Blocking FortiClient Application
Hi,
How do we block FortiClient via Application Control?
I tried to work on this using this KB: Block a specific VPN application by using... - Fortinet Community
But I am still seeing traffic from our FortiClient users, but Application is tagged as 'SSL_TLSv1.3'.
I hope you can share how to block FortiClient via Application Control effectively, and why is 'SSL_TLSv1.3' reflecting in the logs?
Thank you!
Labels: FortiGate
Yes, I selected only the FortiClient signature. Please let me know what else is needed to be blocked in the Appctrl signature list. Thanks!
What specific activity of FortiClient's (there's a variety of "stuff" it can do) are you trying to block?
The existing "FortiClient" appctrl signature only aims to match update/management traffic to FGT/FMG/EMS. Its aim is not to match the VPN functionality.
We are trying to block the FortiClient application in our network, but end users are still able to connect and use FortiClient. We want it blocked.
Since FortiClient appctrl only aims to match update and management traffic, hope you can advise which app control signatures should be added in the block list.
Thank you in advance!
Created on ‎07-18-2024 12:02 AM Edited on ‎07-18-2024 12:02 AM
I don't believe there are builtin signatures for this.
When looking at the packets (SSL-VPN) without decryption, it looks like generic TLS, so you would need the following to identify and block FortiClient VPN:
1. Apply deep inspection to the traffic
2. Detect and block a known pattern inside the decrypted payload (webmode does an HTTP GET request for /remote/login, tunnel checks for /remote/info). This could be created as a custom ipsengine signature and added as a custom app.
Depending on how much you can narrow down your search, this may need to be applied to any port and any IP, not very convenient.
Hi,
- Do you have access to the firewall that is acting as the SSL VPN gateway, or are you trying to block the communication on a passthrough FortiGate?
- If you are trying to block the communication on a passthrough FortiGate, then you can create a custom signature or block it using a URL filter as well. If your FortiClient has the remote gateway set as an FQDN, then FortiClient will usually send the SNI in the SSL handshake. We can block this communication by creating a custom signature too.
Regards,
Shiva
