Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
heyyo
Contributor

Created on ‎07-15-2024 03:20 PM

Blocking FortiClient Application

Hi,

 

How do we block FortiClient via Application Control?

I tried to work on this using this KB: Block a specific VPN application by using... - Fortinet Community

But I am still seeing traffic from our FortiClient users, but Application is tagged as 'SSL_TLSv1.3'.

 

I hope you can share how to block FortiClient via Application Control effectively, and why is 'SSL_TLSv1.3' reflecting in the logs?

 

Thank you!

Labels:
1181
0 Kudos
6 REPLIES 6
dbhavsar
Staff
Staff

Created on ‎07-16-2024 05:35 AM

Hello @heyyo ,

 

- Just to confirm have you selected FortiClient in the signature and blocked it?

DNB
1138
heyyo
Contributor
In response to dbhavsar

Created on ‎07-16-2024 03:41 PM

Yes, I selected only the FortiClient signature. Please let me know what else is needed to be blocked in the Appctrl signature list. Thanks!

1092
0 Kudos
pminarik
Staff
Staff

Created on ‎07-16-2024 06:08 AM

What specific activity of FortiClient's (there's a variety of "stuff" it can do) you're trying to block?

 

The existing "FortiClient" appctrl signature only aims to match update/managament traffic to FGT/FMG/EMS. Its aim is not to match the VPN functionality.

[ corrections always welcome ]
1130
heyyo
Contributor
In response to pminarik

Created on ‎07-16-2024 03:40 PM

We trying to block the Application FortiClient in our network, but end users are still able to connect and use FortiClient. We wanted it blocked.

 

Since FortiClient appctrl only aims to match update and management traffic, hope you can advise which app control signatures should be added in the block list. 

 

Thank you in advance!

1094
0 Kudos
pminarik
Staff
Staff
In response to heyyo

Created on ‎07-18-2024 12:02 AM Edited on ‎07-18-2024 12:02 AM

I don't believe there are builtin signatures for this.

 

When looking at the packets (SSL-VPN) without decryption, it looks like generic TLS, so you would need the following to identify and block FortiClient VPN:

1, Apply deep inspection to the traffic

2, Detect and block a known pattern inside the decrypted payload (webmode does a HTTP GET request for /remote/login, tunnel checks for /remote/info). This could be created as a custom ipsengine signature and added as a custom app.

 

Depending on how much you can narrow down your search, this may need to be applied to any port and any IP, not very convenient.

[ corrections always welcome ]
1012
smaruvala
Staff
Staff

Created on ‎07-18-2024 01:22 AM

Hi,

 

- Are you having access of the firewall which is acting as the SSL VPN gateway or you are trying to block the communication in a passthrough fortigate?

- If you are trying to block the communication in a passthrough fortigate then you can create a custom signature or block using URL filter as well. If your forticlient is having the remote gateway as a FQDN then usually forticlient will send the SNI in the SSL handshake. We can block this communication by creating a custom signature too.

 

Regards,

Shiva

 

997
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.