Blocking Windows XP traffic


In this example, you will use application control to block web traffic from PCs running Windows operating systems based on Windows NT 5, including Windows XP and Windows Server 2003 (this also covers Windows virtual machines running those versions).

When a computer’s operating system lacks vendor support, it becomes a threat to the network because newly discovered exploits will not be patched. Using the FortiGate application control feature, you can restrict these computers from accessing external resources.


1. Enabling Application Control

Go to System > Config > Features. Enable Application Control and Apply your changes.

2. Creating a custom application control signature

Go to Security Profiles >  Application Control and select View Application Signatures.

Create a new signature with this syntax. (You can copy and paste this text into the Signature field.)

F-SBID( --attack_id 8151; --vuln_id 8151; --name "Windows.NT.5.Web.Surfing"; --default_action drop_session; --service HTTP; --protocol tcp; --app_cat 25; --flow from_client; --pattern !"FCT"; --pattern "Windows NT 5."; --no_case; --context header; )

The signature will appear at the top of the application list and be listed in the Web.Others category.
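To make the signature's matching rules concrete, here is an added Python emulation of its two pattern tests run over constructed HTTP requests (this is not Fortinet code and not part of the original recipe). It assumes that --no_case qualifies only the --pattern that precedes it, and that the negated FCT pattern exists to exempt a client whose headers carry that string; the FortiClient-style User-Agent below is made up.

```python
# Constructed sample client requests (not from the original recipe) that
# exercise the custom signature; the FCT User-Agent is invented for the test.
XP_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 Firefox/52.0\r\n"
    b"\r\n"
)
WIN7_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36\r\n"
    b"\r\n"
)
FORTICLIENT_REQUEST = (
    b"GET /update HTTP/1.1\r\n"
    b"User-Agent: FCT/5.0 (Windows NT 5.1)\r\n"
    b"\r\n"
)
# Header says NT 6.1; "Windows NT 5.1" appears only in the body, which --context header ignores.
BODY_ONLY_REQUEST = (
    b"POST /report HTTP/1.1\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
    b"Content-Length: 24\r\n"
    b"\r\n"
    b"client=Windows NT 5.1 pc"
)

def header_block(raw_request: bytes) -> bytes:
    """--context header: examine only the request line and headers, not the body."""
    end = raw_request.find(b"\r\n\r\n")
    return raw_request if end == -1 else raw_request[:end]

def matches_nt5_signature(raw_request: bytes) -> bool:
    """Emulate the two --pattern tests of the Windows.NT.5.Web.Surfing signature."""
    header = header_block(raw_request)
    # --pattern !"FCT": the negated pattern must be absent. Matched case-sensitively,
    # on the assumption that --no_case qualifies only the pattern that follows it here.
    if b"FCT" in header:
        return False
    # --pattern "Windows NT 5."; --no_case: case-insensitive substring match.
    # The trailing "5." covers NT 5.0, 5.1 and 5.2 but not NT 6.x or NT 10.0.
    return b"windows nt 5." in header.lower()

def signature_action(raw_request: bytes) -> str:
    """Return the signature's --default_action on a match, 'pass' otherwise."""
    return "drop_session" if matches_nt5_signature(raw_request) else "pass"
```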


3. Adding the signature to the default Application Control profile


Go to Security Profiles > Application Control and edit the default policy.

Under Application Overrides, select Add Signature.


The new signature should appear at the top of the list. If it does not, search for the signature’s name (in the example, Block-Windows-NT5).

Select the signature, then select Use Selected Signatures.


4. Adding the default profile to a security policy


Go to Policy & Objects > Policy > IPv4 and edit the policy that allows connections from the internal network to the Internet.

Under Security Profiles, turn on Application Control and use the default profile.


5. Results

When a PC running one of the affected operating systems attempts to connect to the Internet using a browser, a blocked message appears.
PCs running other operating systems, including later versions of Windows, are not affected.

Go to System > FortiView > All Sessions and select the 5 minutes view.

Filter the results to show sessions that were blocked.

You will see that the Application Control signature, shown in the Application Name column, was used to block traffic from PCs running older Windows versions (in the example, the device Joscelin).


For further reading, check out Custom Application & IPS Signatures in the FortiOS 5.2 Handbook.
Victoria Martin

Technical Writer at Fortinet

This recipe will only block web traffic from computers running the affected operating systems. If you wish to block these computers from being on the network entirely, further action will be necessary. However, the logs generated by this recipe can be used to identify the computers you wish to block.
Because Application Control uses flow-based inspection, if you apply an additional security profile to your traffic that is proxy-based, the connection will simply time out rather than display the replacement message. However, Application Control will still function.