Hi,
I am using a FortiGate 90D firewall with Current Running Firmware: FGT90D-5.00-build271. I am using policy #1 where all internal office traffic is passing to WAN1 (INTERNET); I have activated a web filter profile (which is working fine) and application control on policy #1. In application control I have blocked the SoftEther VPN application, but it's not working.
Many people in my office are using the same software to connect to the blocked sites. Need help.
Regards
Hussnain Ali Javed
Sometimes APP control does not block proxy programs like VPN tunnels.
I tried to block it using APP control but it is still working.
Anyone in the Fortinet support team, please check and reply.
FWIW: That firewall policy will only work if the protocols are matched, and you can change the port and services used by the client. I'm curious: has anybody blocked this via any new FortiOS release, and how well does application identification for this service compare to PaloAlto AppID?
PCNSE
NSE
StrongSwan
Dear Irfan,
I have tried what you recommended but it's still not working. Any other solution?
Hi,
SoftEther VPN uses the HTTPS protocol in order to establish a VPN tunnel. HTTPS (HTTP over SSL) uses TCP/IP port 443 as its destination. This port is well-known, and almost all firewalls, proxy servers and NATs pass packets that belong to the HTTPS protocol.
1. Go to Policies & Objects > SSL/SSH Inspection > select your profile > Enable full SSL inspection. This SSL profile uses deep inspection. End users will likely see certificate warnings unless the certificate is installed in their browser.
2. In your Application sensor add the signature "SoftEther" and set the action to "reset".
-Irfan Pathan
@Pathan
Have you tried blocking SoftEther vpngate yourself?
I already tried many ways but I can still go through.
Here are my settings:
1. Application Control/P2P Block or Reset
NOTE: P2P include SoftEther
2. Policy & Objects/Policy/IPv4/P2P
SSL/SSH Inspection: deep inspection ON
3. I also tried blocking Service/Tunneling as in your other post.
But still no success.
FortiNet, I can still bypass your firewall using either SoftEther or Open Proxy.
For Open Proxy, I'll post in another thread.
Please do something.
PaloAlto can successfully block SoftEther.
I'll also try Cyberoam today.
https://nbctcp.wordpress.com/
Hi!!
You should follow these instructions:
You can try the following custom application control signatures.
UDP Connections:
F-SBID( --protocol udp; --flow from_client; --src_port 10000:; --dst_port 1024:; --seq 1,relative; --pattern !"|00 00|"; --within 16,packet; --data_size >16; --data_size <40; --tag set,softEther.UDP.tag; --app_cat 6; )
# please set this signature to 'Monitor'
F-SBID( --protocol udp; --flow from_server; --src_port 1024:; --seq 1,relative; --pattern !"|00 00|"; --within 16,packet; --data_size >90; --data_size <350; --tag test,softEther.UDP.tag; --app_cat 6; )
# please set this signature to 'Reset'
TCP Connections (Please set the following custom signatures to block or reset):
F-SBID( --protocol tcp; --service SSL; --flow from_server; --pattern ".opengw.net"; --context host; --no_case; --app_cat 6; )
F-SBID( --protocol tcp; --seq =,1,relative; --service SSL; --flow from_client; --pattern "|16 03 01|"; --within 3,packet; --pattern "|01|"; --context packet; --distance 5,context; --within 1,context; --pattern "|00 00 6E|"; --context packet; --distance 37; --within 3; --pattern "|01 00|"; --context packet; --distance 110; --within 2; --pattern "|00 0f 00 01 01|"; --context packet; --distance 5,context,reverse; --within 5,context; --pcre "/[0-9]{1,3}\x2e[0-9]{1,3}\x2e[0-9]{1,3}\x2e[0-9]{1,3}/"; --context host; --app_cat 6; )
F-SBID( --protocol tcp; --seq =,1,relative; --service SSL; --flow from_client; --pattern "|16 03 01|"; --within 3,packet; --pattern "|01|"; --context packet; --distance 5,context; --within 1,context; --pattern "|00 2a 00 39 00 38 00 35 00 16 00 13 00 0a 00 33 00 32 00 2f 00 07 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 00 ff|"; --context packet; --distance 0; --pattern "|00 00|"; --context packet; --distance 0; --pattern "|00 00|"; --context packet; --distance 4; --pcre "/[0-9]{1,3}\x2e[0-9]{1,3}\x2e[0-9]{1,3}\x2e[0-9]{1,3}/"; --context packet; --distance 15,context,reverse; --app_cat 6; )
There is a bug with UDP signatures having detection loss in certain unique cases like VPNGate. It is currently being analyzed and fixed by the engine team. We will update you when a patch is available. An alternative would be to try the custom signatures for UDP connections. There could be some false positive risks though.
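As an added illustration (not from the thread and not Fortinet code), here is a simplified Python model of how the two UDP custom signatures above cooperate: the from_client signature, set to Monitor, only sets a flow tag, and the from_server signature, set to Reset, fires only when that tag is already present on the flow. The F-SBID option semantics are modelled as assumptions (`--seq 1,relative` is treated as "first packet seen in that direction", `--pattern !"|00 00|"; --within 16,packet` as "no 00 00 in the first 16 payload bytes"); the packets are constructed sample data.

```python
from dataclasses import dataclass, field

TAG = "softEther.UDP.tag"  # tag name used by both signatures on the page

@dataclass
class Packet:
    proto: str          # "udp" or "tcp"
    direction: str      # "from_client" or "from_server"
    src_port: int
    dst_port: int
    payload: bytes

@dataclass
class FlowState:
    tags: set = field(default_factory=set)
    seen: dict = field(default_factory=dict)  # packets seen per direction

def first_in_direction(pkt, state):
    """Assumption: --seq 1,relative means the first packet in this direction."""
    state.seen[pkt.direction] = state.seen.get(pkt.direction, 0) + 1
    return state.seen[pkt.direction] == 1

def client_sig_matches(pkt, first):
    """Signature 1 (Monitor): udp, from_client, src_port 10000:, dst_port 1024:,
    data_size >16 and <40, no |00 00| within the first 16 bytes."""
    return (pkt.proto == "udp" and pkt.direction == "from_client" and first
            and pkt.src_port >= 10000 and pkt.dst_port >= 1024
            and 16 < len(pkt.payload) < 40
            and b"\x00\x00" not in pkt.payload[:16])

def server_sig_matches(pkt, first, state):
    """Signature 2 (Reset): udp, from_server, src_port 1024:, data_size >90
    and <350, no |00 00| within 16 bytes, and --tag test succeeds."""
    return (pkt.proto == "udp" and pkt.direction == "from_server" and first
            and pkt.src_port >= 1024 and 90 < len(pkt.payload) < 350
            and b"\x00\x00" not in pkt.payload[:16] and TAG in state.tags)

def inspect_flow(packets):
    """Return the per-packet action list; stops at the first reset."""
    state, actions = FlowState(), []
    for pkt in packets:
        first = first_in_direction(pkt, state)
        if client_sig_matches(pkt, first):
            state.tags.add(TAG)       # --tag set: monitor only, no block
            actions.append("monitor")
        elif server_sig_matches(pkt, first, state):
            actions.append("reset")   # --tag test passed: session is reset
            break
        else:
            actions.append("pass")
    return actions

# Constructed sample flow: small client probe, larger server reply, no zero bytes.
SAMPLE_FLOW = [
    Packet("udp", "from_client", 40000, 5000, bytes(range(1, 21))),
    Packet("udp", "from_server", 5000, 40000, bytes(i % 255 + 1 for i in range(120))),
]
```

The server-side reply alone never triggers a reset: without the client packet having set the tag, the second signature's `--tag test` fails and the packet passes.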
I am new to this custom Application Signature.
STEPS:
I clicked Security Profiles/Application Control/View Application Signatures
and clicked Create New.
QUESTIONS:
1. What should I type there, because I believe the maximum is 255 characters?
2. Should I create 2 Application Sensors, because in your steps there are signatures for Monitor and Block?
Thanks