Hello I currently do not use application control on Internet bound outgoing traffic but I do block outbound port 22 (SSH).
However, I don't think this will protect me if someone from within my LAN starts up an SSH reverse shell to the Internet using a non-standard port, e.g. any port other than 22 that is allowed through the outbound policy.
Therefore I think it is essential to also use application control blocking 'SSH'.
Would you guys agree with that?
Hello, I think you should block it with an IPv4 policy and block the ports that you use for SSH to the destinations that you desire. SSH is not an Application per se, it works at the TCP level, so the best choice is to block it with an IPv4 Policy.
It worked for me.
Regards.
May also want to block alternate methods for proxying and/or ways that can be used to circumvent content filtering or other forms of port access. If you do not need to access outside sites via non-standard ports, it may be best to lock those ports down and only open access to sites (and ports) your company/organization needs. It's not uncommon to see "bad players" setting up proxies and SSH tunnels through standard ports 80, 443, 53 (both TCP and UDP), etc.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Hi tedauction
You can use an IPS profile in order to block unwanted traffic related to reverse shells.
https://fortiguard.com/search?q=reverse%20shell&type=ips&engine=1
Best Regards
Panos
Can try the following option (CLI, inside the application sensor you apply to the outbound policy; replace the placeholder with your sensor name):
config application list
    edit <application-sensor-name>
        set enforce-default-app-port enable
    next
end
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/66882/port-enforcement-check
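The point running through this thread is that a port-based deny (tcp/22) never sees SSH moved to another port, while application-level inspection identifies SSH by the protocol itself. As an added illustration (not code from the thread, from Fortinet, or from a FortiGate signature), the classifier below recognises SSH from the identification string every SSH peer sends first (RFC 4253, section 4.2) and flags flows where that string appears on a port other than 22. It assumes you have the first payload bytes of each flow; the flow records are constructed samples.

```python
"""Detect SSH on non-standard ports by payload, not by port number."""
import re
from dataclasses import dataclass

# RFC 4253 sec. 4.2: "SSH-protoversion-softwareversion [SP comments] CR LF".
# Both client and server send this line before anything else, so it is
# present in the first bytes of every SSH flow regardless of port.
SSH_ID_RE = re.compile(rb"^SSH-(2\.0|1\.99)-[\x21-\x7e]+( .*)?\r?\n")


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first payload bytes from either side of the flow


def is_ssh(payload: bytes) -> bool:
    """True if the payload begins with an SSH identification string."""
    return SSH_ID_RE.match(payload) is not None


def classify(flow: Flow) -> str:
    """Label a flow the way a port-only rule versus app control would see it."""
    if not is_ssh(flow.first_bytes):
        return "other"
    if flow.dport == 22:
        return "ssh-standard-port"  # a plain tcp/22 deny already catches this
    return "ssh-nonstandard-port"  # invisible to a port-only policy


def nonstandard_ssh(flows: list[Flow]) -> list[Flow]:
    """Return the flows a port-22 deny would miss but app inspection catches."""
    return [f for f in flows if classify(f) == "ssh-nonstandard-port"]


# Constructed sample flows (hypothetical addresses and payloads).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Flow("10.0.0.7", "203.0.113.20", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Flow("10.0.0.7", "203.0.113.20", 443, b"\x16\x03\x01\x02\x00\x01\x00"),
    Flow("10.0.0.9", "203.0.113.30", 8080, b"SSH-2.0-dropbear_2022.83 x\r\n"),
]

if __name__ == "__main__":
    for f in nonstandard_ssh(SAMPLE_FLOWS):
        print(f"SSH on non-standard port: {f.src} -> {f.dst}:{f.dport}")
```

The TLS ClientHello on 443 is left alone while the SSH banners on 443 and 8080 are flagged, which is exactly the gap the port-enforcement and application-control suggestions above close.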