Blocking Windows XP traffic


In this example, you will use application control to block web traffic from PCs running Windows NT 5.x operating systems, including Windows XP and Windows Server 2003 (and Windows virtual machines running those versions).

When a computer's operating system lacks vendor support, it becomes a threat to the network because newly discovered vulnerabilities will not be patched. Using the FortiGate application control feature, you can stop these computers from accessing external web resources.

Find this recipe for other FortiOS versions:
5.2 | 5.4

1. Enabling Application Control

Go to System > Config > Features. Enable Application Control and Apply your changes.  

2. Creating a custom application control signature

Go to Security Profiles >  Application Control and select View Application Signatures.

Create a new signature with the following syntax. (You can copy and paste this text into the Signature field.) The signature inspects the headers of HTTP requests sent by clients for the string Windows NT 5. (matched case-insensitively), which browsers on these operating systems include in their User-Agent header, and skips any request whose header also contains the string FCT.

F-SBID( --attack_id 8151; --vuln_id 8151; --name "Windows.NT.5.Web.Surfing"; --default_action drop_session; --service HTTP; --protocol tcp; --app_cat 25; --flow from_client; --pattern !"FCT"; --pattern "Windows NT 5."; --no_case; --context header; )

The signature will appear at the top of the application list and be listed in the Web.Others category.

3. Adding the signature to the default Application Control profile

Go to Security Profiles > Application Control and edit the default profile.

Under Application Overrides, select Add Signature.

The new signature should appear at the top of the list. If it does not, search for the signature's name (in the example, Windows.NT.5.Web.Surfing).

Select the signature, then select Use Selected Signatures.

4. Adding the default profile to a security policy

Go to Policy & Objects > Policy > IPv4 and edit the policy that allows connections from the internal network to the Internet.

Under Security Profiles, turn on Application Control and use the default profile.

5. Results

When a PC running one of the affected operating systems attempts to connect to the Internet using a browser, a blocked message appears.

PCs running other operating systems, including later versions of Windows, are not affected.

Go to System > FortiView > All Sessions and select the 5 minutes view.

Filter the results to show sessions that were blocked.

You will see that the Application Control signature, shown in the Application Name column, was used to block traffic from PCs running older Windows versions (in the example, the device Joscelin).

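To see exactly which clients the signature above catches and which it lets through, here is an added worked example (not Fortinet code and not the FortiGate engine) that re-implements the signature's two-pattern logic in Python and runs it over constructed HTTP requests. The User-Agent strings and requests in it are made up for the demonstration; the handling of the negated FCT pattern (searched in the same header block, and case-sensitively because no --no_case modifier follows it) is an assumption about how the engine scopes that pattern, and the recipe itself does not say which client the FCT exclusion is meant to protect.

```python
"""Offline model of the custom signature Windows.NT.5.Web.Surfing.

Added example, not Fortinet code: it re-implements the signature's matching
logic on constructed HTTP requests so you can see which sessions would be
dropped. The FortiGate inspects client-to-server HTTP headers only
(--service HTTP; --flow from_client; --context header).
"""
from typing import Dict, Optional

# Copied from the F-SBID text in the recipe.
POSITIVE_PATTERN = "Windows NT 5."   # --pattern "Windows NT 5."; --no_case
NEGATED_PATTERN = "FCT"              # --pattern !"FCT"; no --no_case follows, so treated as case-sensitive (assumption)


def header_block(request: bytes) -> Optional[str]:
    """Return the header block (request line + headers) of a client HTTP
    request, or None if the bytes are not a client request. The body after
    the blank line is dropped on purpose: --context header never searches it."""
    head, sep, _body = request.partition(b"\r\n\r\n")
    if not sep:
        return None
    text = head.decode("iso-8859-1")  # any header byte decodes in Latin-1
    request_line = text.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    # A client request line is "METHOD target HTTP/x.y"; a server response
    # begins "HTTP/x.y status ..." and is not --flow from_client.
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return text


def signature_matches(request: bytes) -> bool:
    """True when the signature would fire and the session be dropped."""
    headers = header_block(request)
    if headers is None:
        return False
    has_nt5 = POSITIVE_PATTERN.lower() in headers.lower()  # --no_case
    has_fct = NEGATED_PATTERN in headers                    # negated pattern
    return has_nt5 and not has_fct


def build_request(user_agent: str, host: str = "www.example.com") -> bytes:
    """Constructed GET request carrying the given User-Agent."""
    return (
        f"GET / HTTP/1.1\r\nHost: {host}\r\nUser-Agent: {user_agent}\r\n"
        "Accept: */*\r\nConnection: close\r\n\r\n"
    ).encode("iso-8859-1")


# Constructed User-Agent strings in the shapes these browsers use; not captured traffic.
SAMPLES: Dict[str, str] = {
    "windows_xp_ie8":   "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
    "server_2003_ie7":  "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2)",
    "windows_2000_ie6": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)",
    "windows_7_chrome": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/45.0.2454.101 Safari/537.36",
    "xp_lowercase_ua":  "custom-agent (windows nt 5.1)",              # --no_case still matches
    "xp_with_fct":      "FCT/5.2 (Windows NT 5.1)",                    # assumed client that sends "FCT"
    "xp_spoofed_ua":    "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",  # XP host lying about itself
}

# The string appears only in the body, not the header: --context header ignores it.
BODY_ONLY_REQUEST = (
    b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/7.47.0\r\n"
    b"Content-Length: 14\r\n\r\nWindows NT 5.1"
)

# A server response mentioning the string: not --flow from_client, so never inspected.
SERVER_RESPONSE = b"HTTP/1.1 200 OK\r\nServer: Windows NT 5.2 test\r\n\r\n"


def classify_samples() -> Dict[str, bool]:
    """Map each sample name to whether the signature drops that session."""
    return {name: signature_matches(build_request(ua)) for name, ua in SAMPLES.items()}


if __name__ == "__main__":
    verdict = lambda dropped: "drop_session" if dropped else "pass"
    for name, dropped in classify_samples().items():
        print(f"{name:18s} -> {verdict(dropped)}")
    print(f"{'body_only_request':18s} -> {verdict(signature_matches(BODY_ONLY_REQUEST))}")
    print(f"{'server_response':18s} -> {verdict(signature_matches(SERVER_RESPONSE))}")
```

Two things the results make visible that the recipe's prose does not. First, the match is on the Windows NT 5. string alone, so Windows 2000 (NT 5.0) and Windows XP x64 / Server 2003 (NT 5.2) are caught along with Windows XP (NT 5.1), while a client that omits or forges its User-Agent (xp_spoofed_ua) passes: this is an inventory-and-nudge control that helps you find the machines in FortiView, not a boundary that keeps a determined user off the web. Second, only client-to-server HTTP headers are inspected, so HTTPS requests (whose headers are encrypted unless SSL inspection is applied) and non-HTTP protocols from the same hosts are unaffected.
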
Notes

This recipe only blocks web traffic from computers running the affected operating systems. If you want to keep these computers off the network entirely, further action is necessary; however, the logs generated by this recipe can be used to identify the computers you wish to block.

Because Application Control uses flow-based inspection, if you also apply a proxy-based security profile to the same traffic, the connection will simply time out rather than display the replacement message. Application Control will still function and the traffic is still blocked.

For further reading, check out Custom Application & IPS Signatures in the FortiOS 5.2 Handbook.

Victoria Martin
Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.

  • Ravi Seevarajanovich Chinasamy

    Can you please confirm if we can use this same signature for monitoring the traffic from all Windows XP or Server 2003 via FortiGate?

  • Petr

    Thank you very much, it works.