I try to block open proxy by blocking Proxy Category in Application Control.
So far didn't success.
If someone had success blocking that, please share
Test: -search open proxy that using port 80 from [link]http://proxylist.hidemyass.com/[/link] -set Chrome using open proxy for example 107.167.21.243 port 80 -test whether can access www.playboy.com
FYI, PaloAlto can block open proxy and SoftEther, but can't block Opera Turbo or Psiphon3
REQUEST:
When FortiGate will have Opera Turbo Application Control
thanks
[link]https://nbctcp.wordpress.com[/link]
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
please use this IPS signature and share results.
F-SBID(--name "Opera.Turbo.IPS"; --default_action drop_session; --service HTTP; --protocol tcp;--flow from_client;--pattern "X-Opera-Host:"; --no_case; --context header;)
You can try the following custom application control signatures.
UDP Connections:
F-SBID( --protocol udp; --flow from_client; --src_port 10000:; --dst_port 1024:; --seq 1,relative; --pattern !"|00 00|"; --within 16,packet; --data_size >16; --data_size <40; --tag set,softEther.UDP.tag; --app_cat 6; )
# please set this signature to 'Monitor'
F-SBID( --protocol udp; --flow from_server; --src_port 1024:; --seq 1,relative; --pattern !"|00 00|"; --within 16,packet; --data_size >90; --data_size <350; --tag test,softEther.UDP.tag; --app_cat 6; )
# please set this signature to 'Reset'
TCP Connections (Please set the following custom signatures to block or reset):
F-SBID( --protocol tcp; --service SSL; --flow from_server; --pattern ".opengw.net"; --context host; --no_case; --app_cat 6; )
F-SBID( --protocol tcp; --seq =,1,relative; --service SSL; --flow from_client; --pattern "|16 03 01|"; --within 3,packet; --pattern "|01|"; --context packet; --distance 5,context; --within 1,context; --pattern "|00 00 6E|"; --context packet; --distance 37; --within 3; --pattern "|01 00|"; --context packet; --distance 110; --within 2; --pattern "|00 0f 00 01 01|"; --context packet; --distance 5,context,reverse; --within 5,context; --pcre "/[0-9]{1,3}\x2e[0-9]{1,3}\x2e[0-9]{1,3}\x2e[0-9]{1,3}/"; --context host; --app_cat 6; )
F-SBID( --protocol tcp; --seq =,1,relative; --service SSL; --flow from_client; --pattern "|16 03 01|"; --within 3,packet; --pattern "|01|"; --context packet; --distance 5,context; --within 1,context; --pattern "|00 2a 00 39 00 38 00 35 00 16 00 13 00 0a 00 33 00 32 00 2f 00 07 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 00 ff|"; --context packet; --distance 0; --pattern "|00 00|"; --context packet; --distance 0; --pattern "|00 00|"; --context packet; --distance 4; --pcre "/[0-9]{1,3}\x2e[0-9]{1,3}\x2e[0-9]{1,3}\x2e[0-9]{1,3}/"; --context packet; --distance 15,context,reverse; --app_cat 6; )
There is a bug with UDP signatures having detection loss in certain unique cases like VPNGate. It is currently being analyzed and fixed by the engine team. We will update you when a patch is available. An alternative would be to try the custom signatures for UDP connections. There could be some false positive risks though.
Second Please create 2 IPS signature for UDP connection Below:
F-SBID( --protocol udp; --flow from_client; --default_action pass; --src_port 10000:; --dst_port 1024:; --seq 1,relative; --pattern !"|00 00|"; --within 16,packet; --data_size >16; --data_size <40; --tag set,softEther.UDP.IPS.tag; )
F-SBID( --protocol udp; --flow from_server; --default_action drop_session; --src_port 1024:; --seq 1,relative; --pattern !"|00 00|"; --within 16,packet; --data_size >90; --data_size <350; --tag test,softEther.UDP.IPS.tag; )
Please following my step it's working well at my place.
Please see attach image: for IPS signature
Best Regard,
Yin Buntha
@yaba
With Opera Turbo ON, I can still access Internet.
What I want is, without Opera Turbo user can access Internet but can't if Opera Turbo on
STEPS TAKEN:
-create IPS signature OperaTurbo with ACTION BLOCK
-create policy with ACTION ACCEPT and IPS filter ON OperaTurbo
@Yin Buntha Your SoftEther solution is already working in another thread.
But in this thread I am asking how to block Opera Turbo and Open Proxy.
Or do you mean I can use SoftEther policy to block Opera Turbo?
If that the case, I can still bypass blocking using Opera Turbo
@magnumpi
Can you please share your policy for Opera Turbo and Open Proxy
Which one you successfully blocked
In Mikrotik I am using this filter
Mikrotik: /ip firewall address-list add address=12.12.12.0/24 list=LAN /ip firewall layer7-protocol add name=opera regexp="^.+(opera-mini.net).*\$" /ip firewall filter add action=drop chain=forward layer7-protocol=opera src-address-list=LAN Basically it will block anything going to opera-mini.net How to achieve that in Fortigate
FYI I am using Fortigate 5.4 Unlicensed in Unetlab
tq
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1631 | |
1063 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.