VPN Blocking Best Practice

New Member
2017/03/10 10:20:28 (permalink)

VPN Blocking Best Practice

We are currently working through blocking VPNs on our FortiGate 600D. It seems like we are spinning our wheels trying to chase down individual VPNs that our students are using to circumvent our security measures. How are you all handling the blocking of mobile device VPNs at a macro level? It doesn't seem feasible to chase down, block and test the hundreds of VPNs that are currently available.
Thanks for your input.


    Expert Member
    Re: VPN Blocking Best Practice 2017/03/10 11:19:15 (permalink)
    Hello zwilson50,
    To block the VPNs, please set the category "Proxy" and the signatures "PPTP", "L2TP" and "ISAKMP" to Block. That should block most if not all the VPNs you can find.
    As to how we try to cover all the VPNs, from our research, 80-90% of the common VPNs in the market use some form of the OpenVPN protocol that our "OpenVPN" signature would block. For those that do not use the OpenVPN protocol, many share the same servers or API calls. This signature works for most Android and Windows VPNs.
    For iOS VPNs, because of strict restrictions by Apple that VPNs need to use PPTP, L2TP or IPSec (we name the signature ISAKMP), blocking those 3 signatures would block most of the VPNs on iOS.
    The remaining VPNs that are not covered by the signatures above are covered by the other signatures in our Proxy category. We have our tools that monitor when these apps are updated and we update our signatures accordingly. We give special priority to certain very evasive VPNs like Ultrasurf, Psiphon, Hotspot Shield, Freegate, etc., because they employ very complicated protocols to bypass firewalls.
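As an added example (not part of the original thread, and not Fortinet's signature logic), the sketch below shows the kind of payload-level check that allows blocking by protocol rather than by individual VPN app, for the four protocols named in the reply above. The function names and sample payloads are constructed for illustration; the field layouts come from the public protocol specifications.

```python
import struct

# Field layouts come from the public specs (RFC 2637 PPTP, RFC 2661 L2TP,
# RFC 2408/7296 ISAKMP/IKE, OpenVPN wire format), not from Fortinet signatures.
PPTP_MAGIC = 0x1A2B3C4D
OVPN_CLIENT_RESET = {7, 10}  # P_CONTROL_HARD_RESET_CLIENT_V2 / _V3

def is_pptp(p):
    # length(2) | message type(2), 1 = control | magic cookie(4)
    return len(p) >= 8 and struct.unpack("!HI", p[2:8]) == (1, PPTP_MAGIC)

def is_l2tp_control(p):
    # Control messages set the T, L and S bits, version 2, and carry their length.
    flags, length = struct.unpack("!HH", p[:4]) if len(p) >= 12 else (0, 0)
    return flags & 0xC80F == 0xC802 and length == len(p)

def is_isakmp(p):
    # 28-byte header: SPIs(16) | next payload | version | ... | length(4)
    return (len(p) >= 28 and p[17] in (0x10, 0x20)
            and struct.unpack("!I", p[24:28])[0] == len(p))

def is_openvpn_reset(p, tcp):
    # First byte = opcode (high 5 bits) | key id (low 3 bits); TCP adds a 2-byte length.
    if tcp:
        if len(p) < 2 or struct.unpack("!H", p[:2])[0] != len(p) - 2:
            return False
        p = p[2:]
    return len(p) >= 14 and p[0] >> 3 in OVPN_CLIENT_RESET and p[0] & 7 == 0

def classify(transport, payload):
    """Label the first payload of a flow; None means no tunnel handshake seen."""
    if transport == "tcp":
        checks = [("PPTP", is_pptp), ("OpenVPN", lambda p: is_openvpn_reset(p, True))]
    else:
        checks = [("ISAKMP", is_isakmp), ("L2TP", is_l2tp_control),
                  ("OpenVPN", lambda p: is_openvpn_reset(p, False))]
    return next((name for name, check in checks if check(payload)), None)

# Constructed sample payloads (not captured traffic).
OVPN = bytes([0x38]) + bytes(range(8)) + b"\x00" + bytes(4)
IKE = bytes(range(1, 9)) + bytes(8) + bytes([0x21, 0x20, 34, 8, 0, 0, 0, 0]) + struct.pack("!I", 28)
SAMPLES = {
    "ovpn_udp": ("udp", OVPN),
    "ovpn_tcp": ("tcp", struct.pack("!H", len(OVPN)) + OVPN),
    "ikev2": ("udp", IKE),
    "pptp": ("tcp", struct.pack("!HHIHH", 156, 1, PPTP_MAGIC, 1, 0) + bytes(144)),
    "l2tp": ("udp", struct.pack("!6H", 0xC802, 12, 0, 0, 0, 0)),
    "tls": ("tcp", bytes.fromhex("160301020001000001fc0303") + bytes(32)),
}
```

The checks look only at the payload, so they apply whatever port the tunnel runs on; the constructed TLS ClientHello sample matches none of them and is returned as `None`.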
    New Member
    Re: VPN Blocking Best Practice 2019/07/11 14:46:28 (permalink)
    I have a similar problem, but I'm trying to block VPN clients that use SSL-TLS. What's the best way of doing this? We can't block SSL-TLS totally since it is used by browsers, etc.