- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- IPS Signature to block DNS registration?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IPS Signature to block DNS registration?
Ahoy,
So we're deploying an IPSec dialup design using Forticlient and one of the slightly irritating issues I have found is that when it connects not only does the Forticlient virtual adapter's IP address register on our AD domain DNS servers, but so does the physical LAN/WLAN adapter on the client itself. We end up with 2 IPs with a 50-50 chance of DNS resolving to the right one when required, and if you get the wrong one you can't reach the client as the IP address doesn't exist in our routing table, or more worryingly (if they are a nerd and have re-done their home LAN) a duplicate IP for something on our range....
Spoke to our SE and he asked around and apparently it isn't possible to stop it out of the box, it is possible to script it on the client (run script to first disable DNS reg on local adapter, then script launches VPN, user does their task and then runs a second script to disconnect the VPN and turn on DNS registration again), but that's messy. Looking at it, what happens is that when you connect to the VPN the FC overwrites the DNS server addresses on your local adapter with the ones you specify in the config, these also are applied to the virtual adapter. If they were to modify the design and set the metric on the adapter to something like 1 rather than 20, it would most likely be lower than the LAN's default 10 (unless changed by you), then also remove the feature that overwirtes the DNS servers on the LAN adapter. This would mean that the FC virtual adapter would be the first one used, all DNS would go down the tunnel granted, but splitt tunnelling would deal with traffic and its stop 2 IPs being registered.
Anyway, on to the actual idea he gave me: using a custom IPS signature to block DNS from the LAN adapter over the VPN tunnel but not the virtual adapter. I think this would do it:
set signature "F-SBID( --name "IPSec-Client.DNS-Block"; --service DNS; --src_addr ![10.220.0.0/16,10.221.0.0/16];
however, that's a bit heavy handed - does anyone know if it is possible to use IPS to block the packets that are involved in registering an adapter's IP in DNS? i.e. using the UDP Header options to identify the specific packet and then have the IPS sig trigger a block? Problem is i can't find info on what part of the packet specifically it is and even if I could I can't see how to add it to the sig i have made...
Any ideas peeps?
Ta
1 REPLY 1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Update - that IPS sig doesn't work as the traffic is coming in on the IPSec virtual interface with an IP in the ranges excluded (10.220.0.0/16 & 10.221.0.0/16).
Seems we'd need something that could read the contents of the UDP packets to find the IP address it mentions and block it if not in that range.... sounds a bit pie in the sky....
Related Posts
- HTTP header injection 379 Views
- How to create custom ips signature... 333 Views
- IPS in Fortigate Evaluation VM 362 Views
- Microsoft Update Secure Server CA 2.1... 1123 Views
- Fortiweb:Parameter mensaje in log-attack-attack-view 375 Views
Labels
-
FortiGate
6,771 -
FortiClient
1,345 -
5.2
801 -
5.4
639 -
FortiManager
581 -
FortiAnalyzer
425 -
6.0
416 -
5.6
362 -
FortiSwitch
347 -
FortiAP
347 -
FortiClient EMS
274 -
FortiMail
264 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
162 -
6.4
128 -
FortiNAC
113 -
FortiGuard
108 -
FortiSIEM
91 -
FortiGateCloud
88 -
IPsec
87 -
FortiCloud Products
85 -
FortiToken
73 -
SSL-VPN
70 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiExtender
34 -
FortiGate v5.4
34 -
FortiDNS
34 -
SD-WAN
34 -
FortiSandbox
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
High Availability
24 -
FortiConnect
24 -
FortiAuthenticator
23 -
VLAN
23 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
SAML
15 -
DNS
15 -
FortiMonitor
14 -
BGP
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
LDAP
13 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Authentication
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
SSL SSH inspection
9 -
Traffic shaping
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Fortigate Cloud
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Web application firewall profile
6 -
Web profile
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.