Dear Community,
We have received a directive from our cybersecurity department to block all third-party VPN applications (such as Hotspot, SuperVPN, SpeedVPN, etc.) on Android and iPhone devices used by end users.
After reviewing the article https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-third-party-VPN/ta-p/220170, we implemented the recommended settings. While we can confirm that ISAKMP traffic is being blocked, we have encountered an issue where the SuperVPN app on an Android device is still able to establish a connection.
Furthermore, we are unable to implement deep inspection for VPN traffic, as our cybersecurity team has explicitly denied this approach due to privacy concerns. As per the policy, no administrator is permitted to view unencrypted traffic.
We kindly request your assistance in resolving this issue and ensuring that all third-party VPN applications are effectively blocked, without the need for deep inspection.
Thank you for your support and cooperation.
Regards
Omran Mohamed
Dear Anthony,
Thank you for your reply
the SuperVPN.Andriod" signature is already there as you can see in the below screenshot
also here are the details for the policy id 115
config firewall policy
edit 115
set status enable
set name "users-to-internet"
set uuid 0a47b616-581d-51ed-8eaf-982f15b4d628
set srcintf "Z-INSIDE"
set dstintf "SD-WAN"
set action accept
set ztna-status disable
set srcaddr "PSAU-Users"
set dstaddr "all"
set internet-service disable
set internet-service-src disable
unset reputation-minimum
set internet-service6 disable
set internet-service6-src disable
unset reputation-minimum6
set rtp-nat disable
set schedule "always"
set schedule-timeout disable
set policy-expiry disable
set service "ALL"
set tos-mask 0x00
set anti-replay enable
set dynamic-shaping disable
set passive-wan-health-measurement disable
set utm-status enable
set inspection-mode proxy
set http-policy-redirect disable
set ssh-policy-redirect disable
set webproxy-profile ''
set profile-type single
set profile-protocol-options "default"
set ssl-ssh-profile "Custom-certificate-inspection"
set av-profile "g-default"
set webfilter-profile "WF-PSAU"
set dnsfilter-profile ''
set emailfilter-profile ''
set dlp-profile ''
set file-filter-profile ''
set ips-sensor "g-default"
set application-list "AC-PSAU"
set voip-profile ''
set ips-voip-filter ''
set sctp-filter-profile ''
set icap-profile ''
set videofilter-profile ''
set waf-profile ''
set ssh-filter-profile ''
set logtraffic all
set logtraffic-start enable
set auto-asic-offload enable
set np-acceleration enable
set webproxy-forward-server ''
set nat enable
set permit-any-host disable
set permit-stun-host disable
set fixedport disable
set ippool enable
set poolname "IPPOOL-AwalNet" "IPPOOL-SaudiNet" "IPPOOL-Mobily" "IPPOOL-STC" "IPPOOL-Mobily-II"
set session-ttl 0
set vlan-cos-fwd 255
set vlan-cos-rev 255
set fec disable
set wccp disable
set disclaimer disable
set email-collect disable
set natip 0.0.0.0 0.0.0.0
set diffserv-forward disable
set diffserv-reverse disable
set tcp-mss-sender 1300
set tcp-mss-receiver 1300
set comments ''
set block-notification disable
set replacemsg-override-group ''
set srcaddr-negate disable
set srcaddr6-negate disable
set dstaddr-negate disable
set dstaddr6-negate disable
set service-negate disable
set timeout-send-rst disable
set captive-portal-exempt disable
set dsri disable
set radius-mac-auth-bypass disable
set delay-tcp-npu-session disable
unset vlan-filter
set traffic-shaper ''
set traffic-shaper-reverse ''
set per-ip-shaper ''
next
end
