Blocking IPVanish

Hey,

I was wondering if someone who has done this can help me out. I have a user that spends 40 weeks a year on the road, but when he is in the office he uses IPVanish to play games and torrent movies. I have the App Control set to block Proxy (and it does work - OpenVPN, Tor, etc. is blocked), but in the signatures IPVanish is not one of them. He has not been in the office for 3 weeks and he will not be for another 3 weeks. Is this something I need to wait until he is in the building or is there another way?

This is a Fortigate 100E with v6.0.5.

Thanks!

A better approach is to coach the user, not try and work around an issue with technology. Inform a manager and explain the risks involved. If they agree it’s against policy then they can issue a warning.

Spending time to defeat this with technology will likely result in the user trying to find other ways around the blocks and honestly, don’t you have other stuff you’d rather be doing?

You may need to create an address group object containing all 155 subnets used by IPVanish (IP Address data API - IPinfo.io) and deny access to them.

Then go find a company that understands administrative controls vs technical controls.

There are currently in the US 8000+ open information security positions for every qualified person.

I just created this script with some work. It will create all the address objects and add them to an address group called “Blocked Objects”. Feel free to edit, I just wanted to share what I used.

I tested it in a FortiManager script and pushed it to my 500E.

https://github.com/computer-dad/fortinet/blob/master/block_vanishIPs.txt

You could submit a request for an ISDB to be created for it (assuming there isn’t one already - I haven’t checked)

-----Off of IPVanish’s support page----

Our VPN service uses these ports for Firewall configuration:

  • For OpenVPN, we allow connections via TCP or UDP protocols on ports 443 or 1194. The IPVanish software uses port 443
  • Both PPTP and L2TP need the PPTP & L2TP pass-through options in the firewall/router’s management interface to be enabled (if applicable). Routers without these options may not support PPTP or L2TP traffic
    • To allow PPTP traffic, open TCP port 1723
    • To allow L2TP w/ IPSec traffic, open UDP ports 500, 1701 & 4500
  • Both IPSec and IKEv2 use UDP port 500
  • SSTP (Available via our windows client only) uses TCP port 443

If you block these ports from that machine id, he wouldn’t be able to connect to any of their VPN protocols. You should be able to proxy his port 443 requests and filter those to the level you like.

Just my $0.02 worth, hope it helps.

That would be super amazing except I work in a shit show where they try to make IT handle HR issues. Easier for me to just block it even though yes, I have about 100 other things I should be doing!

155… great. I appreciate it. Was hoping that it would not come to that. I have a weird role - my title is SysAdmin, however I write all infosec policies, monitor traffic, manage all of the local stuff, as well as our cloud environment (55 servers). I am a one-man shop here. This is a constant struggle.

Thank you so much! This is awesome.

Just publish the list in CIDR, one per line, and you could directly subscribe to it as a threat feed in 6.2. No script or config mods needed other than using the configured feed in your policy.
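One way to script both approaches in this thread, the address-group build from the earlier post and the one-CIDR-per-line threat feed just described, as an added example that is neither the linked script nor any Fortinet tooling; the CIDRs are constructed documentation ranges, not IPVanish's real subnets, and the `IPVanish_` object-name prefix is an assumption (the group name "Blocked Objects" is the one used above):

```python
import ipaddress

# Constructed sample list (RFC 5737 / RFC 3849 documentation ranges, not the
# provider's real subnets); in practice paste the published list here.
SAMPLE_CIDRS = """
198.51.100.0/24   # trailing comments are tolerated
203.0.113.128/25
203.0.113.129/25  # host bits set: normalised to 203.0.113.128/25, then deduped
2001:db8::/32     # IPv6 is skipped: it belongs in 'config firewall address6'
garbage
"""

def parse_cidrs(text):
    """Validate and normalise IPv4 CIDRs, dropping blanks, comments, junk and duplicates."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # not a network at all; leave it out rather than guess
        if net.version == 4 and net not in nets:
            nets.append(net)
    return nets

def threat_feed(nets):
    """One CIDR per line: the plain-text format an external IP threat feed consumes."""
    return "".join(f"{n}\n" for n in nets)

def fortios_config(nets, group="Blocked Objects", prefix="IPVanish"):
    """Render FortiOS CLI: one firewall address per network, then the address group."""
    lines = ["config firewall address"]
    names = []
    for net in nets:
        name = f"{prefix}_{net.network_address}_{net.prefixlen}"
        names.append(name)
        lines += [f'    edit "{name}"',
                  f"        set subnet {net.network_address} {net.netmask}",
                  "    next"]
    lines.append("end")
    members = " ".join(f'"{n}"' for n in names)
    lines += ["config firewall addrgrp", f'    edit "{group}"',
              f"        set member {members}", "    next", "end"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    nets = parse_cidrs(SAMPLE_CIDRS)
    print(threat_feed(nets))   # feed file contents (host it over HTTP for the firewall)
    print(fortios_config(nets))  # CLI to paste into the FortiGate or a FortiManager script
```

The generated group still has to be referenced as a destination in a deny policy, and the feed needs re-fetching whenever the provider adds ranges.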

Awesome - I will do that now. There is not one for IPVanish currently.

Obligatory XKCD when the word SysAdmin comes up: https://m.xkcd.com/705/ know the feeling(s)

But yes, do follow the other advice to get it written in policy, then, when things “break” when he gets back, you have a huge stick to wield… yes, you can do the blocking thing but remember they could add some extra network, then you need to update again

I've been scared to make the jump to 6.2 so far, but I do not use SD-WAN so I think I would be ok. Unfortunately we do not have a lab for the Fortigate so I just back it up and hope for the best…

For the reason stated above I am also hesitant to just block them all because they could just switch hosts. Maybe if I block it now they will give up and won't try it later (lol).

Great, let us know what they say! I’ve never submitted so would be interested in what kind of response they give.

They responded pretty quickly. They advised me to also block “ISAKMP” under Network Protocols in App Control. I will test Monday when the user is back in the office. If that doesn’t work I will just do what u/Computer_Dad_in_IT made for me - I was just trying to get a blanket block so I do not have to keep up with server changes.

I’ve also submitted a policy for review to our HR department so hopefully I do not have to waste my time with this stuff again…