Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- User Bypassing Application Control
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
User Bypassing Application Control
Hi,
I' m continuosly checking the Fortiview Sources section and I see a user who' s accesing some weird ip addresses from several countries, like he' s using some kind of proxy or P2P application not being detected by the Fortigate. Some of them are, for example, from hinet.net (China).
I' m setting up some geographic IP addresses and blocking them from IPv4 policy but they' re still appearing and with traffic.
I have a Fortigate 100D latest version, using Web Filtering and Application Control (P2P and Proxy are blocked).
Regards,
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I' m setting up some geographic IP addresses and blocking them from IPv4 policy but they' re still appearing and with traffic.Can we see your code/screenshot(s) on how you are actually doing this? Keep in mind that firewall policies are performed from top-to-bottom, so your blocking fw polic(ies) need to be place higher up in the firewall chain. Also keep in mind that any connections attempts directed at the Fortigate (IP) will not show up in normal firewall policies. If you are attempting to block geographic-based IPs to your fgt, you need to create a local-in-firewall policy.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0
(FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thank you! You' re right, my policy order was wrong, I activated the " Count" column and they were all in 0 bytes. I then moved them to the top and now I see counters working.
I did it the GUI way, through Add Address - Geographic, selected country and then group them all in one IP Address Group. Then I added the LAN - WAN policy to block that IP group.
But I think this is like " sealing an old and broken water pipe" , I' m covering a fissure and suddenly another one appears.
I wonder if this user is using sort of proxy software or P2P, though they' re already blocked using the Application Control. I' m taking note of ports in order to see a pattern but now he' s using port 80 too. I can block IP' s from China, Taiwan, Korea, etc. but I' m not going to block IP' s from USA, Germany or Italy. Any tip?
Regards,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you using the extended ips db? It may recognize additional applications.
I understand you are not using AV (potential botnet connection blocking)?
Is there a business need to allow users (this user) to connect to unknown services (ports) - i.e. other than http, https, ftp, ... ?
Do you see a possibility to identify the user/PC and contact or visit him/her?
On the other hand, many CDNs are using geographically distributed servers for certain services, even AV software updates, but also applications like teamviewer and others...
can you provide some port numbers you have observed (and is it tcp or udp)?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I' m using the high-security profile of the IPS, where can I check for the extended IPS or is it the same? AV module is running with default profile too (I guess there' s no many settings I can modify in this module).
CDN would be possible, but if any of the other users were using the same servers, under port 80, with bandwith less than 70 mb in only one session and with info related to some domains and their owners, but this user in particular is using for example, ports 3395, 4941,4614,1348 and 2686.
It' s a good security practice to reduce access by protocol, I' ll try to do that change later at night, where nobody is connected. I have all devices identified with their username, we' d warn him but I think this is also a chance to learn to block and secure your network, that' s the only reason I feel thanked with this kind of users :lol:
Regards,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ok, for ips:
config ips global set database extended endYou said you are using the latest version (5.2.0?) Is your AV profile flow-based in default mode (flow-scan-mode full) and the checkbox for blocking botnet connections is enabled? If not yet enabled, you should use at least certificate inspection in your webfilter profile. The ports appear quite random but the switch-back to known ports may provide an advantage in your investigation. If this is a messaging application or otherwise a p2p, the user needs to log on to a certain site/domain/server before he can establish a direct connection to someone else. If this is an SSL secured service, certificate inspection may provide you the domain he initially attempts to log on to and this is the first place to stop him. Whitelisting application ports / services is always a good idea. If anything is not working on standard ports, it is not too complicated to add an unintentionally blocked application afterwards. You may of course also add a shared traffic shaper 1k/1k in/out to all unknown applications in your app profile. This automatically keeps many users from using certain applications.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yep, I' m using the latest version (5.2.0) and blocking botnet connections both in Application Control and AV module.
I was using certificate-inspection but caused my users to constantly get errors in some https websites, so I decided to disable it (monitor).
I changed my policies to only allow known and authorised protocols to my users, I' ll monitor this change during today and check if those weird connections are then blocked.
Regards,
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Reconnaissance block - why? 110 Views
- Azure Front Door on-premis Fortigate 219 Views
- Cannot send media in Viber 123 Views
- How to log SSH Version and... 249 Views
- SSL VPN WITH ZTNA 224 Views
Labels
-
FortiGate
8,428 -
FortiClient
1,701 -
5.2
801 -
FortiManager
708 -
5.4
639 -
FortiAnalyzer
542 -
FortiSwitch
456 -
FortiAP
456 -
6.0
416 -
FortiClient EMS
404 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
211 -
FortiWeb
198 -
5.0
196 -
IPsec
183 -
FortiNAC
175 -
FortiGuard
134 -
6.4
128 -
SD-WAN
109 -
FortiGateCloud
100 -
FortiSIEM
98 -
FortiCloud Products
95 -
FortiToken
89 -
FortiAuthenticator
83 -
Customer Service
77 -
Wireless Controller
75 -
Firewall policy
70 -
4.0MR3
64 -
FortiProxy
59 -
FortiADC
53 -
Fortivoice
52 -
High Availability
51 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
BGP
38 -
DNS
38 -
LDAP
38 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Authentication
31 -
Interface
31 -
SSO
30 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
Application control
25 -
FortiGate v5.2
24 -
VDOM
24 -
Logging
24 -
Web profile
23 -
Virtual IP
22 -
FortiPAM
21 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
IP address management - IPAM
14 -
FortiSOAR
13 -
SSID
13 -
Static route
13 -
System settings
13 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Traffic shaping policy
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1645 | |
| 1070 | |
| 751 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.