Aaron_Abrincia_Meimb
New Contributor II

Unable to block proxy application using apps control

Hi Engineers,

Can you help me? Some of our users in production are using proxy applications that are downloadable from the internet. My question is: how can I prevent them from accessing these, or block their applications? This is the link where they download the applications: http://en.softonic.com/s/top-10-proxy-software

Regards,
Aaron
Network Engineer

Christopher_McMullan

Aaron,

You could block Proxy Avoidance as a FortiGuard webfilter category. You could also lock down your outgoing policies to only allow the basic network services, and deep-scan those ports you allow: i.e., only allow NTP, DNS, HTTP, and HTTPS. Through feedback over time, you could determine any apps that need special ports open that you still allow.

Regards,
Chris McMullan
Fortinet Ottawa

Aaron_Abrincia_Meimb
New Contributor II

Hi Christopher,

I tried the Proxy Avoidance category in the webfilter but still can't block those applications. I haven't yet tried allowing just HTTP, HTTPS and DNS, because in our current setup the policy services are set to "all", so basically it allows all services. Here is the scenario: our users download an application from the internet and run it on their desktop computers; after that it automatically connects them to sites such as youtube.com, which is not allowed in our company.
Network Engineer

Dave_Hall
Honored Contributor

Hi Aaron.

What Chris McMullan suggested in his post is sound advice and considered "best practice". Crafting your firewall policies in such a way will make administration easier. If you divide up your fw policies based on type of traffic, you can easily see via various logs where traffic is coming from/going to, what policies are being hit (via traffic count), which source IP is taking up most of the bandwidth, etc. (The attached pic is a sample of a possible fw chain standard.) In your case, it's hard to tell without knowing how your firewall policies are set up, what UTM features are used, etc., how to go about blocking those proxy connections to youtube. You may need to resort to blocking or throttling those "bad user" connections until they behave themselves.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

Aaron_Abrincia_Meimb
New Contributor II

Thank you very much, Dave. Attaching the screenshot of my firewall policies. Is this enough to block those proxy applications? Is it OK that my destination is set to "ALL" and my services are set to "HTTPS", "HTTP" and "DNS"?

Regards,
Aaron
Network Engineer

Christopher_McMullan

For full protection, you would want to enable deep inspection on a webfilter profile and block Proxy Avoidance under the Potentially Liable section, and consider adding an application control sensor that blocks the Proxy category of applications. To allow certificates to continue working properly, you should also consider either allowing NTP as an additional service on your outbound policy, or configure the FortiGate as an NTP server in its own right, and only receive NTP updates on the FortiGate from the FortiGuard NTP pool.

Regards,
Chris McMullan
Fortinet Ottawa
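The two replies from Chris above amount to a checklist for an outbound policy: restricted services (with NTP kept so certificates keep validating), UTM enabled, a web filter profile blocking Proxy Avoidance, an application control sensor blocking the Proxy category, and deep inspection. The following script is an added example, not code from the thread or from Fortinet: it audits policy records against that checklist. The policy dicts are constructed for the example, with keys that mirror FortiOS CLI attribute names; the profile names are hypothetical.

```python
"""Audit outbound FortiGate-style policies against the lockdown advice in this thread.

Policy records are plain dicts whose keys mirror FortiOS CLI attribute names
(service, utm-status, webfilter-profile, application-list, ssl-ssh-profile,
logtraffic). The two records below are constructed for this example; they are
not an export from any real FortiGate.
"""

# Services a locked-down outbound policy should still allow (from the thread:
# DNS, HTTP, HTTPS, plus NTP so certificate checks keep working).
BASELINE_SERVICES = {"DNS", "HTTP", "HTTPS", "NTP"}

POLICIES = [
    {   # the "services set to all" setup described in the question (constructed)
        "name": "LAN-to-WAN-allow-all",
        "srcintf": "internal", "dstintf": "wan1",
        "srcaddr": ["all"], "dstaddr": ["all"],
        "service": ["ALL"],
        "utm-status": "disable",
        "webfilter-profile": "",
        "application-list": "",
        "ssl-ssh-profile": "",
        "logtraffic": "utm",
    },
    {   # the locked-down policy the replies recommend (profile names are hypothetical)
        "name": "LAN-to-WAN-basic-services",
        "srcintf": "internal", "dstintf": "wan1",
        "srcaddr": ["all"], "dstaddr": ["all"],
        "service": ["DNS", "HTTP", "HTTPS", "NTP"],
        "utm-status": "enable",
        "webfilter-profile": "block-proxy-avoidance",
        "application-list": "block-proxy-apps",
        "ssl-ssh-profile": "deep-inspection",
        "logtraffic": "all",
    },
]


def audit_policy(policy):
    """Return a list of (severity, message) tuples for one policy; empty means clean."""
    findings = []
    services = {s.upper() for s in policy.get("service", [])}

    if "ALL" in services:
        findings.append(("high", "service is ALL: restrict outbound traffic to the services users need"))
    elif "NTP" not in services:
        # Chris's caveat: once services are restricted, keep time sync working
        findings.append(("medium", "NTP not allowed: certificate validation depends on correct time; "
                                   "allow NTP or serve it from the FortiGate"))

    if policy.get("utm-status") != "enable":
        findings.append(("high", "utm-status is not enabled: no web filter or application control applies"))
    if not policy.get("webfilter-profile"):
        findings.append(("medium", "no web filter profile: Proxy Avoidance category cannot be blocked here"))
    if not policy.get("application-list"):
        findings.append(("medium", "no application control sensor: Proxy category apps are not classified"))
    if "deep" not in policy.get("ssl-ssh-profile", "").lower():
        findings.append(("medium", "no deep inspection: HTTPS content is not inspected by the UTM profiles"))
    if policy.get("logtraffic") != "all":
        findings.append(("low", "logtraffic is not 'all': accepted sessions are not logged while investigating"))
    return findings


def audit_all(policies):
    """Map each policy name to its findings, so the report reads per policy."""
    return {p["name"]: audit_policy(p) for p in policies}


if __name__ == "__main__":
    for name, findings in audit_all(POLICIES).items():
        print(f"{name}: {'clean' if not findings else ''}")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Run against the first record (the allow-all policy from the question) it reports six findings; the second record, which carries every setting the replies ask for, comes back clean. Swapping the records for an actual policy export means mapping that export's fields onto the same keys.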

Adrian_Buckley_FTNT

Many proxy applications run over HTTP/HTTPS ports. The best way to figure out how to block a piece of software would be to make a breakout firewall policy for your PC. Then enable full UTM inspection, set to block nothing and log everything. After that, install this proxy software and use it. Then look at the logs to see what shows up, to find out if there's anything you can block that wouldn't cause a problem in your network.
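Adrian's method ends with reading the logs, and Dave's post above makes the same point about seeing which policies and source IPs the traffic hits. The script below is an added example, not code from the thread or from Fortinet: it parses FortiOS-style key=value log lines and summarises proxy-related events per source host, so the log-everything step turns into a short list of who ran what, over which ports, and whether the session was accepted. The log lines are constructed; their field names follow FortiOS traffic/UTM log conventions, but the hosts, ports and application names are made up.

```python
"""Triage FortiOS-style log lines for proxy-application use, per source host.

The log lines below are constructed for this example. Their key=value layout and
field names (type, subtype, policyid, srcip, dstip, dstport, service, app, appcat,
catdesc, action) follow FortiOS traffic/UTM log conventions, but the values, hosts
and application names are made up.
"""
import re
from collections import defaultdict

SAMPLE_LOGS = """\
date=2024-05-01 time=09:01:10 type="traffic" subtype="forward" policyid=1 srcip=10.10.1.25 dstip=203.0.113.8 dstport=443 service="HTTPS" app="HTTPS.BROWSER" appcat="Web.Client" action="accept"
date=2024-05-01 time=09:01:12 type="traffic" subtype="forward" policyid=1 srcip=10.10.1.25 dstip=198.51.100.77 dstport=443 service="HTTPS" app="ExampleProxyTool" appcat="Proxy" action="accept"
date=2024-05-01 time=09:01:15 type="traffic" subtype="forward" policyid=1 srcip=10.10.1.25 dstip=198.51.100.77 dstport=8080 service="tcp/8080" app="ExampleProxyTool" appcat="Proxy" action="accept"
date=2024-05-01 time=09:02:01 type="utm" subtype="webfilter" policyid=1 srcip=10.10.1.31 dstip=192.0.2.50 dstport=80 service="HTTP" catdesc="Proxy Avoidance" action="blocked"
date=2024-05-01 time=09:02:40 type="traffic" subtype="forward" policyid=1 srcip=10.10.1.40 dstip=203.0.113.9 dstport=53 service="DNS" app="DNS" appcat="Network.Service" action="accept"
"""

# FortiOS logs are space-separated key=value pairs; string values are double-quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Ports behind the DNS/HTTP/NTP/HTTPS lockdown discussed in the thread.
BASELINE_PORTS = {53, 80, 123, 443}


def parse_line(line):
    """Turn one key=value log line into a dict (quoted and bare values alike)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def is_proxy_event(rec):
    """True when app control tagged the session Proxy, or the web filter hit Proxy Avoidance."""
    return (rec.get("appcat", "").lower() == "proxy"
            or "proxy" in rec.get("catdesc", "").lower())


def triage(log_text):
    """Summarise proxy-related events per source IP: count, accepts, apps, ports, policies."""
    hosts = defaultdict(lambda: {"count": 0, "allowed": 0, "apps": set(),
                                 "dstports": set(), "policies": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not is_proxy_event(rec):
            continue
        h = hosts[rec["srcip"]]
        h["count"] += 1
        if rec.get("action") == "accept":
            h["allowed"] += 1          # sessions the current policy let through
        h["apps"].add(rec.get("app") or rec.get("catdesc"))
        h["dstports"].add(int(rec["dstport"]))
        h["policies"].add(int(rec["policyid"]))
    return dict(hosts)


def nonstandard_ports(hosts):
    """Ports the proxy tools used that a service-restricted policy would already drop."""
    return {p for h in hosts.values() for p in h["dstports"] if p not in BASELINE_PORTS}


if __name__ == "__main__":
    summary = triage(SAMPLE_LOGS)
    for ip, h in sorted(summary.items()):
        print(f"{ip}: {h['count']} proxy events ({h['allowed']} accepted), "
              f"apps={sorted(h['apps'])}, ports={sorted(h['dstports'])}, policies={sorted(h['policies'])}")
    print("ports a service lockdown would already close:", sorted(nonstandard_ports(summary)))
```

On the sample, 10.10.1.25 shows the proxy tool accepted twice (ports 443 and 8080) and 10.10.1.31 shows one web-filter block; 10.10.1.40 never appears because plain DNS is not a proxy event. The 8080 session is the kind that service restriction alone removes, while the 443 session is why the replies also ask for application control and deep inspection on the ports you keep open.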