
How Do I Prevent My End Users From Using VPN

As in they are not supposed to install and use third party VPN.

Only allow own firewall VPN connections. 


Hi there,

There are 2 requirements I can see here:

1. Block install VPN application on the PC level

2. Allow own firewall VPN connection << What do you mean by this?


For number 1, this should be blocked by endpoint control like FortiClient.

For number 2, are you referring to FortiClient or IPsec VPN on the FortiGate itself?




Isn't FortiClient a VPN client? How does it prevent users from installing another VPN client?


For number 2, allow own firewall VPN connection, I mean the firewall and SSL and IPsec VPN configured.

End users should only use these VPNs and not that of third parties.

Is there any way to prevent this? 


Hi there,

Free FortiClient only supports VPN features. For full endpoint control to manage your PC, this requires the paid version.


To block VPN and proxy traffic in your network, you may use Application Control.
This is a good sharing from our fan: (Note: This is an external link for your reference)
You can block the category instead of a specific application.



FortiGate can't block an endpoint from installing VPN software. It's a firewall/router/etc. not an endpoint agent doing compliance enforcement. At best you may try to block access to known websites that offer VPN software downloads (or block VPN-related keywords with webfilter), but that is a fool's errand since these installers can be served from any arbitrary server. You'll never catch them all. (and a laptop user could just download one when not connected through your FortiGate anyway)


What you could do is try to block VPN usage with Application Control. You could start by blocking the "Proxy" category (covers all VPN-related signatures), and then tweak further. Keep in mind that you may need to enable deep SSL inspection on everything if you need to be thorough in blocking. (this may become very taxing on the FortiGate performance, depending on the model and total throughput)


Ultimately, in my personal opinion, you'll achieve the best results by enforcing tighter control on the endpoints themselves - by blocking users from installing arbitrary applications, using some endpoint enforcement/protection software, etc.

[ corrections always welcome ]
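
The Application Control approach described in the answers above, as an added FortiOS CLI sketch that is not part of the original posts. The profile name, policy ID, policy name and interface names are assumptions, and category ID 6 for "Proxy" should be confirmed on your firmware with `set category ?` before applying.

```fortios
# Added example; names, policy ID and interfaces are assumptions.
# Application sensor that blocks the whole "Proxy" category
# rather than individual VPN applications.
config application list
    edit "block-proxy-vpn"
        set comment "Block Proxy category (VPN and proxy signatures)"
        set other-application-action pass
        set unknown-application-action pass
        config entries
            edit 1
                # 6 = Proxy (verify with: set category ?)
                set category 6
                set action block
            next
        end
    next
end

# Attach the sensor to the outbound user policy. Deep SSL inspection
# lets the signatures match VPN traffic carried inside TLS; it costs
# throughput and requires endpoints to trust the inspection CA.
config firewall policy
    edit 10
        set name "lan-to-internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action accept
        set nat enable
        set utm-status enable
        set application-list "block-proxy-vpn"
        set ssl-ssh-profile "deep-inspection"
        set logtraffic all
    next
end
```

Traffic to the organization's own SSL and IPsec VPN terminates on the FortiGate itself and does not pass through this outbound policy, so review the application control log entries for this policy to tune exceptions before tightening further.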
