PA AppID for FortiClient VPN

How on Palo Alto do I allow the FortiClient VPN to connect?

What is the APP ID etc.

Reason: Company I work for uses Palo Alto, but we split and the new company forming is a spinoff, and they use Fortinet Firewalls and Fortinet VPN. We have a few WAN locations they did NOT migrate to their network in the appropriate timeframe. We got approval to block all Internal WAN traffic on our Palo Alto, but we want to allow them their VPN only to help push them off our network.

Thanks

You’ll need to research this yourself. The way I go about it is 2-fold.

  1. Create a Layer-4 access rule with the source/destination and port(s).

  2. Monitor the “apps detected” for the Layer-4 rule in #1.

  3. Create an App-ID rule above the Layer-4 rule with the required App-IDs.

  4. Monitor.

I would do just that, but I don’t know what IP they are connecting to for their firewall, etc. That makes it hard to track down. Perhaps I will just give them Internet, or look for IPsec and similar standard VPN protocols.

Then access is not given, at all. Until you have at least 2 pieces of information, mainly source and destination, nothing happens.

If they can’t or won’t give you the information, fk 'em.

Access is never given as a last resort because someone is lazy or doesn’t know how to do their job.

FortiClient supports both SSL and IPsec. If they are using SSL VPN, a URL filtering profile set to alert lets you collect the FQDNs and SNIs they are attempting to connect to; you could later search the URL logs to figure out their VPN.

If they are using IPsec, then you can just create a separate rule matching the ipsec and ike apps, then check which destination addresses are matching and potentially tighten the rule based on that.
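The four-step procedure above (broad Layer-4 rule, watch the apps it carries, then an App-ID rule above it) and the URL-log / IPsec-rule hints in this reply both come down to the same log triage. The following is an added example, not code from the thread or from Palo Alto Networks: it takes two constructed CSV extracts standing in for Monitor > Logs exports (a traffic log for the temporary Layer-4 rule, and an alert-only URL filtering log whose url field carries the SNI/FQDN), reports which App-IDs the rule actually carried, combines IKE/IPsec destinations with observed SNIs into a list of VPN-gateway candidates, and drafts the tighter App-ID rule as PAN-OS set-format commands. Every IP, hostname, zone name and rule name is invented for the example; the App-IDs ike, ipsec-esp and ipsec-esp-udp are real predefined signatures, and the set-command syntax should be checked against your PAN-OS version before use.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample: what a temporary "spinoff any/any" Layer-4 rule might log.
TRAFFIC_LOG = """rule,app,src,dst,dport
Spinoff-L4-Temp,ike,10.20.5.17,203.0.113.10,500
Spinoff-L4-Temp,ipsec-esp-udp,10.20.5.17,203.0.113.10,4500
Spinoff-L4-Temp,ssl,10.20.5.23,203.0.113.10,443
Spinoff-L4-Temp,ssl,10.20.5.23,198.51.100.40,443
Spinoff-L4-Temp,web-browsing,10.20.5.23,198.51.100.40,80
Spinoff-L4-Temp,dns,10.20.5.17,10.0.0.53,53
Corp-Allow-Web,ssl,10.1.1.5,198.51.100.40,443
"""

# Constructed sample: alert-only URL filtering log; without decryption the url
# field is essentially the SNI plus "/".
URL_LOG = """src,dst,url
10.20.5.23,203.0.113.10,vpn.spinoff.example/
10.20.5.23,198.51.100.40,www.example.com/
10.20.5.23,203.0.113.10,vpn.spinoff.example/
"""

# Predefined PAN-OS App-IDs that identify an IPsec VPN regardless of vendor.
IPSEC_APPS = {"ike", "ipsec-esp", "ipsec-esp-udp"}


def parse_log(text):
    return list(csv.DictReader(io.StringIO(text)))


def apps_under_rule(rows, rule):
    """Step 2: which App-IDs did the Layer-4 rule actually carry, and how often?"""
    return Counter(r["app"] for r in rows if r["rule"] == rule)


def destinations_by_app(rows, rule, apps=None):
    """Map each App-ID seen under `rule` (optionally only `apps`) to its destination IPs."""
    out = defaultdict(set)
    for r in rows:
        if r["rule"] == rule and (apps is None or r["app"] in apps):
            out[r["app"]].add(r["dst"])
    return dict(out)


def sni_by_destination(url_rows, src_prefix):
    """Hostnames (SNI/FQDN) that hosts in `src_prefix` presented to each destination IP."""
    out = defaultdict(set)
    for r in url_rows:
        if r["src"].startswith(src_prefix):
            out[r["dst"]].add(r["url"].split("/", 1)[0])
    return dict(out)


def vpn_gateway_candidates(rows, url_rows, rule, src_prefix):
    """A destination that received IKE/IPsec is a strong gateway candidate; TLS-only
    destinations are listed with their SNI so an analyst can spot the SSL VPN portal."""
    ipsec_dsts = set()
    for dsts in destinations_by_app(rows, rule, IPSEC_APPS).values():
        ipsec_dsts |= dsts
    snis = sni_by_destination(url_rows, src_prefix)
    return {
        dst: {"ipsec": dst in ipsec_dsts, "sni": sorted(snis.get(dst, ()))}
        for dst in ipsec_dsts | set(snis)
    }


def draft_appid_rule(name, from_zone, to_zone, src, dsts, apps):
    """Step 3: PAN-OS set-format commands for the App-ID rule that sits above the
    Layer-4 rule. Rule and zone names are placeholders chosen for the example."""
    dst_list = " ".join(sorted(dsts))
    app_list = " ".join(sorted(apps))
    return [
        f"set rulebase security rules {name} from {from_zone} to {to_zone}",
        f"set rulebase security rules {name} source {src}",
        f"set rulebase security rules {name} destination [ {dst_list} ]",
        f"set rulebase security rules {name} application [ {app_list} ]",
        f"set rulebase security rules {name} service application-default",
        f"set rulebase security rules {name} action allow",
        f"set rulebase security rules {name} log-end yes",
    ]


if __name__ == "__main__":
    traffic, urls = parse_log(TRAFFIC_LOG), parse_log(URL_LOG)
    print("Apps under Layer-4 rule:", dict(apps_under_rule(traffic, "Spinoff-L4-Temp")))
    cands = vpn_gateway_candidates(traffic, urls, "Spinoff-L4-Temp", "10.20.")
    for dst, info in sorted(cands.items()):
        print(dst, info)
    ipsec_gw = {d for d, i in cands.items() if i["ipsec"]}
    print("\n".join(draft_appid_rule("Spinoff-VPN-Only", "trust", "untrust",
                                     "10.20.0.0/16", ipsec_gw, ["ike", "ipsec-esp-udp"])))
```

Once the App-ID rule is in place above the Layer-4 rule, step 4 is simply running `apps_under_rule` again: anything still hitting the Layer-4 rule is either noise to deny or a gateway/app you missed.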

Well that is the issue. Before forming this spinoff, they were a part of the network. Right now they have the same internal access as the company itself. … This isn’t about not giving access but rather pulling back access. I would like to lock them down to where they get nothing but access to their own VPN until they can do their own network.

Back to your question. App-IDs are signatures very similar to IPS signatures, but instead of detecting exploit attempts they identify the traffic.

This page allows you to check for existing predefined app signatures: https://applipedia.paloaltonetworks.com/
Unfortunately there is nothing for FortiClient VPN (there is forticlient-update, but this seems totally different).

If you go to the Palo firewall GUI and try to create a custom app signature, you can see what “attributes” the firewall can use to identify the traffic.

I don’t think FortiClient, when establishing a VPN, sends any data that can uniquely identify this traffic as sent from FortiClient. Maybe if it is using SSL the initial login URL will give some info, but as far as I remember it wasn’t completely obvious.

So back to the previous suggestions: either with a URL filter or a firewall rule matching ipsec, try to identify their VPN gateway. If you are eager to learn and experiment, you can try to set up a capture and capture some traffic. Based on that you can try to create a custom app. For SSL VPN it should be easy, you can match the SNI, but for IPsec … I am not sure.
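The capture-and-match-the-SNI path in this reply rests on one fact: the SSL VPN client sends the gateway hostname in clear text in the TLS ClientHello, which is what a custom App-ID pattern would have to match. The following is an added example, not code from the thread or from either vendor: it builds a constructed ClientHello (standing in for the first packet pulled from a capture), extracts the server_name from it the way a signature engine would have to, and classifies the flow against a set of known gateway hostnames. The hostname vpn.spinoff.example, the cipher suites and the random bytes are all invented; a record that is not a ClientHello, or a ClientHello with no SNI, yields no match, which is exactly the gap this reply flags for IPsec, where there is no such field to key on.

```python
import struct


def build_client_hello(host, extra_ext=b""):
    """Constructed TLS 1.2-style ClientHello record carrying an SNI extension.
    Stand-in for the first client packet of an SSL VPN session in a capture."""
    name = host.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = server_name
    exts = extra_ext + sni_ext
    body = (
        b"\x03\x03" + b"\x11" * 32                    # client_version, random (constructed)
        + b"\x00"                                     # empty session id
        + struct.pack("!H", 4) + b"\xc0\x2f\xc0\x30"  # two cipher suites
        + b"\x01\x00"                                 # null compression only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a TLS ClientHello record, or None if the bytes are
    not a ClientHello or carry no SNI. Every length is bounds-checked so truncated
    or hostile input cannot raise."""
    if len(record) < 5 or record[0] != 0x16:          # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                   # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    p = 2 + 32                                         # skip version + random
    if len(body) < p + 1:
        return None
    p += 1 + body[p]                                   # session id
    if len(body) < p + 2:
        return None
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]     # cipher suites
    if len(body) < p + 1:
        return None
    p += 1 + body[p]                                   # compression methods
    if len(body) < p + 2:                              # no extensions block at all
        return None
    end = min(p + 2 + struct.unpack("!H", body[p:p + 2])[0], len(body))
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        p += 4
        edata = body[p:p + elen]
        p += elen
        if etype != 0x0000 or len(edata) < 2:
            continue
        list_end = min(2 + struct.unpack("!H", edata[:2])[0], len(edata))
        q = 2
        while q + 3 <= list_end:
            ntype, nlen = edata[q], struct.unpack("!H", edata[q + 1:q + 3])[0]
            q += 3
            name = edata[q:q + nlen]
            q += nlen
            if ntype == 0:
                return name.decode("ascii", "replace")
    return None


def classify_flow(record, gateway_hosts):
    """What a custom App-ID keyed on the SNI would decide for this first packet."""
    sni = extract_sni(record)
    if sni is None:
        return "no-sni"
    return "spinoff-vpn" if sni.lower() in gateway_hosts else "other-tls"


if __name__ == "__main__":
    gateways = {"vpn.spinoff.example"}
    for host in ("vpn.spinoff.example", "www.example.com"):
        rec = build_client_hello(host)
        print(host, "->", extract_sni(rec), classify_flow(rec, gateways))
    print("non-TLS bytes ->", classify_flow(b"\x00\x11\x22\x33", gateways))
```

Matching on the SNI only works while the spinoff's client actually sends it; a client behind a decrypting proxy, or one using Encrypted Client Hello, would land in the no-sni bucket, which is the case to watch for in the logs after the custom app goes live.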