Hello, Live community!
I'm having the same problem with the Psiphon application. I've blocked it with the following configuration on my NGFW running PAN-OS version 11.1.10-h1 and Content-ID Apps & Threats 9039-9750 and Antivirus 5370-5896 on a test machine (within the domain, with all root CA certificates for decryption😞
1- I created an application filter to group applications labeled like "Proxy Avoidance", as shown below:
APPLICATION FILTER Proxy-Apps
2- Create a denied security policy rule that associates the following applications and the application filter Proxy-Apps applications only to public IP addresses (not RFC-1918) and through any TCP/UDP port as follows:
SECURITY POLICY RULE
3. Create a decryption profile with the following checks enabled for both TLS and SSH traffic:
DECRYPTION PROFILE SSL DECRYPTION > SSL FORWARD PROXY TAB
DECRYPTION PROFILE SSL DECRYPTION > SSL PROTOCOL SETTINGS TAB (TLSv MIN 1.1)
DECRYPTION PROFILE SSH PROXY TAB
4- Create a decryption rule for both TLS traffic (SSL Forward Proxy) and SSH traffic (SSH Proxy) to public IP addresses (non-RFC-1918) through any TCP/UDP port as follows:
DECRYPTION RULES TLS AND SSH TRAFFIC
5- Finally the Test User tried to connect the Psiphon Proxy App, however they keep stuck in Connecting state as shown below:
TEST USER STUCK PSIPHON APP
After this, Psiphon's connection to users on the internal network was blocked. However, when associating S2S or Remote Access VPN protocols such as IKE and IPSec, some users connected to an internal or external gateways may be unable to use these protocols for their connection and be forced to use SSL. In some cases, this can cause latency issues when consuming video and streaming traffic. To address this, a higher-level security rule must be created associating the IKE, IPSec, SSL and panos-global-protect applications to allow such connections only when they reach authorized public or private IP addresses.
Another good question that might arise is: what about users of guest Wi-Fi networks? How do we control their connection to Psiphon or Proxy apps without having the ability to install decrypt certificates or modify registry editor values?
Some alternatives include (always with caution and after testing them in a non-productive environment or time😞
- Using App-ID to prevent connections to the following applications: psiphon, l2tp, ike, ipsec-base, ssh-tunnel, openvpn, tor, dtls, tcp-over-dns, dns-over-https, dns-over-tls, dnscrypt, http-proxy, socks.
- Use URL filtering profiles limiting access to websites categorized as Proxy-Avoidance-and-Anonymizers, Dynamic-DNS, Hacking, etc.
- Block the Quic protocol over any port so that clients cannot use it and instead try to use TLS, allowing the firewall to identify websites using the SNI and CN of the certificates in the Server Hellos packages (SSL decryption is not required).
- Allow traffic to legitimate services through their standard ports, such as SSL/TCP-443 and DNS/UDP|TCP-53, to known destinations, along with DNS security profiles blocking bad categories like Proxy-Avoidance-and-Anonymizers and Newly Registered Domains, and deny everything else.
- Apply Antispyware and Vulnerability Protection profiles to the guest rule. Palo Alto Networks constantly updates its signatures to detect anomalous behavior or negotiation sequences characteristic of Psiphon or obfuscated SSH tunnels, even if the payload is encrypted, Keep your NGFWs updated with the latest Antivirus and APP-ID "Content-ID" signatures.
- Limit bandwidth for guest networks with QoS rules due tunneling applications often manifest as a single, long-running session with very high sustained data usage. If you can't block the application, you can at least mitigate its impact by making the experience very slow and unusable for the user and your firewall will thank you for it..
If you know of other ways to improve your security posture, please let us know in the comments. 👀
Thank you for your time, and I hope this information is helpful. I would appreciate it if you could support me with a like or accept this answer as a solution; that will help me a lot to become a CyberElite! 😁Best Regards,
Daniel Romero
Senior Network/Security Engineer
PANW Partner
