https://live.paloaltonetworks.com/t5/general-topics/vypr-vpn/m-p/73947#M41574 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27949">@inzamam.shahid</a>&nbsp;Ask and you shall receive. &nbsp;It appears "vyprvpn" is now a recognized application per content update 564.</P> Tue, 01 Mar 2016 23:45:55 GMT Brandon_Wertz 2016-03-01T23:45:55Z https://live.paloaltonetworks.com/t5/general-topics/vypr-vpn/m-p/71439#M40791 <P>Hi,&nbsp;</P> <P>&nbsp;</P> <P>Has anyone used VYPR VPN. We are seeing users use this quiet a lot and they are bypassing the firewall to get onto whatever they want.&nbsp;</P> <P>&nbsp;</P> <P>We have submitted to PAN to create an application for this as one does not currently exist, but we need to block this in the mean time. I know we can create a custom application for this, but I am not experienced enough to put in the details for this so it only affects that application.&nbsp;</P> <P>&nbsp;</P> <P>Is creating a custom application the best way to block this or would anyone recommend another way ?</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 22 Jan 2016 11:17:36 GMT https://live.paloaltonetworks.com/t5/general-topics/vypr-vpn/m-p/71439#M40791 inzamam.shahid 2016-01-22T11:17:36Z https://live.paloaltonetworks.com/t5/general-topics/vypr-vpn/m-p/71465#M40805 <P>While some of their VPN protocols are standards-based with corresponding AppIDs, I bet you're having problem with the "chameleon" variant. &nbsp;</P> <P>&nbsp;</P> <P>If you can't block it by AppID, you should be able to tackle this via FQDN address objects. &nbsp;They've provided a complete list of their servers here:</P> <P>&nbsp;-&nbsp;<A href="https://support.goldenfrog.com/hc/en-us/articles/203733723-What-are-the-VyprVPN-server-addresses-" target="_blank">https://support.goldenfrog.com/hc/en-us/articles/203733723-What-are-the-VyprVPN-server-addresses-</A></P> <P>&nbsp;</P> <P>The CLI will probably be the quickest way to get these entries in your firewall. &nbsp;Here's what the commands would look:</P> <P>&nbsp;</P> <P><FONT face="courier new,courier">set address us1.vpn.goldenfrog.com tag vyprvpn</FONT><BR /><FONT face="courier new,courier">set address us1.vpn.goldenfrog.com fqdn us1.vpn.goldenfrog.com</FONT></P> <P><FONT face="courier new,courier">set address us2.vpn.goldenfrog.com tag vyprvpn</FONT><BR /><FONT face="courier new,courier">set address us2.vpn.goldenfrog.com fqdn us2.vpn.goldenfrog.com</FONT></P> <P>&nbsp;</P> <P>Lather, rinse, repeat for each of the server locations. &nbsp;When you're done it will start to look something like this:</P> <P>&nbsp;</P> <P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/2173i0E9C8065C190CE46/image-size/medium?v=mpbl-1&amp;px=-1" border="0" alt="vypr1.PNG" title="vypr1.PNG" /></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>You're tagging each of these objects with a "vyprvpn" tag for a good reason. &nbsp;The above process will create one address object per server location. &nbsp;You then create an Address Group that includes all of the individual address objects tagged with 'vyprvpn' like this:</P> <P>&nbsp;</P> <P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/2174i0BEF67AEB4E8E52E/image-size/medium?v=mpbl-1&amp;px=-1" border="0" alt="vypr2.PNG" title="vypr2.PNG" /></P> <P>&nbsp;</P> <P>And finally, create a security policy that blocks traffic to 'vyprvpn-group' on any app and any port.</P> <P>&nbsp;</P> <P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/2175i747E90F8539B01A2/image-size/medium?v=mpbl-1&amp;px=-1" border="0" alt="vypr3.PNG" title="vypr3.PNG" /></P> <P>&nbsp;</P> <P>EDIT: &nbsp;I assumed that the VyprVPN server was hosted by goldenfrog.com in my above instructions. &nbsp;You may need to do something similar for VyprVPN through giganews, ie: us1.vpn.giganews.com, but the concept is the same. &nbsp;</P> <P>&nbsp;</P> <P>Also, I did a couple of quick tests.. &nbsp;VyprVPN on iOS is detected as "ciscovpn" and "ipsec-esp-udp" from an AppID perspective. &nbsp;Block those Apps to shut this down on that platform. &nbsp;On Windows, the VyprVPN "Chameleon" protocol is detected as "unknown-udp" and can also be blocked. &nbsp;In my lab, blocking unknown-udp prevented VyprVPN from establishing a Chameleon VPN tunnel without worrying about destination IP addresses.</P> <P>&nbsp;</P> Fri, 22 Jan 2016 18:43:44 GMT https://live.paloaltonetworks.com/t5/general-topics/vypr-vpn/m-p/71465#M40805 jvalentine 2016-01-22T18:43:44Z https://live.paloaltonetworks.com/t5/general-topics/vypr-vpn/m-p/73947#M41574 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27949">@inzamam.shahid</a>&nbsp;Ask and you shall receive. &nbsp;It appears "vyprvpn" is now a recognized application per content update 564.</P> Tue, 01 Mar 2016 23:45:55 GMT https://live.paloaltonetworks.com/t5/general-topics/vypr-vpn/m-p/73947#M41574 Brandon_Wertz 2016-03-01T23:45:55Z https://live.paloaltonetworks.com/t5/general-topics/vypr-vpn/m-p/73971#M41580 <P>I saw that today glad it got created it makes things much simpler!</P> Wed, 02 Mar 2016 10:32:50 GMT https://live.paloaltonetworks.com/t5/general-topics/vypr-vpn/m-p/73971#M41580 inzamam.shahid 2016-03-02T10:32:50Z