<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Betternet VPN Lemon VPN blocking in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/betternet-vpn-lemon-vpn-blocking/m-p/268305#M74542</link>
    <description>&lt;P&gt;Looks like a rather evasive application.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;"Lemon VPN allows you to unblock websites that are blocked to you by your ISP or government through tunnelling via different protocols like SSL, TCP, HTTP."&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;I would suggest the following:&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;- Either allow only specific, sanctioned apps from the network, or make sure to block: SSH, IPSEC, the common ports used for those apps too, etc.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;- A rather strict URL Filtering profile, their domain is "parked" btw.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;- Create a report to find which IPs are used while connecting to the tunneling services, block those IPs&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;- Do not allow unknown-tcp, unknown-udp traffic on the network, if necessary to allow, make sure to investigate the traffic that is required to work, create apps based on that and then go ahead to deny the unknown-tcp,udp.&lt;/SPAN&gt;&lt;/P&gt;</description>
    <pubDate>Mon, 10 Jun 2019 11:19:22 GMT</pubDate>
    <dc:creator>Philip_Wiberg</dc:creator>
    <dc:date>2019-06-10T11:19:22Z</dc:date>
    <item>
      <title>Betternet VPN Lemon VPN blocking</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/betternet-vpn-lemon-vpn-blocking/m-p/260821#M73933</link>
      <description>&lt;P&gt;Anyone know how to block these 2 apps?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Betternet VPN&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.betternet.co/" target="_blank"&gt;https://www.betternet.co/&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Lemon VPN&lt;/P&gt;&lt;P&gt;&lt;A href="https://play.google.com/store/apps/details?id=org.lemonvpn.android&amp;amp;hl=en_US" target="_blank"&gt;https://play.google.com/store/apps/details?id=org.lemonvpn.android&amp;amp;hl=en_US&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We have a BYOD at our K-12 education schools, and students are bringing their own devices in with these installed.&amp;nbsp; I assume there are other VPNs out there coming in too.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We have an 'open' BYOD, so no authentication needed, other than agreeing with the AUP.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Palo shows no App-ID for either of these and the traffic just pokes right through.&amp;nbsp; We have proxy sites blocked via Palo URL license, and have SSL decryption enabled and make BYOD users install our ssl-forward-proxy cert if they want to use https websites.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Any thoughts?&lt;/P&gt;&lt;P&gt;Dannon&lt;/P&gt;</description>
      <pubDate>Mon, 13 May 2019 21:14:51 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/betternet-vpn-lemon-vpn-blocking/m-p/260821#M73933</guid>
      <dc:creator>dannon</dc:creator>
      <dc:date>2019-05-13T21:14:51Z</dc:date>
    </item>
    <item>
      <title>Re: Betternet VPN Lemon VPN blocking</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/betternet-vpn-lemon-vpn-blocking/m-p/260848#M73940</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;Perhaps block the ports that they are using outbound? Typically VPN uses 500/udp. Maybe even use an application filter and use encrypted-tunnel, however this could break legit traffic so whatever you put in, I say make it an allow policy to see what else it's matching.&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;</description>
      <pubDate>Mon, 13 May 2019 21:57:09 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/betternet-vpn-lemon-vpn-blocking/m-p/260848#M73940</guid>
      <dc:creator>OtakarKlier</dc:creator>
      <dc:date>2019-05-13T21:57:09Z</dc:date>
    </item>
    <item>
      <title>Re: Betternet VPN Lemon VPN blocking</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/betternet-vpn-lemon-vpn-blocking/m-p/268305#M74542</link>
      <description>&lt;P&gt;Looks like a rather evasive application.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;"Lemon VPN allows you to unblock websites that are blocked to you by your ISP or government through tunnelling via different protocols like SSL, TCP, HTTP."&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;I would suggest the following:&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;- Either allow only specific, sanctioned apps from the network, or make sure to block: SSH, IPSEC, the common ports used for those apps too, etc.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;- A rather strict URL Filtering profile, their domain is "parked" btw.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;- Create a report to find which IPs are used while connecting to the tunneling services, block those IPs&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;- Do not allow unknown-tcp, unknown-udp traffic on the network, if necessary to allow, make sure to investigate the traffic that is required to work, create apps based on that and then go ahead to deny the unknown-tcp,udp.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 10 Jun 2019 11:19:22 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/betternet-vpn-lemon-vpn-blocking/m-p/268305#M74542</guid>
      <dc:creator>Philip_Wiberg</dc:creator>
      <dc:date>2019-06-10T11:19:22Z</dc:date>
    </item>
    <item>
      <title>Re: Betternet VPN Lemon VPN blocking</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/betternet-vpn-lemon-vpn-blocking/m-p/268344#M74545</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;Looks like a URL filter policy might be able to help as well. But I agree the kids will try to find a way around stuff. Have daily reports and review the traffic to see what new stuff they are trying and make sure it's getting blocked. I'm sure a lot of others would love to see how you are blocking these attempts.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;</description>
      <pubDate>Mon, 10 Jun 2019 13:10:24 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/betternet-vpn-lemon-vpn-blocking/m-p/268344#M74545</guid>
      <dc:creator>OtakarKlier</dc:creator>
      <dc:date>2019-06-10T13:10:24Z</dc:date>
    </item>
    <item>
      <title>Re: Betternet VPN Lemon VPN blocking</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/betternet-vpn-lemon-vpn-blocking/m-p/343859#M86054</link>
      <description>&lt;P&gt;Greetings from a K-12 private school in &lt;SPAN class="st"&gt;Wisconsin&lt;/SPAN&gt;,&lt;/P&gt;&lt;P&gt;I'm a school psychologist and very often I ask students to watch videos and lectures on the reliable educational web resources, but they go further than that - they start looking for other stuff, sometimes, it concerns violent scenes and bullying. They are trying to bypass our security measures all the time. What is a sure fire way to block Proxy and VPN tools for good?&lt;/P&gt;&lt;P&gt;Should I perform whitelisting?&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;Dani&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;EM&gt;&lt;FONT size="2"&gt;Dani Dapo (Omoiyadapo)&lt;/FONT&gt;&lt;/EM&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 14 Aug 2020 04:46:10 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/betternet-vpn-lemon-vpn-blocking/m-p/343859#M86054</guid>
      <dc:creator>Omoiyadapo</dc:creator>
      <dc:date>2020-08-14T04:46:10Z</dc:date>
    </item>
    <item>
      <title>Re: Betternet VPN Lemon VPN blocking</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/betternet-vpn-lemon-vpn-blocking/m-p/343983#M86076</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/152114"&gt;@Omoiyadapo&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;There is no sure fire way to block proxies and VPN solutions across the board, and while a robust whitelisting process can help limit the issue it'll never completely rid the issue. New Proxies and VPN solutions come online all the time, and smart students can spin up their own on any port that you leave open.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You can create an extremely limited rulebase which only allows access to "approved" resources, but in a school environment that would be extremely time consuming. Students will find a way to get around things unless you completely restrict access.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sat, 15 Aug 2020 03:30:19 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/betternet-vpn-lemon-vpn-blocking/m-p/343983#M86076</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2020-08-15T03:30:19Z</dc:date>
    </item>
    <item>
      <title>Re: Betternet VPN Lemon VPN blocking</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/betternet-vpn-lemon-vpn-blocking/m-p/344249#M86132</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;This may be a case of always being behind the ball. As stated before, configure your URL filtering as well as the other security policies and objects. Then have the firewall generate reports as to the websites that are getting hit. Review the logs daily and see if you can see a pattern. Also SSL decryption can be a benefit here since the PAN can possibly determine the application and if you have it blocked. Make sure you are sending PAN your telemetry so their algorithms can reprocess and dynamically update their feeds. This not only helps you but everyone attempting to do the same thing.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Let us know which way you go so the rest of the community can follow the leader and do something similar :).&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Regards,&lt;/P&gt;</description>
      <pubDate>Mon, 17 Aug 2020 21:27:52 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/betternet-vpn-lemon-vpn-blocking/m-p/344249#M86132</guid>
      <dc:creator>OtakarKlier</dc:creator>
      <dc:date>2020-08-17T21:27:52Z</dc:date>
    </item>
  </channel>
</rss>

