blocks as a protocol, so it will block it if blocked by policy on any port, depending on the protocol settings (set to Any Port); no need to reinvent the wheel here.

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.

7 REPLIES
AlexC-FTNT
Staff

For both of these filters to work, you must use a policy with deep-inspection profile.

Application control can block RDP traffic:

[screenshot omitted]

But Putty and other SSH clients do not have separate signatures or hashes, so you can't differentiate them. You can either block all SSH traffic or not.


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
mhdganji

Hi,

Thanks for the answer. About the SSH thing, is that a general rule, or does it just refer to Putty and SSH? For instance, is there any RDP client software other than mstsc.exe that can be used to remote desktop to a Windows system, so we can make the server only accept RDP connections from that app (and so block general attacks on the mstsc.exe RDP client)?

And if so, is there any chance to separate the traffic produced by these clients and block one of them?


Regards,

M. Ganji, Network & Security Expert.
mhdganji

Is it Putty and the SSH protocol which you're saying have no signature? What I'm trying to get at is: do all SSH clients have no specific pattern, and why? Does this apply to, hmm, let's say all RDP clients too?

M. Ganji, Network & Security Expert.
mnoraizikram

Hello! Could you please share some signatures for the AnyDesk application for application control or IPS? Actually, I want to add this application to our NGFW USG6000V because by default it's not present in its database, and I want to block this AnyDesk application specifically. If anyone could help me in this regard, that would be highly appreciated!

mhdganji

How can I find if Putty (or any app) has a specific pattern?

M. Ganji, Network & Security Expert.
Yurisk
Valued Contributor

In theory you can run a packet sniffer on the Fortigate while connecting with Putty and look at the hexdump of the capture in Wireshark, in the hope of finding some strings/values/etc. specific to Putty. There is no guarantee that you will find them, of course, but it may be worth a try.

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
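As an added example (constructed for this thread, not code from any poster or from Fortinet), the Putty-specific value such a capture does contain is the cleartext SSH identification string every client sends before key exchange (RFC 4253, section 4.2), which PuTTY formats as `SSH-2.0-PuTTY_Release_<version>`. The parser below extracts that line from a client-to-server TCP payload and classifies the client; the sample payloads and the `ExampleClient` name are constructed.

```python
import re
from typing import Optional

# RFC 4253 s4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# The pattern is applied to one line with the trailing CR LF stripped.
ID_LINE = re.compile(
    rb"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)

# Prefix -> label. The PuTTY and OpenSSH prefixes are what those clients
# really send; matching is case-insensitive and prefix-based.
KNOWN_CLIENTS = {"putty": "putty", "openssh": "openssh"}

def parse_ssh_identification(payload: bytes) -> Optional[dict]:
    """Return {'proto', 'software', 'comments'} for the first SSH
    identification line in a raw TCP payload, or None if there is none.

    Servers may send arbitrary banner lines before the identification
    string, so scan line by line instead of anchoring at byte 0; the
    identification must precede key exchange, so a few lines suffice.
    """
    for raw in payload.split(b"\n", 20)[:20]:
        m = ID_LINE.match(raw.rstrip(b"\r"))
        if m:
            return {k: (v or b"").decode("ascii", "replace")
                    for k, v in m.groupdict().items()}
    return None

def classify_ssh_client(payload: bytes) -> str:
    """Label a client payload: 'putty', 'openssh', 'other-ssh' or 'not-ssh'."""
    ident = parse_ssh_identification(payload)
    if ident is None:
        return "not-ssh"
    software = ident["software"].lower()
    for prefix, label in KNOWN_CLIENTS.items():
        if software.startswith(prefix):
            return label
    return "other-ssh"

# Constructed sample payloads: the first client bytes of four TCP streams.
SAMPLES = {
    "putty":     b"SSH-2.0-PuTTY_Release_0.78\r\n",
    "openssh":   b"SSH-2.0-OpenSSH_9.3\r\n",
    "other-ssh": b"SSH-2.0-ExampleClient_1.0 demo-build\r\n",   # constructed name
    "not-ssh":   b"GET / HTTP/1.1\r\nHost: example.invalid\r\n",
}

if __name__ == "__main__":
    for expected, payload in SAMPLES.items():
        print(f"{expected:10} -> {classify_ssh_client(payload):10} {payload!r}")
```

The identification string is chosen by the client, so a match identifies cooperating software rather than proving which binary opened the connection; whether a FortiGate custom application signature can be built on this string is an assumption left to the reader to verify against the product documentation.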