Tazio

How to block specific application

Hi,

I am trying to block specific applications, for example TeamViewer. I don't want anyone to access our network from outside, or even to use TeamViewer inside the network.

Also, there are lots of other users who have admin access to their computers, so I cannot prevent them from downloading anything, but I want to be able to prevent them from executing the install file, for example Wireshark.

I have tried reading on the forum, but the documents do not match exactly what I want.

The firmware version for my FortiGate 100F is v6.4.9 build1966(GA)

 

Thanks

Tazio

 

pminarik

This will be highly dependent on what exact application you have in mind. Here are a couple options, in no particular order:

 

1. Deny policy targeting ISDB destinations
A well-known app with known IP:port lists can be blocked by an explicit DENY policy with the destination set to the ISDB entry relevant to the application. E.g. TeamViewer-TeamViewer.

[screenshot]

 

2. Application Control signature blocking

Well-known applications may also have pre-made signatures. Those can be set to block in an Application Control UTM profile, which you can then apply to your internet-access firewall policies.

[screenshot]

 

3. If the app is HTTPS/DNS dependent (must resolve some FQDN to function, or uses standard HTTPS for communication), you may be able to get away with simply blocking the relevant FQDNs with DNS filter or webfilter (e.g. add static URL filter entries with block action).

4. For custom/less known apps: If you're crafty enough and have some knowledge of the application's protocol(s), you may be able to create your own custom IPS signature to block the application with Application Control. Documentation here

5. Alternatively, if the signature doesn't exist yet and you think other users would benefit from it being made, you can submit a request for a new AppControl signature here.

 

Note: With signature-based blocking, you may or may not need to utilise deep packet inspection (HTTPS/TLS decryption).

[ corrections always welcome ]
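The options above, written out as FortiOS CLI for a FortiGate on 6.4. This is an added example for illustration, not configuration taken from the reply or from Fortinet documentation. The interface names (`lan`, `wan1`), the policy, profile and URL-filter names, and the `*.teamviewer.com` wildcard are assumptions; the application signature ID in the Application Control profile is a placeholder that must be replaced with the numeric ID your firmware shows for the TeamViewer signature.

```text
# Option 1: explicit deny policy that uses the ISDB entry for TeamViewer.
# Interface names (lan, wan1) are assumed. Policies are matched top-down,
# so this must sit ABOVE the general internet-access policy.
config firewall policy
    edit 0
        set name "Deny-TeamViewer-ISDB"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set internet-service enable
        set internet-service-name "TeamViewer-TeamViewer"
        set action deny
        set schedule "always"
        set logtraffic all
    next
end

# Option 2: Application Control profile that blocks only the TeamViewer
# signature and passes everything else. The ID below is a PLACEHOLDER
# (assumption): look it up under Security Profiles > Application Signatures.
config application list
    edit "block-remote-access"
        set comment "Block TeamViewer, pass everything else"
        set other-application-action pass
        set unknown-application-action pass
        config entries
            edit 1
                set application <TEAMVIEWER-SIGNATURE-ID>
                set action block
                set log enable
            next
        end
    next
end

# Option 3: static URL filter entry (the wildcard is an assumed example),
# attached to a web filter profile.
config webfilter urlfilter
    edit 1
        set name "block-remote-access-urls"
        config entries
            edit 1
                set url "*.teamviewer.com"
                set type wildcard
                set action block
            next
        end
    next
end
config webfilter profile
    edit "block-remote-access"
        config web
            set urlfilter-table 1
        end
    next
end

# The general internet-access policy with both profiles applied.
# Signatures carried inside TLS need deep inspection; certificate
# inspection is enough when the URL filter only needs the SNI/hostname.
config firewall policy
    edit 0
        set name "LAN-to-Internet"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set application-list "block-remote-access"
        set webfilter-profile "block-remote-access"
        set logtraffic utm
        set nat enable
    next
end
```

Two checks after applying this: confirm the deny policy is ordered above the accept policy (`move <deny-id> before <accept-id>` under `config firewall policy` if it is not), and watch the UTM logs for the first blocked TeamViewer session, since a signature match inside TLS will silently fail if the deep-inspection CA is not trusted by the clients. None of these policies stops a user with local admin rights from running an installer such as Wireshark; that is an endpoint control problem, not something a FortiGate firewall policy can enforce.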
mbenitez

Hi, I need to block all protocols except MQTT on a VIP that is published to the internet. The requirement is to block all protocols in the direction from WAN (internet) -> to LAN. I wonder if it is possible to use application control in this direction. I saw that application control has a signature for the MQTT protocol, and I tried to apply application control in the firewall rules with all signatures applied and an exception for the MQTT protocol, but that didn't work. Any ideas??

Thanks and happy new year.

nweckel

"The requeriment is block all protocol in the direccion from WAN (internet) -> to LAN" This is the default behavior of a firewall.

You need to manually configure what kind of traffic you want to allow. Basic config in your case:

Create a Virtual IP (DNAT) for traffic from WAN to LAN. In firewall policy, filter sources that are allowed access from the Internet. In services, only allow TCP ports 1883 and 8883 (for MQTT protocol). Those filters are also available in VIP config. In destination of firewall policy, set your VIP. Then you can apply UTM filters (AV, IPS...) in firewall policy.

maulishshah

@mbenitez ,

 

If you would like to block all protocols except MQTT, then you might have to create a VIP policy with specific services; you can also use port forwarding.

 

[Screenshot: Capture1.PNG]

Maulish Shah
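The inbound configuration described by nweckel and maulishshah above (port-forwarding VIP, restricted service, single WAN -> LAN policy), written out as FortiOS CLI. This is an added example and not configuration from either reply; the interface names (`wan1`, `lan`), the public address 203.0.113.10, the broker address 192.168.10.20, the client subnet 198.51.100.0/24 and the object names are all assumptions.

```text
# Port-forwarding VIP: only TCP/8883 (MQTT over TLS) is mapped to the broker.
# Addresses and interface names are assumed placeholders.
config firewall vip
    edit "mqtt-broker-vip"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "192.168.10.20"
        set portforward enable
        set protocol tcp
        set extport 8883
        set mappedport 8883
    next
end

# Service object matching only the MQTT port you actually expose. Add 1883
# only if plaintext MQTT must be accepted from the internet.
config firewall service custom
    edit "MQTT-TLS"
        set tcp-portrange 8883
    next
end

# Restrict which internet sources may reach the broker (assumed subnet).
config firewall address
    edit "mqtt-clients"
        set subnet 198.51.100.0 255.255.255.0
    next
end

# The only WAN -> LAN policy. Anything not matched here is dropped by the
# implicit deny at the bottom of the policy table, so there is nothing
# else to "block": just do not create a policy for it.
config firewall policy
    edit 0
        set name "Inbound-MQTT-only"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "mqtt-clients"
        set dstaddr "mqtt-broker-vip"
        set action accept
        set schedule "always"
        set service "MQTT-TLS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "default"
        set logtraffic all
    next
end
```

The port-forwarding VIP already limits what can reach the broker to TCP/8883, so `set service "MQTT-TLS"` is a second, independent restriction: if someone later edits the VIP to a static 1:1 NAT, the policy still admits only the MQTT port. Keep `srcaddr` narrowed to known client ranges where the MQTT clients are yours; use `all` only for a genuinely public broker, and then rely on TLS client authentication on the broker itself.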
vbandha

@mbenitez 

Just to add one clarification, FortiGate will block traffic originating from outside (WAN) to LAN unless you specifically create a Firewall Policy to allow it.

However if the traffic is initiated from LAN-> WAN, the reply to the traffic from WAN to LAN will be allowed.

So in your requirement, it all depends on who is initiating the traffic. 

 

You can also create a local in policy to block traffic coming from WAN to LAN. Here is more information about the same:
https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/363127/local-in-policy

 

Regards,

Varun
