HOW To Block Outgoing VPN Access ?
Freshman Member
I need to prevent the ability of visitors who connect laptops or Smartphones into the network and access the Internet via VPN client software. I can block regular web browsing through Content FIltering and App Patrol, but it does not block users who initiate VPN sessions from inside the network to access Unauthorized websites.
Best Answers
-
Zyxel_Stanley
Thanks for your reply.
But must of the users who are bypassing my securities (APP control & Content filtering) with VPN Apps, are using smartphones.
And these users are eating the internet bandwidth by streaming or by downloading videos etc....
My next questions are the followings:
1- How do I identify the VPN app they are using on their smartphones from the USG?
2- How do I block the following VPN ports on the USG?
AH(51), ESP(50), IKE(500), NATT(4500), PPTP(1723), PPTP tunnel(47), OpenVPN(1194)
0 -
Hi @vfm_IT
In App Patrol function, there are some well-known VPN software are defined as “tunneling and proxy services” category.
You can block VPN software by this category.
Go to Configuration > Object > Application > And click “Add” button to create a APP Patrol object and add “tunneling and proxy services” as member.
Go to Configuration > UTM profile > APP Patrol > Click “Add” button to add a APP Patrol object. And select object which we added before.
Then Go to Configuration > Security policy > Policy control > Click Add button to block it by APP Patrol rule.
For blocking the VPN ports.
You can group the ports as an object, and block the traffic from LAN to WAN.
After these steps is able block almost VPN software traffic from LAN to WAN.
5
Zyxel Employee
All Replies
-
Hi @vfm_IT
There are regular VPN ports, you can block them from LAN to WAN first:
AH(51), ESP(50), IKE(500), NATT(4500), PPTP(1723), PPTP tunnel(47), OpenVPN(1194)
But due to there are many different VPN software, so will use different protocols and port numbers.
You have to know which software is working on client PC first, and then block the traffic which initial from LAN to WAN.
0 -
Zyxel_Stanley
Thanks for your reply.
But must of the users who are bypassing my securities (APP control & Content filtering) with VPN Apps, are using smartphones.
And these users are eating the internet bandwidth by streaming or by downloading videos etc....
My next questions are the followings:
1- How do I identify the VPN app they are using on their smartphones from the USG?
2- How do I block the following VPN ports on the USG?
AH(51), ESP(50), IKE(500), NATT(4500), PPTP(1723), PPTP tunnel(47), OpenVPN(1194)
0 -
Hi @vfm_IT
In App Patrol function, there are some well-known VPN software are defined as “tunneling and proxy services” category.
You can block VPN software by this category.
Go to Configuration > Object > Application > And click “Add” button to create a APP Patrol object and add “tunneling and proxy services” as member.
Go to Configuration > UTM profile > APP Patrol > Click “Add” button to add a APP Patrol object. And select object which we added before.
Then Go to Configuration > Security policy > Policy control > Click Add button to block it by APP Patrol rule.
For blocking the VPN ports.
You can group the ports as an object, and block the traffic from LAN to WAN.
After these steps is able block almost VPN software traffic from LAN to WAN.
5 -
Zyxel_Stanley
Many thanks for your advise and support.0
Categories
- All Categories
- 398 Beta Program
- 2.1K Nebula
- 116 Nebula Ideas
- 78 Nebula Status and Incidents
- 5.1K Security
- 52 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 70 Switch Ideas
- 907 WirelessLAN
- 34 WLAN Ideas
- 5.9K Consumer Product
- 211 Service & License
- 332 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 1.9K FAQ
- 880 Nebula FAQ
- 415 Security FAQ
- 221 Switch FAQ
- 195 WirelessLAN FAQ
- 46 Consumer Product FAQ
- 137 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 73 About Community
- 63 Security Highlight
