Handbook

Blocking Windows XP

6.0.0

In this example, you will use application control to block web traffic from PCs running Windows NT 5.x operating systems, including Windows XP (NT 5.1) and Windows Server 2003 (NT 5.2); because the signature matches any NT 5.x version string, Windows 2000 (NT 5.0) is caught as well. Windows virtual machines running these versions are affected in the same way as physical PCs.

When a computer's operating system lacks vendor support, it becomes a threat to the network because newly discovered vulnerabilities will no longer be patched. Using the FortiGate application control feature, you can stop these computers from reaching external resources.

This example only blocks web traffic from computers running the affected operating systems. The signature matches the "Windows NT 5." string that the browser sends in the User-Agent header of each HTTP request, so it sees only traffic the FortiGate can read: HTTPS requests are not matched unless the policy also applies SSL deep inspection, and a client whose User-Agent string has been changed is not detected. If you wish to keep these computers off the network entirely, further action will be necessary. However, the logs generated can be used to identify the computers you wish to block.

  1. Go to System > Feature Select. Enable Application Control and Apply your changes.
  2. Go to Security Profiles > Application Control and select View Application Signatures.
  3. Create a new signature with the syntax below. You can copy and paste the text into the Signature field. Name the signature Block-Windows-NT5.

    F-SBID(--attack_id 8055;--vuln_id 8055;--name "Windows.NT.5.Web.Surfing";--flow from_client;--pattern !"FCT";--pattern "Windows NT 5.";--no_case;--context header;--weight 40;--service HTTP;--protocol tcp;--app_cat 25;--default_action drop_session;)

    The keywords work as follows: --flow from_client inspects only requests sent by the client; --context header restricts the match to the HTTP request header (where the browser's User-Agent string carries "Windows NT 5."), so the same string in a request body does not match; --no_case makes the pattern it follows case-insensitive; the negated --pattern !"FCT" exempts any request whose header contains the string FCT (the likely intent is to leave FortiClient's own traffic alone); --service HTTP and --protocol tcp limit the signature to HTTP over TCP; --app_cat 25 places it in the Web.Client category; and --default_action drop_session drops a session as soon as it matches.

    If you do not include keyword / value pairs for --attack_id or --vuln_id in the signature, the FortiGate will automatically assign values.

    The signature will appear at the top of the application list and be listed in the Web.Client category.

  4. Go to Security Profiles > Application Control and edit the default profile.
  5. Under Application Overrides, select Add Signatures. The new signature should appear at the top of the list. If it does not, search for the signature’s name.
  6. Select the signature, then select Use Selected Signatures.
  7. Go to Policy & Objects > IPv4 Policy and edit the policy that allows connections from the internal network to the Internet.
  8. Under Security Profiles, turn on Application Control and use the default profile.
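The following Python script is an added example, not code from this page or from Fortinet, that models which client requests the signature above matches so you can check the intended coverage before enabling it. It reproduces the keywords that decide the match (--flow from_client, --context header, the negated --pattern !"FCT", and --pattern "Windows NT 5." with --no_case). The sample requests, addresses and User-Agent strings are constructed, and the purpose of the FCT exemption is an assumption; the matching itself is a plain string search, not FortiGate's engine.

```python
"""Added example, not Fortinet's code: a small model of what the
Block-Windows-NT5 signature matches, run over constructed client requests.
--no_case modifies only the pattern it follows, so the FCT check is
case-sensitive and the "Windows NT 5." check is case-insensitive."""

from dataclasses import dataclass

SIGNATURE_NAME = "Windows.NT.5.Web.Surfing"


@dataclass(frozen=True)
class ClientRequest:
    src_ip: str   # illustrative address
    raw: bytes    # raw HTTP request as sent by the client (header, optional body)


def request_header(raw: bytes) -> bytes:
    """--context header: only the block before the first blank line is
    inspected, so a 'Windows NT 5.' string in a POST body never matches."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    return head


def matches_windows_nt5(raw: bytes) -> bool:
    """Both --pattern terms must hold for the signature to fire."""
    header = request_header(raw)
    if b"FCT" in header:                       # --pattern !"FCT": exempt, case-sensitive
        return False
    # --pattern "Windows NT 5." with --no_case: the trailing dot is what keeps
    # NT 5.0 / 5.1 / 5.2 in and NT 6.x, NT 10.0 or a bare "NT 5" out.
    return b"windows nt 5." in header.lower()


def inspect(requests):
    """Per request: 'drop_session' (the signature's --default_action) or 'pass'."""
    return [(r.src_ip, "drop_session" if matches_windows_nt5(r.raw) else "pass")
            for r in requests]


def _get(src_ip, user_agent, body=b""):
    """Build a constructed request carrying the given User-Agent (host is illustrative)."""
    method = b"POST /upload" if body else b"GET /"
    return ClientRequest(src_ip, method + b" HTTP/1.1\r\nHost: www.example.com\r\n"
                         b"User-Agent: " + user_agent + b"\r\n\r\n" + body)


# Constructed sample traffic, one request per host.
SAMPLE = [
    _get("10.0.1.11", b"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"),      # Windows XP
    _get("10.0.1.12", b"Mozilla/5.0 (Windows NT 5.2; WOW64; rv:52.0)"),            # Server 2003 / XP x64
    _get("10.0.1.13", b"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"),      # Windows 2000 matches too
    _get("10.0.1.14", b"Mozilla/5.0 (Windows NT 6.1; Win64; x64)"),                # Windows 7: not matched
    _get("10.0.1.15", b"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),               # Windows 10: not matched
    _get("10.0.1.16", b"FCT/6.0 (Windows NT 5.1)"),                                # FCT marker exempts it
    _get("10.0.1.17", b"curl/7.64.0", body=b"note=Windows NT 5.1 host retired"),   # string in body only
    _get("10.0.1.18", b"Mozilla/5.0 (Windows NT 6.1)"),                            # XP host with a changed UA: not caught
]

if __name__ == "__main__":
    for ip, action in inspect(SAMPLE):
        print(f"{ip:<12} {action}")
```

The last two sample requests are the limits worth remembering: the header context means a body string never triggers the block, and a host that rewrites its User-Agent simply passes, which is why the page recommends using the logs to find and then isolate these machines rather than relying on the signature alone.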

Results

When a PC running one of the affected operating systems attempts to connect to the Internet using a browser, a blocked message appears. Because Application Control uses flow-based inspection, if you also apply a proxy-based security profile to the same traffic, the connection simply times out rather than displaying the replacement message. Application Control still blocks the traffic in that case.

PCs running other operating systems, including later versions of Windows, are not affected.

Go to FortiView > All Sessions and select the 5 minutes view.

Filter the results to show sessions that were blocked.

You will see that the Application Control signature, shown in the Application Name column, was used to block traffic from PCs running older Windows versions.
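Beyond FortiView, the same information can be pulled from the application control log to produce the list of hosts that need to be taken off the network. The following Python script is an added example, not code from this page or from Fortinet: it parses FortiGate-style key=value log lines and summarises, per source IP, the sessions blocked by the signature. The log lines are constructed for the example; the field names follow the app-ctrl log format, but no real device, address or timestamp is implied, and a device exporting to a different log format would need the parser adjusted.

```python
"""Added example, not Fortinet's code: list the hosts whose sessions the
Block-Windows-NT5 signature blocked, from constructed app-ctrl log lines."""

import re
from collections import defaultdict

SIGNATURE_NAME = "Windows.NT.5.Web.Surfing"

# key=value or key="quoted value"; quoted values carry no embedded quotes.
_FIELD = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_log_line(line: str) -> dict:
    """Split one FortiGate log line into a dict of its fields."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in _FIELD.finditer(line)}


def blocked_hosts(lines, app=SIGNATURE_NAME) -> dict:
    """Return {srcip: summary} for sessions the named application signature
    blocked. Only app-ctrl records with action=block for that signature count;
    allowed sessions, other signatures and firewall traffic logs are skipped."""
    hosts = defaultdict(lambda: {"hits": 0, "first": None, "last": None, "dst": set()})
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("subtype") != "app-ctrl" or rec.get("action") != "block":
            continue
        if rec.get("app") != app:
            continue
        when = f'{rec["date"]} {rec["time"]}'       # ISO-style, so string order is time order
        h = hosts[rec["srcip"]]
        h["hits"] += 1
        h["first"] = when if h["first"] is None else min(h["first"], when)
        h["last"] = when if h["last"] is None else max(h["last"], when)
        h["dst"].add(f'{rec["dstip"]}:{rec["dstport"]}')
    return dict(hosts)


# Constructed sample log (documentation IP ranges; no real device implied).
_C = 'type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="warning" vd="root" proto=6 service="HTTP" applist="default"'
SAMPLE_LOG = [
    f'date=2019-07-18 time=10:02:11 {_C} srcip=10.0.1.11 srcport=49152 dstip=203.0.113.7 dstport=80 '
    f'action="block" app="{SIGNATURE_NAME}" appcat="Web.Client"',
    f'date=2019-07-18 time=10:02:40 {_C} srcip=10.0.1.11 srcport=49153 dstip=203.0.113.10 dstport=80 '
    f'action="block" app="{SIGNATURE_NAME}" appcat="Web.Client"',
    f'date=2019-07-18 time=10:03:05 {_C} srcip=10.0.1.12 srcport=1034 dstip=203.0.113.7 dstport=80 '
    f'action="block" app="{SIGNATURE_NAME}" appcat="Web.Client"',
    # A Windows 7 host browsing normally: allowed, not listed.
    f'date=2019-07-18 time=10:03:30 {_C} srcip=10.0.1.14 srcport=51000 dstip=203.0.113.7 dstport=80 '
    f'action="pass" app="HTTP.BROWSER" appcat="Web.Client"',
    # Blocked by a different signature: not this signature's hit.
    f'date=2019-07-18 time=10:04:00 {_C} srcip=10.0.1.11 srcport=6881 dstip=198.51.100.9 dstport=6881 '
    f'action="block" app="BitTorrent" appcat="P2P"',
    # Firewall policy deny from the traffic log, not an app-ctrl record.
    'date=2019-07-18 time=10:00:00 type="traffic" subtype="forward" srcip=10.0.1.11 srcport=445 '
    'dstip=198.51.100.9 dstport=445 action="deny"',
]

if __name__ == "__main__":
    for ip, s in sorted(blocked_hosts(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["hits"]):
        print(f'{ip:<12} hits={s["hits"]:<3} first={s["first"]} last={s["last"]} dst={sorted(s["dst"])}')
```

The filter deliberately keys on subtype, action and the signature name rather than on action alone: a host blocked by another signature or denied by a firewall policy is a different problem, and mixing those records in would produce a wrong list of machines to retire.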
