Blocking Open Proxy
I am trying to block open proxies by blocking the Proxy category in Application Control.
So far without success.
If someone has had success blocking that, please share.
Test:
-search for an open proxy that uses port 80 from http://proxylist.hidemyass.com/
-set Chrome to use the open proxy, for example 107.167.21.243 port 80
-test whether www.playboy.com can be accessed
FYI, PaloAlto can block open proxy and SoftEther, but can't block Opera Turbo or Psiphon3
REQUEST:
When will FortiGate have Opera Turbo Application Control?
thanks
https://nbctcp.wordpress.com
Please use this IPS signature and share results.
F-SBID(--name "Opera.Turbo.IPS"; --default_action drop_session; --service HTTP; --protocol tcp;--flow from_client;--pattern "X-Opera-Host:"; --no_case; --context header;)
RZK Muhendislik Turkey
FCA,FCP,FCF,FCSS
You can try the following custom application control signatures.
UDP Connections:
F-SBID( --protocol udp; --flow from_client; --src_port 10000:; --dst_port 1024:; --seq 1,relative; --pattern !"|00 00|"; --within 16,packet; --data_size >16; --data_size <40; --tag set,softEther.UDP.tag; --app_cat 6; )
# please set this signature to 'Monitor'
F-SBID( --protocol udp; --flow from_server; --src_port 1024:; --seq 1,relative; --pattern !"|00 00|"; --within 16,packet; --data_size >90; --data_size <350; --tag test,softEther.UDP.tag; --app_cat 6; )
# please set this signature to 'Reset'
TCP Connections (Please set the following custom signatures to block or reset):
F-SBID( --protocol tcp; --service SSL; --flow from_server; --pattern ".opengw.net"; --context host; --no_case; --app_cat 6; )
F-SBID( --protocol tcp; --seq =,1,relative; --service SSL; --flow from_client; --pattern "|16 03 01|"; --within 3,packet; --pattern "|01|"; --context packet; --distance 5,context; --within 1,context; --pattern "|00 00 6E|"; --context packet; --distance 37; --within 3; --pattern "|01 00|"; --context packet; --distance 110; --within 2; --pattern "|00 0f 00 01 01|"; --context packet; --distance 5,context,reverse; --within 5,context; --pcre "/[0-9]{1,3}\x2e[0-9]{1,3}\x2e[0-9]{1,3}\x2e[0-9]{1,3}/"; --context host; --app_cat 6; )
F-SBID( --protocol tcp; --seq =,1,relative; --service SSL; --flow from_client; --pattern "|16 03 01|"; --within 3,packet; --pattern "|01|"; --context packet; --distance 5,context; --within 1,context; --pattern "|00 2a 00 39 00 38 00 35 00 16 00 13 00 0a 00 33 00 32 00 2f 00 07 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 00 ff|"; --context packet; --distance 0; --pattern "|00 00|"; --context packet; --distance 0; --pattern "|00 00|"; --context packet; --distance 4; --pcre "/[0-9]{1,3}\x2e[0-9]{1,3}\x2e[0-9]{1,3}\x2e[0-9]{1,3}/"; --context packet; --distance 15,context,reverse; --app_cat 6; )
There is a bug with UDP signatures having detection loss in certain unique cases like VPNGate. It is currently being analyzed and fixed by the engine team. We will update you when a patch is available. An alternative would be to try the custom signatures for UDP connections. There could be some false positive risks though.
Second, please create 2 IPS signatures for UDP connections, below:
F-SBID( --protocol udp; --flow from_client; --default_action pass; --src_port 10000:; --dst_port 1024:; --seq 1,relative; --pattern !"|00 00|"; --within 16,packet; --data_size >16; --data_size <40; --tag set,softEther.UDP.IPS.tag; )
F-SBID( --protocol udp; --flow from_server; --default_action drop_session; --src_port 1024:; --seq 1,relative; --pattern !"|00 00|"; --within 16,packet; --data_size >90; --data_size <350; --tag test,softEther.UDP.IPS.tag; )
Please follow my steps; it's working well at my place.
Please see the attached image for the IPS signature.
Best regards,
Yin Buntha
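The two UDP signatures in the post above work as a pair: the client-side one only sets a tag and the server-side one acts only when that tag is present. The following is an added illustration, not FortiGate code and not from the poster: a simplified offline model of those conditions that can be run against constructed sessions. It assumes the tag is tracked per UDP session, and it does not model the `--seq` option.

```python
# Added illustration (not FortiGate code): simplified offline model of the
# two tagged UDP signatures quoted in the post above.
# Assumptions: --seq is not modeled; the tag is tracked per UDP session.

NULL_PAIR = b"\x00\x00"


def head_has_no_null_pair(payload: bytes) -> bool:
    # --pattern !"|00 00|"; --within 16,packet
    return NULL_PAIR not in payload[:16]


def client_sets_tag(sport: int, dport: int, payload: bytes) -> bool:
    # --flow from_client; --src_port 10000:; --dst_port 1024:;
    # --data_size >16; --data_size <40; --tag set,...
    return (sport >= 10000 and dport >= 1024
            and 16 < len(payload) < 40
            and head_has_no_null_pair(payload))


def server_fires(sport: int, payload: bytes, tagged: bool) -> bool:
    # --flow from_server; --src_port 1024:; --data_size >90;
    # --data_size <350; --tag test,...
    return (tagged and sport >= 1024
            and 90 < len(payload) < 350
            and head_has_no_null_pair(payload))


def first_match(packets):
    """Index of the packet on which the second signature fires, or None.

    packets: list of (direction, src_port, dst_port, payload), one session.
    """
    tagged = False
    for i, (direction, sport, dport, payload) in enumerate(packets):
        if direction == "c2s" and client_sets_tag(sport, dport, payload):
            tagged = True
        elif direction == "s2c" and server_fires(sport, payload, tagged):
            return i
    return None


# Constructed sessions (not captured traffic).
REPLY = b"\x41" * 120
GENERIC = [("c2s", 50000, 5004, bytes(range(1, 21))), ("s2c", 5004, 50000, REPLY)]
LOW_DST_PORT = [("c2s", 50000, 53, bytes(range(1, 21))), ("s2c", 53, 50000, REPLY)]
NULLS_IN_HEAD = [("c2s", 50000, 5004, b"\x01\x00\x00" + b"\x02" * 20),
                 ("s2c", 5004, 50000, REPLY)]
NULLS_AFTER_16 = [("c2s", 50000, 5004, b"\x01" * 16 + b"\x00\x00" + b"\x01" * 4),
                  ("s2c", 5004, 50000, REPLY)]
```

In this model the `GENERIC` session matches although nothing in it is specific to SoftEther, which is the false positive risk the post mentions; replaying your own UDP payload sizes through `first_match` gives a rough estimate before enabling the drop action.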
@yaba
With Opera Turbo ON, I can still access Internet.
What I want is: without Opera Turbo the user can access the Internet, but can't if Opera Turbo is on.
STEPS TAKEN:
-create IPS signature OperaTurbo with ACTION BLOCK
-create policy with ACTION ACCEPT and IPS filter ON OperaTurbo
@Yin Buntha Your SoftEther solution is already working in another thread.
But in this thread I am asking how to block Opera Turbo and Open Proxy.
Or do you mean I can use SoftEther policy to block Opera Turbo?
If that is the case, I can still bypass blocking using Opera Turbo.
@magnumpi
Can you please share your policy for Opera Turbo and Open Proxy?
Which one did you successfully block?
In Mikrotik I am using this filter.
Mikrotik:
/ip firewall address-list add address=12.12.12.0/24 list=LAN
/ip firewall layer7-protocol add name=opera regexp="^.+(opera-mini.net).*\$"
/ip firewall filter add action=drop chain=forward layer7-protocol=opera src-address-list=LAN
Basically it will block anything going to opera-mini.net.
How can I achieve that in FortiGate?
FYI, I am using FortiGate 5.4 unlicensed in Unetlab.
tq
