jessele
New Contributor

How to block P2P / BitTorrent Sites?

So I never thought of doing this before, but an employee has been downloading illegal movies from p**atebay. I was only made aware of this from my ISP sending an email on behalf of Twentieth Century Fox Anti-Privacy. Now I'm faced with fines :( So I have a few questions... What can I do to block BitTorrent sites? How can I find out who's doing it? THANKS IN ADVANCE!
Fullmoon
Contributor III

Aside from using Web Filtering to block p2p web sites, Application Control is your best friend here. (pls see the attached file for reference) Don't forget to add the Application Profile to the Firewall Policy you want to filter/block p2p.

Fortigate Newbie

ede_pfau
SuperUser

Twentieth Century Fox Anti-Privacy
..this is truly Freudian!
Ede Kernel panic: Aiee, killing interrupt handler!
ede_pfau
SuperUser

Back to work: if you employ Application Control you will have a very effective protection against BT. I would add the 'sharehoster' category (Megaupload, Rapidshare etc.) if that is illegal in your country as well. Once in action and blocking (not monitoring!) the traffic in question, you will have the source IP in the logs. Assuming you are able to store logs locally. At a pinch, use an external syslog server until you get the culprit and have handed him the bill.
Ede Kernel panic: Aiee, killing interrupt handler!
rwpatterson
Valued Contributor III

If you have no way of scanning your PCs for the software(s) in question, you could look at the traffic logs (or realtime if you haven't closed the ports yet). Most P2P software uses ports above 1024 TCP and UDP. You'll see one host in particular with more threads than the rest in this range. Good luck

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Dave_Hall
Honored Contributor

The dashboard widgets top sessions + Per-IP bandwidth will show you at a glance which device is soaking up the bandwidth. (At our sites there should be no reason for a device to be making some 200 to 500+ outside connections to different IP addresses on different ports.) We have a catch-all Firewall policy (last firewall policy in the list) with an application sensor that blocks P2P and all unknown Applications. (Firewall policies up in the chain have application sensors that open the firewall to legit app traffic.)

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

ede_pfau
SuperUser

@Dave, I thought about your setup which appears slightly unusual to me... the advantage you have is that you (could) get logs about illegitimate apps on your LAN. The downside is that the FGT has to scan and detect 100% of the traffic or traffic attempts. If you only wanted to keep your LAN clean then the implicit DENY policy can take care of 'all the rest' which would save you some resources.
Ede Kernel panic: Aiee, killing interrupt handler!
jessele
New Contributor

Haha! Thanks for catching my error Ede! Anti-Piracy :) So I'm just looking through the forward traffic log and I see one IP address that stands out the most. IP address 192.168.33.102 going to the destination of 67.50.19.[12, 13, 14, 15, etc.], all in that range. That data shows it going to the hostname of r2---sn-pouxbg2-2qme.c.youtube.com (and variations of it), src port: 33040 and varies to 60422. Looking at the bytes per session, it received 20mb to 248mb per session with very short durations. It almost totals the size of the movie. (Life of Pie - 2.91gb) Could this be the culprit? Or I'm reading this log incorrectly. Thanks!
rwpatterson
Valued Contributor III

Chances are you're reading them, not quite correctly. The large volume is indicative of video downloading. You have a loafer in the midst perhaps, but that domain is legit (99% chance...). The P2P bandit would have high destination ports and the IP addresses wouldn't resolve to anything for the most part (or Comcast, Verizon, Cablevision, etc. Some broadband provider IP network). I have to add, I'm not familiar with PirateBay. I don't know if you download the entire flick in one shot in a short period of time.... Also, how do you know the name and size of the movie???

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
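
Added example, not part of any post in this thread: a Python sketch of the log check described in the replies above, separating a host that opens sessions to many different outside IPs on high ports from a host that pulls bulk video from a few web servers. The sample lines are constructed in FortiGate key=value traffic-log style, and the function names and thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread). Host .50 fans out to 30 peers on
# high UDP ports; host .102 pulls large transfers from 4 servers on port 443.
SAMPLE_LOG = "\n".join(
    [f"date=2013-05-01 time=10:00:{i:02d} type=traffic srcip=192.168.33.50 "
     f"srcport={40000 + i} dstip=203.0.113.{i + 1} dstport={20000 + i * 37} "
     f"proto=17 rcvdbyte=150000" for i in range(30)]
    + [f"date=2013-05-01 time=10:01:{i:02d} type=traffic srcip=192.168.33.102 "
       f"srcport={33040 + i} dstip=198.51.100.{12 + i % 4} dstport=443 "
       f"proto=6 rcvdbyte=80000000" for i in range(8)]
)

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

def parse_line(line):
    """Turn one key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def fanout_by_source(log_text, high_port=1024):
    """Per source IP: session count, distinct peers, high-port sessions, bytes."""
    stats = defaultdict(lambda: {"sessions": 0, "peers": set(),
                                 "high_port_sessions": 0, "rcvd": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("type") != "traffic" or "srcip" not in rec:
            continue
        s = stats[rec["srcip"]]
        s["sessions"] += 1
        s["peers"].add(rec.get("dstip"))
        s["high_port_sessions"] += int(rec.get("dstport", 0)) > high_port
        s["rcvd"] += int(rec.get("rcvdbyte", 0))
    return stats

def p2p_suspects(log_text, min_peers=20, min_high_ratio=0.8):
    """Flag sources with many distinct peers, mostly on high destination ports.
    Thresholds are assumed values for this small sample, not vendor guidance."""
    out = []
    for src, s in fanout_by_source(log_text).items():
        ratio = s["high_port_sessions"] / s["sessions"]
        if len(s["peers"]) >= min_peers and ratio >= min_high_ratio:
            out.append((src, len(s["peers"]), round(ratio, 2)))
    return sorted(out, key=lambda t: -t[1])

if __name__ == "__main__":
    for src, s in fanout_by_source(SAMPLE_LOG).items():
        print(src, s["sessions"], len(s["peers"]), s["rcvd"])
    print("suspects:", p2p_suspects(SAMPLE_LOG))
```

Byte volume alone does not flag the second host: it received far more data, but from only four destinations on port 443.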

jessele
New Contributor

OK, I'll dig a little deeper and see what I get. How torrents work is they download from multiple people and glue them together I think ?!? The letter I received states the movie that was downloaded. I googled the file size and sure enough.... the first link shows pirateb*y Life of Pie.