FortiGate
sselvam (Staff)
Article Id 193159

Description
This article describes how to block web traffic from Windows XP and Windows Server 2003 hosts to the internet through the firewall.

Solution
Diagram (image not included).
When a computer’s operating system lacks vendor support, it becomes a threat to the network because newly discovered exploits will not be patched.
Using the FortiGate application control feature, it is possible to restrict these computers from accessing external resources.
This recipe will only block web traffic from computers running the designated operating systems.
If blocking these computers from being on the network entirely is desired, further action will be necessary.
However, the logs generated by this recipe can be used to identify the computers to block.

1) Enabling 'Application Control'.
 
Go to System -> Feature Select.
Under 'Security Features', enable 'Application Control'.
2) Creating a custom application signature.

Go to Security Profiles -> Application Control and select 'View Application Signatures' in the upper right-hand corner.
Create a new signature with the syntax presented here.
Copy and paste this text into the Signature field.

F-SBID(--attack_id 8151; --vuln_id 8151; --name "Windows.NT.5.Web.Surfing"; --default_action drop_session; --service HTTP; --protocol tcp; --app_cat 25; --flow from_client; --pattern !"FCT"; --pattern "Windows NT 5.1"; --no_case; --context header; --weight 40; )
The signature will appear at the top of the application list in the Web.Client category.
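As an added example (not Fortinet's code and not part of the original article), the Python below parses the F-SBID line above and applies its matching rules to constructed HTTP requests, so you can confirm what the signature does and does not match before deploying it: it drops a Windows XP User-Agent, passes a request whose headers contain the negated "FCT" pattern, and passes a Windows Server 2003 User-Agent, which reports "Windows NT 5.2" rather than "Windows NT 5.1". The matching model (direction, header context, no_case, negated patterns) is a simplified assumption about how FortiOS evaluates these options, and the request() helper and sample User-Agents are constructed.

```python
import re

# The custom signature from the article, exactly as pasted into the Signature field.
SIGNATURE = ('F-SBID(--attack_id 8151; --vuln_id 8151; --name "Windows.NT.5.Web.Surfing"; '
             '--default_action drop_session; --service HTTP; --protocol tcp; --app_cat 25; '
             '--flow from_client; --pattern !"FCT"; --pattern "Windows NT 5.1"; --no_case; '
             '--context header; --weight 40; )')

def request(user_agent):
    """Build a constructed HTTP request (headers plus empty body) for a given User-Agent."""
    return f"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: {user_agent}\r\n\r\n"

def parse_sbid(sig):
    """Split an F-SBID(...) line into scalar options and ordered (negated, text) patterns."""
    body = re.fullmatch(r"\s*F-SBID\((.*)\)\s*", sig, re.S)
    if body is None:
        raise ValueError("not an F-SBID signature")
    opts, patterns = {}, []
    for field in body.group(1).split(";"):
        field = field.strip()
        if not field:
            continue
        key, _, value = field.lstrip("-").partition(" ")
        if key == "pattern":
            patterns.append((value.startswith("!"), value.lstrip("!").strip('"')))
        else:
            opts[key] = value.strip('"') or "true"  # bare flags such as --no_case carry no value
    return opts, patterns

def matches(sig, raw_request, from_client=True):
    """Simplified model (an assumption, not FortiOS code): --flow from_client gates direction,
    --context header limits inspection to the header block, --no_case applies to all patterns,
    a plain pattern must be present and a !"..." pattern must be absent."""
    opts, patterns = parse_sbid(sig)
    if opts.get("flow") == "from_client" and not from_client:
        return False
    no_case = "no_case" in opts
    hay = raw_request.split("\r\n\r\n", 1)[0]
    hay = hay.lower() if no_case else hay
    for negated, pat in patterns:
        needle = pat.lower() if no_case else pat
        if (needle in hay) == negated:  # required pattern missing, or excluded pattern present
            return False
    return True

if __name__ == "__main__":
    for ua in ["Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)",  # Windows XP
               "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)",  # Windows Server 2003
               "FCT-client (Windows NT 5.1)"]:                         # excluded by !"FCT"
        print("drop_session" if matches(SIGNATURE, request(ua)) else "pass", "<-", ua)
```

Because the signature as written only contains --pattern "Windows NT 5.1", covering Windows Server 2003 would need a second signature built with the same syntax and --pattern "Windows NT 5.2" (an assumption based on the page's syntax, not something the article provides).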
3) Adding the signature to the default Application Control profile.

Go to Security Profiles -> Application Control and edit the default policy.
Under 'Application Overrides', select 'Add Signatures'.

The new signature appears at the top of the list.
If it does not, search for the signature’s name (in the example, block-windows-nt5).
Select the signature, then select 'Use Selected Signatures' at the bottom of the page.
4) Adding the default profile to a security policy.

Go to Policy & Objects -> IPv4 Policy and edit the policy that allows connections from the internal network to the internet.
Under 'Security Profiles', enable 'Application Control' and use the default profile.

Result.

When a PC running one of the affected operating systems attempts to connect to the internet using a browser, a replacement message appears.
Because 'Application Control' uses flow-based inspection, if an additional proxy-based security profile is applied to the same traffic, the connection will simply time out rather than display the replacement message.
However, 'Application Control' will still function.
PCs running other operating systems, including later versions of Windows, are not affected.
Go to Log & Report -> Forward Traffic. Filter the results to show denied traffic.
The application control signature, Windows.NT.5.Web.Surfing, appears in the application column and was used to block traffic from PCs running Windows XP (device writer-0735721d).