https://live.paloaltonetworks.com/t5/general-topics/public-vpn-bypass-firewall/m-p/253269#M71939 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/107470">@shafi.md</a> ,</P> <P>&nbsp;</P> <P>Have you tried blocking the proxy-avoidance category ? Both of the vpn tools that you mention fall under that URL category.</P> <P>&nbsp;</P> <P>If that doesn't work for you then you might want to consider blocking ipsec based on users.&nbsp; For example creating a security policy based on user instead so you can allow certain users to have vpn tunnels while denying everyone else.</P> <P>&nbsp;</P> <P>Using an application filter you can control all vpn/encrypted tunnel applications which will automatically contain all applications that create encrypted tunnels, and use that in a security policy to control access to these applications :</P> <P>&nbsp;</P> <P><IMG class="lia-media-image" src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/3085iCA41FFA931029304/image-size/original?v=mpbl-1&amp;px=-1" alt="application filter" title="application filter" border="0" /></P> <P>&nbsp;</P> <P>Cheers,</P> <P>-Kiwi.</P> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4">&nbsp;</DIV> Tue, 12 Mar 2019 08:31:14 GMT kiwi 2019-03-12T08:31:14Z https://live.paloaltonetworks.com/t5/general-topics/public-vpn-bypass-firewall/m-p/253246#M71935 <P>Hi ,</P><P>&nbsp;</P><P>&nbsp; &nbsp; I have blocked some Applications (like youtube, facebook etc in PAN-OS9.0.0), But employees are still able to access these applications while using VPN (Like ibvpn, purevpn).</P><P>If anyone have solution please let me know, how to block that traffic,</P><P>&nbsp;</P> Tue, 12 Mar 2019 06:03:12 GMT https://live.paloaltonetworks.com/t5/general-topics/public-vpn-bypass-firewall/m-p/253246#M71935 shafi.md 2019-03-12T06:03:12Z https://live.paloaltonetworks.com/t5/general-topics/public-vpn-bypass-firewall/m-p/253269#M71939 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/107470">@shafi.md</a> ,</P> <P>&nbsp;</P> <P>Have you tried blocking the proxy-avoidance category ? Both of the vpn tools that you mention fall under that URL category.</P> <P>&nbsp;</P> <P>If that doesn't work for you then you might want to consider blocking ipsec based on users.&nbsp; For example creating a security policy based on user instead so you can allow certain users to have vpn tunnels while denying everyone else.</P> <P>&nbsp;</P> <P>Using an application filter you can control all vpn/encrypted tunnel applications which will automatically contain all applications that create encrypted tunnels, and use that in a security policy to control access to these applications :</P> <P>&nbsp;</P> <P><IMG class="lia-media-image" src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/3085iCA41FFA931029304/image-size/original?v=mpbl-1&amp;px=-1" alt="application filter" title="application filter" border="0" /></P> <P>&nbsp;</P> <P>Cheers,</P> <P>-Kiwi.</P> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4">&nbsp;</DIV> Tue, 12 Mar 2019 08:31:14 GMT https://live.paloaltonetworks.com/t5/general-topics/public-vpn-bypass-firewall/m-p/253269#M71939 kiwi 2019-03-12T08:31:14Z https://live.paloaltonetworks.com/t5/general-topics/public-vpn-bypass-firewall/m-p/253386#M71968 <P>Hello,</P><P>Agreed on the URL blocking and application blocking. Worst case you can block the port that those applications use.&nbsp;</P><P>&nbsp;</P><P>Regards,</P> Tue, 12 Mar 2019 18:22:04 GMT https://live.paloaltonetworks.com/t5/general-topics/public-vpn-bypass-firewall/m-p/253386#M71968 OtakarKlier 2019-03-12T18:22:04Z