topic Re: Block PSIPHON 3 in General Topics

Block PSIPHON 3

VinceM — Mon, 21 Sep 2015 15:11:05 GMT

Hi all,

Does anybody already try with success to block Psiphon (https://www.psiphon3.com) ?

It's quite easy when psiphon is configured in VPN mode but how can I do that when VPN is not used ?

Thanks in advance for sharing.

Re: Block PSIPHON 3

OtakarKlier — Mon, 21 Sep 2015 17:19:38 GMT

Hello,

If you use some kind of web filtering, this should be able to block it on your network. I just checked the PAN-DB-URL and that url is:

URL

psiphon3.com

Re: Block PSIPHON 3

VinceM — Tue, 22 Sep 2015 16:04:11 GMT

Hi,

URL filtering can't be used because after "installing" the psiphon client, you need to initiate connexion.

These connexions are based on SSL then no URL filtering ... 😞

Re: Block PSIPHON 3

OtakarKlier — Tue, 22 Sep 2015 16:15:25 GMT

Hello,

I do not know how the client works so I cannot see the traffic for myself. However you should still be able to see the URL's eventhough the traffic is SSL. Perhaps a submission for application detection is in order?

Custom signatures:

https://live.paloaltonetworks.com/t5/Documentation-Articles/Custom-Application-Signatures/ta-p/58625

Submit an application:

http://researchcenter.paloaltonetworks.com/submit-an-application/

Hope this helps...

Re: Block PSIPHON 3

OtakarKlier — Tue, 22 Sep 2015 18:11:46 GMT

Just in case you do use URL filtering:

URL: www.psiphon3.com
Previous category: computer-and-internet-info
You suggested: proxy-avoidance-and-anonymizers
New category: proxy-avoidance-and-anonymizers
The new categorization is available starting with URL DB version: 2015.09.22.220

Regards,

Re: Block PSIPHON 3

VinceM — Wed, 23 Sep 2015 13:19:01 GMT

HI,

Thx for your help.

But it seem it's not enaugh for blocking psiphon 😞

I ask for new app.

Re: Block PSIPHON 3

VinceM — Thu, 08 Oct 2015 07:39:55 GMT

Hi all,

After opening a case, the answer is: Decryption enabled (blocking unsupported cypher-suite) + denying 'psiphon' application in security policy should be enough.

Need to be tested.

Re: Block PSIPHON 3

Kali — Thu, 08 Oct 2015 14:45:34 GMT

Hi, can you elaborate more of your settings?

Decrypting all or just specific sites/url categories?

Re: Block PSIPHON 3

mvidic — Tue, 08 Dec 2015 08:36:57 GMT

Hi everyone.

In my experience SSL decryption and blocking the application Psiphon was not enough, it was only the first step. Psihon was stll able to connect. I discovered that Psiphon creates a Proxy service on localhost and changes proxy settings in browser to redirect browser traffic over Psiphon application. Psiphon application then forwards the traffic to the internet by its own sneaky methods:) I did Wireshark analysis and discovered that after SSL connection was blocked by PAN, Psiphon created a gzip encoded streaming tunel over tcp port 80 and PAN recognised it as "web-browsing" which was allowed. I tried to create a custom application but without success.

We successfully blocked the Psiphon by implementing SSL Decryption, blocking Psiphon application in the security policy and also by preventing users from changing their proxy settings using domain group policy.

Creating custom application signature for port 80 traffic and blocking it in the security policy on PAN would be more elegant but my signature caused too many false positives and it was easier to create a group policy.

LPM

Re: Block PSIPHON 3

seleftherakis — Thu, 10 Dec 2015 09:09:24 GMT

Hello,
from my testing, blocking just Psiphon while using decryption was not enough. If you leave the client to try and connect long enough, it will still connect.
The best results I've got was by blocking the following:
http-proxy
ike
ipsec (not ipsec-udp)
l2tp
psiphon
ssh
ssh-tunnel
unknown-tcp

with application-default

Regards,
Stavros

Re: Block PSIPHON 3

kiwi — Thu, 10 Dec 2015 10:54:06 GMT

There's actually an article about how to block psiphon :

How to Block the Psiphon application

If you feel it is incorrect please leave a comment there for review.

Hope this helps.

-Kim.

Re: Block PSIPHON 3

vertwheal — Wed, 20 Jan 2016 15:11:35 GMT

Was it ever stated which category you need to decrypt? I dont want to decrypt anything except for what it takes to stop Psiphon.

Re: Block PSIPHON 3

Matias_Cova — Tue, 28 Mar 2017 17:53:17 GMT

I could block the Psiphon, with a security policy denying in application "psiphon/unknown-tcp/ssh" and SSL decrypt and to avoid the AutoProxy I made this

Click Run, and type regedit to open the Registry Editor. Find and open HKEY_CURRENT_USER\Software\Psiphon3, and on the right side you will see SkipProxySettings. Set this value to 1 and Psiphon will not automatically configure the system proxy settings.

Re: Block PSIPHON 3

emre.ozel — Tue, 05 Oct 2021 12:31:44 GMT

Hi,

additionally the unknown-udp application needs to be updated.

Re: Block PSIPHON 3

DanielS.Romero — Thu, 13 Nov 2025 21:14:18 GMT

Hello, Live community!

I'm having the same problem with the Psiphon application. I've blocked it with the following configuration on my NGFW running PAN-OS version 11.1.10-h1 and Content-ID Apps & Threats 9039-9750 and Antivirus 5370-5896 on a test machine (within the domain, with all root CA certificates for decryption😞

1- I created an application filter to group applications labeled like "Proxy Avoidance", as shown below:

APPLICATION FILTER Proxy-Apps

2- Create a denied security policy rule that associates the following applications and the application filter Proxy-Apps applications only to public IP addresses (not RFC-1918) and through any TCP/UDP port as follows:

SECURITY POLICY RULE

3. Create a decryption profile with the following checks enabled for both TLS and SSH traffic:

DECRYPTION PROFILE SSL DECRYPTION > SSL FORWARD PROXY TAB

DECRYPTION PROFILE SSL DECRYPTION > SSL PROTOCOL SETTINGS TAB (TLSv MIN 1.1)

DECRYPTION PROFILE SSH PROXY TAB

4- Create a decryption rule for both TLS traffic (SSL Forward Proxy) and SSH traffic (SSH Proxy) to public IP addresses (non-RFC-1918) through any TCP/UDP port as follows:

DECRYPTION RULES TLS AND SSH TRAFFIC

5- Finally the Test User tried to connect the Psiphon Proxy App, however they keep stuck in Connecting state as shown below:

TEST USER STUCK PSIPHON APP

After this, Psiphon's connection to users on the internal network was blocked. However, when associating S2S or Remote Access VPN protocols such as IKE and IPSec, some users connected to an internal or external gateways may be unable to use these protocols for their connection and be forced to use SSL. In some cases, this can cause latency issues when consuming video and streaming traffic. To address this, a higher-level security rule must be created associating the IKE, IPSec, SSL and panos-global-protect applications to allow such connections only when they reach authorized public or private IP addresses.

Another good question that might arise is: what about users of guest Wi-Fi networks? How do we control their connection to Psiphon or Proxy apps without having the ability to install decrypt certificates or modify registry editor values?

Some alternatives include (always with caution and after testing them in a non-productive environment or time😞

- Using App-ID to prevent connections to the following applications: psiphon, l2tp, ike, ipsec-base, ssh-tunnel, openvpn, tor, dtls, tcp-over-dns, dns-over-https, dns-over-tls, dnscrypt, http-proxy, socks.

- Use URL filtering profiles limiting access to websites categorized as Proxy-Avoidance-and-Anonymizers, Dynamic-DNS, Hacking, etc.

- Block the Quic protocol over any port so that clients cannot use it and instead try to use TLS, allowing the firewall to identify websites using the SNI and CN of the certificates in the Server Hellos packages (SSL decryption is not required).

- Allow traffic to legitimate services through their standard ports, such as SSL/TCP-443 and DNS/UDP|TCP-53, to known destinations, along with DNS security profiles blocking bad categories like Proxy-Avoidance-and-Anonymizers and Newly Registered Domains, and deny everything else.

- Apply Antispyware and Vulnerability Protection profiles to the guest rule. Palo Alto Networks constantly updates its signatures to detect anomalous behavior or negotiation sequences characteristic of Psiphon or obfuscated SSH tunnels, even if the payload is encrypted, Keep your NGFWs updated with the latest Antivirus and APP-ID "Content-ID" signatures.

- Limit bandwidth for guest networks with QoS rules due tunneling applications often manifest as a single, long-running session with very high sustained data usage. If you can't block the application, you can at least mitigate its impact by making the experience very slow and unusable for the user and your firewall will thank you for it..

If you know of other ways to improve your security posture, please let us know in the comments. 👀

Thank you for your time, and I hope this information is helpful. I would appreciate it if you could support me with a like or accept this answer as a solution; that will help me a lot to become a CyberElite! 😁Best Regards,

Daniel Romero
Senior Network/Security Engineer
PANW Partner