Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
Overview
This Recommended Read describes the recommended Application filter settings, for both the CLI and the GUI, to block critical/evasive applications such as Psiphon, Tor Proxy (Tor Browser), Torrent, Ultrasurf, HotSpot Shield, etc.
CLI settings
IPS-Settings
- Max Packet value must be at least 80
- Max Session byte values must be 0
- Packet Streaming must be ON
To verify the current configuration, log in to the Sophos Firewall console, select 4. Device Console and run:
show ips-settings
To apply the recommended settings, run the following commands:
set ips maxpkts 80
set ips maxsesbytes-settings update 0
set ips packet-streaming ON
Advanced-Firewall Settings
- Midstream Connection Pickup must be OFF
Verify and set this with the following commands:
show advanced-firewall
set advanced-firewall midstream-connection-pickup off
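The CLI checks above are easy to get wrong when reviewing many firewalls by hand. The following script is an added example, not Sophos code: it takes the captured text of show ips-settings and show advanced-firewall, compares each setting with the values recommended above and prints the console commands from this article for anything that deviates. The "Label: value" line format and the label wording in LABELS are assumptions about the console output; adjust them to match your firmware if they differ. The sample capture is constructed.

```python
"""Check captured SFOS console output against the CLI settings recommended above.

Added example, not Sophos code. It assumes the text of `show ips-settings`
and `show advanced-firewall` has been captured (copy/paste or a console
logger) and that each setting is printed as one "Label: value" line; the
label patterns in LABELS are assumptions and may need adjusting to match
the exact wording of your firmware's output.
"""
import re

# Recommended values from the article: (comparison, target).
RECOMMENDED = {
    "maxpkts": ("min", 80),             # Max Packet value must be at least 80
    "maxsesbytes": ("eq", 0),           # Max Session bytes must be 0
    "packet_streaming": ("eq", "on"),   # Packet Streaming must be ON
    "midstream_pickup": ("eq", "off"),  # Midstream Connection Pickup must be OFF
}

# Remediation commands from the article, keyed by setting.
FIX_COMMANDS = {
    "maxpkts": "set ips maxpkts 80",
    "maxsesbytes": "set ips maxsesbytes-settings update 0",
    "packet_streaming": "set ips packet-streaming ON",
    "midstream_pickup": "set advanced-firewall midstream-connection-pickup off",
}

# Assumed label patterns, matched case-insensitively against the text before ':'.
LABELS = {
    r"max\s*packets?": "maxpkts",
    r"max\s*session\s*bytes?": "maxsesbytes",
    r"packet\s*streaming": "packet_streaming",
    r"midstream\s*connection\s*pickup": "midstream_pickup",
}


def parse_settings(text):
    """Return {setting: value} for every recognised 'Label: value' line."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:=]+?)\s*[:=]\s*(\S+)", line)
        if not m:
            continue
        label, value = m.group(1), m.group(2).lower()
        for pattern, key in LABELS.items():
            if re.fullmatch(pattern, label, re.IGNORECASE):
                found[key] = value
    return found


def check_settings(found):
    """Return [(setting, message)] for every deviation from RECOMMENDED.

    A setting missing from the capture is reported, not silently ignored,
    because an unverified setting is not a compliant one.
    """
    problems = []
    for key, (op, want) in RECOMMENDED.items():
        have = found.get(key)
        if have is None:
            problems.append((key, "not present in captured output"))
            continue
        if isinstance(want, int):
            try:
                ok = int(have) >= want if op == "min" else int(have) == want
            except ValueError:
                ok = False
        else:
            ok = have == want
        if not ok:
            rel = ">=" if op == "min" else "="
            problems.append((key, f"have {have}, want {rel} {want}"))
    return problems


def remediation(problems):
    """Console commands from the article to apply for the failed settings."""
    return [FIX_COMMANDS[key] for key, _ in problems]


# Constructed sample capture, not real SFOS output.
SAMPLE_OUTPUT = """\
show ips-settings
Max Packets: 8
Max Session Bytes: 0
Packet Streaming: OFF
show advanced-firewall
Midstream Connection Pickup: ON
"""

if __name__ == "__main__":
    findings = check_settings(parse_settings(SAMPLE_OUTPUT))
    for key, msg in findings:
        print(f"{key}: {msg}")
    for cmd in remediation(findings):
        print(cmd)
```

Run it against a real capture after applying the commands; an empty list from check_settings is the expected result.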
GUI settings
Application filter policy settings
Along with the "P2P" and "Proxy and Tunnel" categories, the applications listed below must be denied in the application filter policy concerned.
- DNS Multiple QNAME
- OpenVPN
- QUIC
- Non-SSL/TLS traffic on port 443
Firewall rule settings
The same application filter policy (as configured above) must also be applied to the "DNS Firewall rule", if there is one.
For Psiphon Proxy
1. SSL/TLS inspection must be enabled under SSL/TLS inspection settings, and one decryption rule must be created that matches the firewall rules.
a. Action must be "Decrypt".
b. Profile must be set to "Maximum Compatibility".
2. In the firewall rule, the legacy proxy must be disabled (Web Policy = None).
3. Block invalid certificates (PROTECT > Web > General Settings > HTTPS decryption and scanning) must be enabled in SFOS.
4. Allow only the HTTPS, HTTP, DNS, ICMP and SMTP services on LAN/WAN. If Psiphon still connects after following all steps, it is very likely that traffic on other ports is passing through other firewall rules (ports 1025 to 65535 can be allowed separately if they are needed).
a. For example, the primary rule should allow only a limited set of services.
b. The rule directly below the primary rule should deny traffic on port range 1 to 1024 (the well-known ports) for the same source machines.
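Step 4 depends on SFOS evaluating firewall rules top-down and applying the first match, which is why a broad rule further down the list can still carry Psiphon traffic. The following is an added example, not SFOS code: a minimal first-match model of the rule ordering recommended above, with a constructed broad "allow" rule placed below it to show which connections it still catches. The source label, rule names and services are constructed for illustration and do not correspond to objects on a real firewall.

```python
"""First-match walk-through of the firewall rule ordering recommended for Psiphon.

Added example, not SFOS code. It models only top-down, first-match
evaluation of source + service rules; the source label "lan-users", the
rule names and the broad trailing rule are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    sources: frozenset   # source hosts/zones, as labels
    services: tuple      # (proto, low_port, high_port) triples, inclusive
    action: str          # "allow" or "deny"

    def matches(self, src, proto, port):
        if src not in self.sources:
            return False
        return any(p == proto and lo <= port <= hi for p, lo, hi in self.services)


def first_match(rules, src, proto, port):
    """Return (rule name, action) of the first rule that matches.

    Traffic that matches no rule falls to the implicit drop.
    """
    for rule in rules:
        if rule.matches(src, proto, port):
            return rule.name, rule.action
    return "no-match", "drop"


LAN = frozenset({"lan-users"})  # constructed source label

# Step 4a: the primary rule allows only the services named in the article.
PRIMARY = Rule("primary-allow", LAN, (
    ("tcp", 443, 443),   # HTTPS
    ("tcp", 80, 80),     # HTTP
    ("udp", 53, 53),     # DNS
    ("tcp", 53, 53),     # DNS over TCP
    ("icmp", 0, 0),      # ICMP (port field unused)
    ("tcp", 25, 25),     # SMTP
), "allow")

# Step 4b: directly below it, deny 1-1024 for the same sources.
DENY_LOW = Rule("deny-1-1024", LAN, (("tcp", 1, 1024), ("udp", 1, 1024)), "deny")

# Constructed: a broad rule further down the list, the kind the article warns
# can let Psiphon through even when the steps above were followed.
BROAD = Rule("broad-allow", LAN, (("tcp", 1, 65535), ("udp", 1, 65535)), "allow")


def ruleset(deny_present=True, broad_present=True):
    """Build the ordered rule list with or without the deny and broad rules."""
    rules = [PRIMARY]
    if deny_present:
        rules.append(DENY_LOW)
    if broad_present:
        rules.append(BROAD)
    return rules


def audit(rules, src, probes):
    """Map each (proto, port) probe to the rule that decides it."""
    return {probe: first_match(rules, src, *probe) for probe in probes}


if __name__ == "__main__":
    probes = [("tcp", 443), ("tcp", 22), ("tcp", 8443), ("udp", 1194)]
    for probe, verdict in audit(ruleset(), "lan-users", probes).items():
        print(probe, "->", verdict)
```

With the deny rule in place, a low-port connection such as tcp/22 is stopped before it reaches the broad rule, but tcp/8443 still falls through to it: that is the high-port leak the article describes, and the fix is to remove or narrow that later rule rather than to add more denies.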
Betternet VPN
To block Betternet VPN, invalid certificates (which such proxy applications commonly use) must be blocked; note that this also blocks legitimate sites that present self-signed or expired certificates. Perform the following steps:
- Apply the CLI and GUI settings mentioned above.
- In the SFOS UI, go to Rules and Policies > SSL/TLS Inspection Rules and create a rule with Action "Don't Decrypt" and Profile "Block Insecure SSL".
- Disable the default rule "Exclusions by website".
Hot Spot Shield Proxy
- Enable HTTPS scanning.
- Configure all CLI and GUI settings.
- Enable option in Web > General Settings > Block unrecognized SSL protocols.
- Enable option in Web > General Settings > Block invalid certificates.
Updated Disclaimer
[edited by: Erick Jan at 9:10 AM (GMT -7) on 17 Apr 2023]