This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How To Block Psiphon/Ultrasurf

Simon_Salama over 4 years ago

This issue start from 2 weeks ago , without change any configuration ,

and i tried to change IPS search method from 80 to 300 fail to block sophos,

tried to deny all applications except (whatsapp - Facebook - google - gmail ) again failed

tried to block all ports except (dns - http - https - smtp - imap - pop3 - ntp) failed

Please Help

This thread was automatically locked due to age.

Top Replies

rfcat_vk over 4 years ago in reply to Simon_Salama +1

Did you search the KBAs for advice on how tp block it? Please post a copy of your application policy. It can be stopped but requires quite tight firewall settings. Ian

Parents

0 rfcat_vk over 4 years ago

Hi,

there is a kba on how to block those and other similar products. The search function on this device is not very good so I can’t post a link.

ian
Cancel
Vote Up 0 Vote Down

Cancel
0 Simon_Salama over 4 years ago in reply to rfcat_vk

its really i Have XG 125 and ips search not good because proxy programs can work with 443 ports easily . That's Big Problem
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 4 years ago in reply to Simon_Salama

Hi,

you need to limit what ports are used, install ca on each device, enable web and application functions as well as ips.

Yoi will need to build your own policies for application and web to stop blocking your approved.

That is a start. Try those settings and see how far your get?

ian
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 rfcat_vk over 4 years ago in reply to Simon_Salama

Hi,

you need to limit what ports are used, install ca on each device, enable web and application functions as well as ips.

Yoi will need to build your own policies for application and web to stop blocking your approved.

That is a start. Try those settings and see how far your get?

ian
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Simon_Salama over 4 years ago in reply to rfcat_vk

I have already made these settings, and make denied rule for lan->Wan all ports except ( dns - http - https - smtp - imap - pop3 - ntp )
and nothing new 

app filter logs show thats denied psiphon, but its working fine at the client

0 rfcat_vk over 4 years ago in reply to Simon_Salama

Please post a log entry showing the application access. Further, have you enabled decrypt and scan as well as scan http, FTP ?

ian
Cancel
Vote Up 0 Vote Down

Cancel
0 Simon_Salama over 4 years ago in reply to rfcat_vk

messageid="17051" log_type="Content Filtering" log_component="Application" log_subtype="Denied" fw_rule_id="6" user="---------------" user_group="----------" appfilter_policy_id="8" category="Proxy and Tunnel" app_name="Psiphon Proxy" app_risk="5" app_technology="Client Server" app_category="Proxy and Tunnel" src_ip="------------" src_country="R1" dst_ip="104.18.151.190" dst_country="USA" protocol="0" src_port="30476" dst_port="443" bytes_sent="0" bytes_received="0" status="" message="" appresolvedby="Proxy"
Cancel
Vote Up 0 Vote Down

Cancel
0 Simon_Salama over 4 years ago in reply to rfcat_vk

YES Enabled for all rules
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 4 years ago in reply to Simon_Salama

You logviewer entry shows it is blocked. So, if you use logviewer and refine search on the source PC IP which rules do you find passing the traffic?

The tunnels can be blocked successfully, my current setup blocks tunnels etc.

Ian
Cancel
Vote Up 0 Vote Down

Cancel
0 Simon_Salama over 4 years ago in reply to rfcat_vk

its only show blocked,,,, but psiphon works.

psiphos uses unlogic category such as ( Financial services - General Business - Information Technology )

i trace the one of hundreds destination IPs is Translated to https://www.tradesuppliesfreedommedi.com/ its Financial Services category

i'm really Sad for this problem
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 4 years ago in reply to Simon_Salama

Did you search the KBAs for advice on how tp block it?

Please post a copy of your application policy.

It can be stopped but requires quite tight firewall settings.

Ian
Cancel
Vote Up +1 Vote Down

Cancel