Fortinet Forum
Network_Engineer
New Contributor III

How Do I Prevent My End Users From Using VPN

As in they are not supposed to install and use third party VPN.

Only allow own firewall VPN connections. 

5 REPLIES
Muhammad_Haiqal

Hi there,

There are 2 requirements I can see here:

1. Block installing VPN applications at the PC level

2. Allow own firewall VPN connection << What do you mean by this?

For number 1, this should be blocked by endpoint control like FortiClient.

For number 2, are you referring to FortiClient or IPsec VPN on the FortiGate itself?

 

haiqal
Network_Engineer

Hi,

Isn't FortiClient a VPN client? How does it prevent users from installing another VPN client?

 

For number 2, allow own firewall VPN connection, I mean the SSL and IPsec VPN configured on the firewall.

End users should only use these VPNs and not those of third parties.

Is there any way to prevent this?

Muhammad_Haiqal

Hi there,

Free FortiClient only supports VPN features. For full endpoint control to manage your PC, this requires the paid version.

 

To block VPN and proxy traffic in your network, you may use Application Control.
Here is a good share from one of our fans:
https://www.youtube.com/watch?v=l5crGRzytfs (Note: this is an external link for your reference)
You can block the category instead of a specific application.

haiqal
JWiebe
New Contributor

pminarik
Staff

FortiGate can't block an endpoint from installing VPN software. It's a firewall/router/etc., not an endpoint agent doing compliance enforcement. At best you may try to block access to known websites that offer VPN software downloads (or block VPN-related keywords with webfilter), but that is a fool's errand since these installers can be served from any arbitrary server. You'll never catch them all. (And a laptop user could just download one when not connected through your FortiGate anyway.)

 

What you could do is try to block VPN usage with Application Control. You could start by blocking the "Proxy" category (covers all VPN-related signatures), and then tweak further. Keep in mind that you may need to enable deep SSL inspection on everything if you need to be thorough in blocking. (this may become very taxing on the FortiGate performance, depending on the model and total throughput)

 

Ultimately, in my personal opinion, you'll achieve the best results by enforcing tighter control on the endpoints themselves - by blocking users from installing arbitrary applications, using some endpoint enforcement/protection software, etc.
