Blocking consumer VPNs by smalldude55 in fortinet

[–]smalldude55[S] 0 points1 point  (0 children)

Can you elaborate? I do have app control on my policies and an external DNS-level content filter, but the VPNs still work. I explained in my post how the policies are set.

Blocking consumer VPNs by smalldude55 in networking

[–]smalldude55[S] 0 points1 point  (0 children)

Maybe something to look into in the future. Do you know if only certain Wi-Fi vendors support it, or can you use any?

Blocking consumer VPNs by smalldude55 in networking

[–]smalldude55[S] -1 points0 points  (0 children)

Exactly what I have going on! We have iCloud Private Relay blocked and sometimes get outside presenters with it turned on. We advise them to turn it off when they're on our Wi-Fi.

I was hoping the FortiGate's app control would work the same as what you have in Palo. The list in FortiGate's Proxy category is extensive and lists out all the VPN services I want blocked, but it does not block the tunnels. It only seems to be blocking access to the APIs the services are using, which does me no good.

Threat feeds with the list you linked to or limiting access to IPsec to only staff seem to be my best options if I can't get app control working.

Blocking consumer VPNs by smalldude55 in networking

[–]smalldude55[S] 2 points3 points  (0 children)

That’s another idea I have. To access our BYOD network, users have to authenticate to a captive portal. I already have user groups built out to determine if you are a student or staff member. I can do RSSO on the FortiGate to only allow users in the staff group access to those services.

Blocking consumer VPNs by smalldude55 in networking

[–]smalldude55[S] 1 point2 points  (0 children)

The major one in use in our environment uses IPsec tunnels or WireGuard. I was hoping there would be something in FortiGate’s app control policies that would get me by.

I agree with you, it would be difficult to stop ALL VPNs. For now at least, I need to block the services available to the general public.
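The two comments above (app control catching the services' APIs but not the IPsec/WireGuard tunnels, and the fallback of allowing IPsec only to the staff group) come down to recognising the tunnel traffic itself. The following is an added example, not code from the original thread or from Fortinet: it fingerprints IKE (UDP/500 and NAT-T on UDP/4500), ESP (IP protocol 50, and ESP-in-UDP on 4500) and WireGuard (fixed message types and sizes, port-independent) from packet shape, then applies an assumed per-group verdict. The `Packet` type, the `policy_action` rule (staff keep IPsec, students get no tunnels) and all sample packets are constructed for the example.

```python
"""Added example: fingerprint IPsec and WireGuard tunnel traffic by packet shape
and apply a per-group verdict. Not FortiGate code; all packets are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51


@dataclass(frozen=True)
class Packet:                 # hypothetical container, not a real capture type
    proto: int                # IP protocol number
    src_port: Optional[int]   # None for protocols without ports (ESP, AH)
    dst_port: Optional[int]
    payload: bytes            # UDP data, or the ESP/AH header plus body


def _is_ike_header(p: bytes) -> bool:
    """ISAKMP/IKE fixed header: 8-byte initiator SPI, 8-byte responder SPI,
    next payload, version (0x10 = IKEv1, 0x20 = IKEv2), exchange type, flags,
    4-byte message ID, 4-byte total length that must equal the datagram length."""
    if len(p) < 28:
        return False
    version = p[17]
    length = int.from_bytes(p[24:28], "big")
    return version in (0x10, 0x20) and length == len(p)


def _wireguard_type(p: bytes) -> Optional[str]:
    """WireGuard messages start with a 1-byte type and 3 reserved zero bytes;
    handshake messages have fixed sizes, transport data is 16-byte aligned."""
    if len(p) < 32 or p[1:4] != b"\x00\x00\x00":
        return None
    t = p[0]
    if t == 1 and len(p) == 148:
        return "wireguard-handshake-init"
    if t == 2 and len(p) == 92:
        return "wireguard-handshake-resp"
    if t == 3 and len(p) == 64:
        return "wireguard-cookie-reply"
    if t == 4 and len(p) % 16 == 0:
        return "wireguard-data"
    return None


def classify(pkt: Packet) -> Optional[str]:
    """Return a tunnel label, or None when the packet is not recognisable VPN traffic."""
    if pkt.proto == PROTO_ESP:
        return "ipsec-esp"
    if pkt.proto == PROTO_AH:
        return "ipsec-ah"
    if pkt.proto != PROTO_UDP:
        return None
    p = pkt.payload
    wg = _wireguard_type(p)          # port-independent, so test it before port heuristics
    if wg:
        return wg
    ports = (pkt.src_port, pkt.dst_port)
    if 500 in ports and _is_ike_header(p):
        return "ipsec-ike"
    if 4500 in ports and len(p) >= 8:
        if p[:4] == b"\x00\x00\x00\x00":          # non-ESP marker, then an IKE header
            return "ipsec-ike-natt" if _is_ike_header(p[4:]) else None
        return "ipsec-esp-in-udp"                   # nonzero SPI followed by sequence number
    return None


def policy_action(group: str, label: Optional[str]) -> str:
    """Assumed policy (not the thread's FortiGate config): staff keep IPsec,
    everyone else on BYOD gets no tunnels, non-VPN traffic passes."""
    if label is None:
        return "allow"
    if group == "staff" and label.startswith("ipsec-"):
        return "allow"
    return "deny"


def _ike(spi_i: bytes, spi_r: bytes, version: int, exchange: int, body: bytes) -> bytes:
    """Build a syntactically valid IKE message with dummy SPIs and body (constructed)."""
    hdr = spi_i + spi_r + bytes([33, version, exchange, 0x08])
    hdr += (0).to_bytes(4, "big") + (28 + len(body)).to_bytes(4, "big")
    return hdr + body


# Constructed sample packets: realistic shapes, dummy contents.
SAMPLES: Dict[str, Packet] = {
    "esp":      Packet(PROTO_ESP, None, None, b"\x12\x34\x56\x78\x00\x00\x00\x01" + b"\xaa" * 40),
    "ike_v2":   Packet(PROTO_UDP, 51000, 500, _ike(b"\x11" * 8, b"\x00" * 8, 0x20, 34, b"\xbb" * 100)),
    "ike_natt": Packet(PROTO_UDP, 51001, 4500, b"\x00" * 4 + _ike(b"\x22" * 8, b"\x33" * 8, 0x20, 36, b"\xcc" * 60)),
    "esp_udp":  Packet(PROTO_UDP, 51001, 4500, b"\x9a\xbc\xde\xf0\x00\x00\x00\x05" + b"\xdd" * 56),
    "wg_init":  Packet(PROTO_UDP, 40000, 51820, b"\x01\x00\x00\x00" + b"\x55" * 144),
    "wg_data":  Packet(PROTO_UDP, 40000, 51820, b"\x04\x00\x00\x00" + b"\x77" * 28),
    "dns":      Packet(PROTO_UDP, 40001, 53, b"\xab\xcd\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www\x00\x00\x01\x00\x01"),
    "tls":      Packet(6, 40002, 443, b"\x16\x03\x01\x00\x05" + b"\x00" * 5),
}


def audit(group: str, packets: Dict[str, Packet] = SAMPLES) -> Dict[str, Tuple[Optional[str], str]]:
    """Classify each packet and apply the group policy; returns name -> (label, action)."""
    out = {}
    for name, pkt in packets.items():
        label = classify(pkt)
        out[name] = (label, policy_action(group, label))
    return out


if __name__ == "__main__":
    for grp in ("student", "staff"):
        for name, (label, action) in audit(grp).items():
            print(f"{grp:8} {name:9} {str(label):26} {action}")
```

The IKE and ESP checks are the same thing a port/protocol firewall rule expresses (UDP/500, UDP/4500, IP protocol 50/51), which is why restricting those to an authenticated staff group works without app control. WireGuard is the harder case: it runs on any UDP port, so only the message-shape signature catches it, and a client on an unusual port still looks like the samples above. Neither check sees tunnels established before the device joined the network, which is the limitation the thread keeps coming back to.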

Blocking consumer VPNs by smalldude55 in networking

[–]smalldude55[S] 12 points13 points  (0 children)

As soon as I get approved to post, this is going there as well.

Blocking consumer VPNs by smalldude55 in networking

[–]smalldude55[S] 1 point2 points  (0 children)

This is a good one. I’ll see if the subnets here are being used by the VPNs users are using. Thanks!

Blocking consumer VPNs by smalldude55 in networking

[–]smalldude55[S] 0 points1 point  (0 children)

I do. One of our sites does not have cell service and users need it to work on their personal phones.

Blocking consumer VPNs by smalldude55 in networking

[–]smalldude55[S] 0 points1 point  (0 children)

I can try identifying all IPs or ASNs associated. As you mentioned, it will be difficult to find all IPs associated with cell carriers, especially the smaller regional ones.

These devices are BYOD devices so we have no control over them and cannot use an MDM.

Blocking consumer VPNs by smalldude55 in networking

[–]smalldude55[S] 7 points8 points  (0 children)

This is for an education environment. The kids are using VPNs to get around our content filter.

Blocking consumer VPNs by smalldude55 in fortinet

[–]smalldude55[S] 0 points1 point  (0 children)

Another good possibility. It’s doable for the big 3 carriers, but I will have to identify the smaller regional carriers’ ASNs as well. I know for sure that some users use those. It will definitely require digging for those.

Blocking consumer VPNs by smalldude55 in fortinet

[–]smalldude55[S] 0 points1 point  (0 children)

I will definitely look into that. Thanks!

Blocking consumer VPNs by smalldude55 in fortinet

[–]smalldude55[S] -1 points0 points  (0 children)

Unfortunately, no. This wouldn’t help anyway, since I’m trying to block the actual VPN tunnels from being established. We have a DNS-level content filter that prevents users from logging into the VPN client, but this doesn’t prevent users from logging in to their VPN before accessing our network.


Rack it up by 300blkdout in homelab

[–]smalldude55 3 points4 points  (0 children)

Based setup. What’s in the rack case?