- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Block application based on Hostname that has space...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Block application based on Hostname that has spaces
I'm looking for a way to block applications based on the "Hostname", but the "Hostname" has a space in it. For example, there is a Just Proxy VPN that is getting through our firewall. If I filter the Application Control log, the Application is SSL_TLSv1.2, and in the details, the Hostname is "Just Proxy VPN" and the URL is "/", and the Category is Network.Service. It uses different IP addresses and ports, so I can't block using those.
I can't block all of SSL_TLSv1.2, but I want to block any application using hostname= "Just Proxy VPN". I can filter for it in the logs, but I can't seem to setup a block for it. Is there a way to create an Application using this information to then block it?
Here is a detail log for one instance:
itime=2017-04-10 20:44:54 vd=root app=SSL_TLSv1.2 date=2017-04-10 dstip=139.59.64.226 apprisk=medium group=FSSO_NoNetscape service=tcp/7624 proto=6 eventtype=app-ctrl-all devid=FG1K5D3I15800570 dstintf=port25 applist=BlockYouTube msg=Network.Service: SSL_TLSv1.2, dstport=51229 type=utm dtime=2017-04-10 20:44:54 devname=HA-Group dstname=139.59.64.226 appid=41540 sessionid=847504567 profiletype=applist user=NWEA-DT srcintf=port28 srcip=10.4.48.48 level=information url=/ appcat=Network.Service srcport=49567 logid=1059028704 subtype=app-ctrl time=20:44:54 action=pass itime_t=1491875094 hostname=Just Proxy VPN policyid=83
Thanks,
Michelle
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Michelle,
The --pattern syntax parses space, " ", like any other char. A custom Application Control signature for your case is:
F-SBID( --name "JustProxy.VPN.Custom"; --protocol tcp; --app_cat 6; --weight 10; --service SSL; --pattern "Just Proxy VPN"; --context host; --no_case; )
This is one way to block VPNs that use SSLVPN with their self-signed certificates. We try to cover as completely as we can the VPNs that can be downloaded and used to bypass our signatures. One case that is not as easy to cover is VPNs that use self-signed certificates. The reason is there are infinite possibilities when it comes to a self-signed certificate - certificate generators can create a certificate with completely random values within the constraints of the framework of a SSL Certificate.
The best solution (might not be plausible in your environment) is to block Untrusted SSL Certificates. Just want to let you know of the possible solutions for your case. Thanks!
HoMing
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Michelle,
The --pattern syntax parses space, " ", like any other char. A custom Application Control signature for your case is:
F-SBID( --name "JustProxy.VPN.Custom"; --protocol tcp; --app_cat 6; --weight 10; --service SSL; --pattern "Just Proxy VPN"; --context host; --no_case; )
This is one way to block VPNs that use SSLVPN with their self-signed certificates. We try to cover as completely as we can the VPNs that can be downloaded and used to bypass our signatures. One case that is not as easy to cover is VPNs that use self-signed certificates. The reason is there are infinite possibilities when it comes to a self-signed certificate - certificate generators can create a certificate with completely random values within the constraints of the framework of a SSL Certificate.
The best solution (might not be plausible in your environment) is to block Untrusted SSL Certificates. Just want to let you know of the possible solutions for your case. Thanks!
HoMing
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you!! I'm going to add this and see if that starts blocking it. This helps me understand better how to create custom signatures too.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I added that one and a couple more that were getting through - I mistakenly thought that because I set the app_cat to 6 ("Proxy") which is already a blocked category that would be enough. But I had to explicitly add that custom signature to my Application policy...and then the "Application" changed from "SSL_TLSv1.2" & pass to "JustProxy.VPN.Custom" and "block".
I did that for api.phantom.avira-vpn.com which was also showing up as "HTTPS.BROWSER", and YogaVPN...I know it's a losing battle in the end since there are so many, but the more I can knock down here the more we can concentrate on using our internet for actual educational use instead.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Michelle,
Yes, you have to add custom signatures explicitly even though it has the app_cat set to 6. We received your email and have replied to you about Avira and JustProxy. With regards to YogaVPN, we are in the process of adding a signature for it. We have a signature for it but it has some False Positive risk and therefore we have not release it out. We are still working on it. If you would like a signature for it now, here's the custom signature:
F-SBID( --name "yoga.tcp.custom"; --protocol tcp; --flow from_client; --src_port 10000:; --data_size 23; --pattern !"|00 00|"; --context packet; --pattern !"HTTP"; --no_case; --context packet; --pattern !"|16 03|"; --context packet; --distance 0,context; --within 2,context; --seq =,1,relative; --app_cat 6; --weight 20;) HoMing
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This worked for a while...but then it seemed to break my HA so I removed them. I switched from Active-Active to Active-Passive until I can get upgraded to 5.6 to see if that helps my HA (waiting on Fortianalyzer 5.6 firmware).
In the meantime, I took out my custom VPN signatures, but I have to add them again. There are just too many proxy VPN sites that our students are finding that I need to block, which aren't known by Fortinet yet.
Your custom pattern for YogaVPN doesn't appear to list the hostname anywhere. How does that custom signature know to block the YogaVPN instead of another hostname?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Michelle,
>>This worked for a while...but then it seemed to break my HA so I removed them. I switched from Active-Active to Active-Passive until I can get upgraded to 5.6 to see if that helps my HA (waiting on Fortianalyzer 5.6 firmware).
Did you check with support to see if they could diagnose the problem?
>>Your custom pattern for YogaVPN doesn't appear to list the hostname anywhere. How does that custom signature know to block the YogaVPN instead of another hostname?
YogaVPN uses a different protocol. It uses a HTTPS connection to get some servers and it has a list of hardcoded servers in the binaries. Therefore, the custom signature I provided you do not have the hostname. We have pushed new signatures for YogaVPN into the official database. It is going through the beta stage and should be released this week.
>>In the meantime, I took out my custom VPN signatures, but I have to add them again. There are just too many proxy VPN sites that our students are finding that I need to block, which aren't known by Fortinet yet.
Do you have the names of the VPNs? In my previous reply, I told you about blocking Untrusted SSL Certificates. Is that solution possible for the policies for the students?
HoMing
Related Posts
- DNS Server not resolving internal IP's 324 Views
- Problem using Application Control in FortiProxy... 1098 Views
- ForitGate API access_token 1005 Views
- Bug: FortiOS CLI bad format string... 1589 Views
- FortiClient IPsec VPN on Razer Blade... 1269 Views
Labels
-
FortiGate
6,556 -
FortiClient
1,307 -
5.2
801 -
5.4
639 -
FortiManager
565 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiSwitch
336 -
FortiAP
336 -
FortiClient EMS
264 -
6.2
251 -
FortiMail
243 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
71 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
61 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
Firewall policy
24 -
FortiConnect
24 -
SD-WAN
24 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
15 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
Logging
11 -
LDAP
10 -
Virtual IP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
IP address management - IPAM
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
Traffic shaping policy
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Web profile
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiDB
3 -
Port policy
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
Fortinet Engage Partner Program
2 -
TACACS
1 -
4.0MR1
1 -
Schedule
1 -
Users
1 -
SDN connector
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Web rating
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Multicast routing
1 -
Email filter profile
1 -
Zone
1 -
Internet Service Database
1 -
Explicit proxy
1 -
System settings
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.