Hello guys, how can we block this VPN client?
When we use deep inspection it blocks the VPN, but it sees our email client (Outlook) certificate as not secured.
It’s already blocked at the level of AP control (P2P category), but users still use it to bypass security policies.
You could exclude known traffic from SSL inspection; using ISDB, we exclude Azure and O365 from UTM to prevent certificate problems.
Is there an application profile you can use to block the traffic?
This has been an on-going challenge, not only with Fortinet but also with other L7 firewall vendors. If you’re not implementing SSL Inspection (decryption), you’re very, very dependent on how fast your firewalls can update their signatures vs. updates to Psiphon.
You can attempt to open a TAC case, in which case they’ll usually give you a custom signature or advise you to wait for an update. Tbh it’d be better for you to either:
- Just wait for the update if you don’t want to implement SSL inspection
- Implement SSL Inspection (decryption) – but this involves installing/trusting the CA provided by FortiGate (this eliminates the error your users encounter when this is implemented)
One thing you can do, however, is strictly limit which outbound ports your users are allowed. Though yeah, Psiphon CAN use HTTPS to connect to its server. In my experience, even this is hit and miss.
I see 2 possible root causes here:
1. You are a school and users == students
2. You have a Layer 8 problem, HR needs to be involved, and users are either not asked to, or are violating, the Acceptable Use Policies in their employment paperwork. You’re going to want to get that rectified, because you’ll need to prove it exists and has been signed for any compliance audits, including those for cybersecurity insurance I would guess (not a lawyer or insurance broker, so I haven’t looked into that, but it only makes logical sense).
If (1), good luck. They have all day every day to worry about how to evade every defence. There are hundreds / thousands of them and one of you. You block Psiphon; next, someone will host a server themselves on mommy & daddy’s business internet at their house…
If (2), evading in-place company protections and installing non-sanctioned software on corporate machinery for the purpose of evading those protections is a disciplinary offence and could be a resume-generating event for the perpetrator. This isn’t an IT problem once they are violating the AUP of the business.
but sees our email client (Outlook) certificate as not secured.
What certificate are you using for Outlook?
I’ll chip in here.
Last time I tried making this work, we needed:
- Deep inspection, without exceptions
- If firewall policies aren’t restrictive in allowed ports (e.g. only HTTP/S, only DNS), then inspect-all-ports must be enabled in the proxy/TLS inspection profiles
It was a true whack-a-mole of removing the otherwise reasonable exceptions.
Can you please share your SSL profile?
I’m not actively using any such setup nowadays.
Anyway, ensure that your profile:
- has no exceptions from inspection (“Exempt from SSL Inspection” section)
- is set to inspect all ports (“Inspect all ports” toggle)
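As an added example (not code from any poster in this thread, and not Fortinet’s own tooling), here is a small Python audit that checks the two points above, plus the inspect-all-ports point raised earlier, across a constructed FortiOS-style SSL/SSH profile config. The text follows the FortiOS CLI block layout (config / edit / set / next / end), but the key names `inspect-all` and `ssl-exempt`, the category id and the hostname are assumptions made for the sample, and `parse_fortios` / `audit_profiles` are hypothetical helpers written for this illustration.

```python
"""Audit FortiOS-style SSL/SSH inspection profiles for the settings the
thread calls out: no "Exempt from SSL Inspection" entries and "Inspect all
ports" turned on.

Added example, not code from the thread's posters or from Fortinet. The
config below is constructed; it mirrors the FortiOS CLI block layout but the
key names and sample values are assumptions.
"""
import shlex

# Constructed sample: one profile with the holes the thread warns about,
# one profile that matches the advice.
SAMPLE_CONFIG = """\
config firewall ssl-ssh-profile
    edit "deep-with-holes"
        config ssl
            set inspect-all disable
        end
        config https
            set ports 443
            set status deep-inspection
        end
        config ssl-exempt
            edit 1
                set type fortiguard-category
                set fortiguard-category 31
            next
            edit 2
                set type address
                set address "outlook.office365.com"
            next
        end
    next
    edit "strict-deep"
        config ssl
            set inspect-all deep-inspection
        end
        config https
            set ports 443
            set status deep-inspection
        end
    next
end
"""


def parse_fortios(text):
    """Turn FortiOS-style CLI text into nested dicts.

    A `config X` block becomes a dict under key X, each `edit N` becomes a
    dict under key N inside it, and `set k v1 v2` stores the list of values.
    `next` and `end` close the innermost open block.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # honours the quoted names FortiOS emits
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword in ("config", "edit"):
            child = stack[-1].setdefault(" ".join(args), {})
            stack.append(child)
        elif keyword == "set":
            stack[-1][args[0]] = args[1:]
        elif keyword in ("next", "end"):
            stack.pop()
        # "unset" and other keywords are not relevant to this audit
    return root


def audit_profiles(config_text):
    """Return {profile_name: [findings]} for every ssl-ssh-profile.

    An empty findings list means the profile matches the thread's advice:
    inspect-all set to deep-inspection and no ssl-exempt entries.
    """
    tree = parse_fortios(config_text)
    profiles = tree.get("firewall ssl-ssh-profile", {})
    report = {}
    for name, profile in profiles.items():
        findings = []
        inspect_all = profile.get("ssl", {}).get("inspect-all", ["disable"])
        if inspect_all != ["deep-inspection"]:
            findings.append(
                "inspect-all is %s: unless outbound ports are tightly "
                "restricted, traffic on unlisted ports is never decrypted"
                % " ".join(inspect_all))
        for entry_id, entry in profile.get("ssl-exempt", {}).items():
            kind = " ".join(entry.get("type", ["?"]))
            target = " ".join(entry.get(kind, []))
            findings.append("ssl-exempt entry %s exempts %s %s from inspection"
                            % (entry_id, kind, target))
        report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_profiles(SAMPLE_CONFIG).items():
        print("%s: %s" % (name, "OK" if not findings else "REVIEW"))
        for finding in findings:
            print("  - " + finding)
```

Run against a real `show firewall ssl-ssh-profile` export, the script lists every exemption by entry id so each one can be weighed against the certificate breakage it was added to avoid, which is the whack-a-mole trade-off described above.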