Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mac5
New Contributor

VPN/Proxy apps blocking

Hello,

I work as a system/server admin at a company that has many branches around the world, which means that most employees are using VPN connections for work purposes.

My problem is that some employees are using proxy/VPN mobile apps to access social media sites (like YouTube and Facebook), and I'm unable to block these connections since I would be blocking all the VPN connections (tunneling) for all employees. I also cannot block their IPs since I don't know which IP belongs to which user.

I hope you can help me get around this issue because it's causing a lot of problems considering the limited bandwidth that we have.

P.S. I am new at this job and still learning about firewalls and such, so if you are going to answer, please be specific :)

Thanks

1 Solution
netmin
Contributor II

Hi @mac5,

a good start is the document 'library' here: http://docs.fortinet.com/

I would suggest getting hold of a spare FortiGate device (or downloading the trial VM from the support portal) and testing whatever you would like to implement on your corporate devices later on.

Just take a look at your FortiGate device options; there are multiple options, e.g. geographic addresses, application filters and website category filters, which can be used separately or together in your firewall policies.

...and be aware that when you enable split tunneling on a VPN connection (because this is what may allow traffic to bypass the VPN tunnel), your policies might not apply to some of the traffic ...


5 REPLIES

mac5
New Contributor

Hi @zhunissov4, thanks for replying.

To answer your questions:

1,2) I think most of the branches, if not all, use the Fortigate c300. I'm only responsible for the firewall in my branch, which is the HQ branch.

3) SSL

Can you please give me a link on how to do the split tunneling?

mac5
New Contributor

@zhunissov4 thanks for bearing with me this long :).

You answered half my question :), but misunderstood me on the other half.

I want people to be able to access the internet while connected through the VPN. What I want to do is to only block the VPN/proxy avoidance apps, which allow the user to get around his policy on the firewall and access whatever he wants.

ede_pfau
Esteemed Contributor III

You've got the answer already: if the default route (0.0.0.0/0) points to the tunnel, ALL and EVERY traffic is routed to the HQ, where you can inspect/filter/block it as you like. The means to do this is called 'split tunneling': if you disable s-t, all traffic goes to the SSLVPN server / HQ.

You can check this behavior by looking at the routing table on the client running FortiClient SSL ('route print').

I would recommend not using the SSLVPN portal but SSLVPN tunnel mode, just to support any traffic. The portal uses several proxies for HTTP, HTTPS etc. but will not support custom services (like VNC, ping, ...).

Ede

"Kernel panic: Aiee, killing interrupt handler!"
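For anyone who wants the concrete FortiGate settings behind the two answers above (netmin's application filter and Ede's "disable split tunneling so the default route points into the tunnel"), here is an added example in FortiOS CLI syntax. It is not from any post in this thread and not Fortinet documentation. The object names (portal `full-access`, user group `sslvpn-users`, profile `block-proxy`, WAN interface `wan1`) are assumptions to adapt to your unit; `SSLVPN_TUNNEL_ADDR1` and `certificate-inspection` are the default names a FortiGate ships with. The lines starting with `#` are annotations for the reader, not CLI input. The numeric ID of the "Proxy" application category differs between FortiGuard database versions, so treat the `6` below as a placeholder and confirm the number under Security Profiles > Application Control on your own firewall before using it.

```fortios
# 1. SSL VPN portal: tunnel mode, split tunneling DISABLED.
#    The weak setting would be 'set split-tunneling enable' (optionally with
#    'set split-tunneling-routing-address ...'): then only the listed corporate
#    networks are routed into the tunnel and everything else, including a
#    proxy app's own servers, leaves via the user's home/mobile link and never
#    reaches this firewall.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode disable
        set split-tunneling disable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

# 2. Map the VPN user group to that portal.
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "sslvpn-users"
            set portal "full-access"
        next
    end
end

# 3. Application control profile that blocks the Proxy category
#    (category ID assumed to be 6 here; verify on your unit).
config application list
    edit "block-proxy"
        set comment "Block proxy / VPN avoidance apps"
        config entries
            edit 1
                set category 6
                set action block
                set log enable
            next
        end
    next
end

# 4. Policy from the SSL VPN interface out to the internet. With the client's
#    default route now inside the tunnel, this is the policy that actually sees
#    (and can block) the proxy apps. Because the policy is tied to the user
#    group and logs traffic, the log shows which user hit it, not just which IP.
config firewall policy
    edit 0
        set name "sslvpn-to-internet"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "block-proxy"
        set logtraffic all
        set nat enable
    next
end
```

Two caveats a practitioner would check after applying this. First, on a Windows client run `route print` as Ede suggests: the 0.0.0.0 entry must point at the FortiClient SSL VPN adapter, otherwise split tunneling is still in effect somewhere (another portal, another authentication rule). Second, application control can only act on traffic that actually crosses this FortiGate; a phone that is not connected to the corporate VPN at all, or a branch that reaches the internet through its own firewall, is out of scope of the HQ policy and has to be handled on that device.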
Macsous

@mac5 (quoting: "I want people to be able to access the internet while connected through the VPN. What I want to do is to only block the VPN/proxy avoidance apps, which allow the user to get around his policy on the firewall.") Please post how you solved this question; I have the same problem as you. Thank you for answering me.
