02-03-2013 03:35 AM
HI
it seems it has became vey diffcult to block hotspot shield , even though the application is being idenfied by palo alto , still hot spot finds it way by port 80 . is there any way to block hot spot shield.Also From IPAD/IPHONE it is easily connecting
Thanks
Shabeer
02-03-2013 11:07 AM
do you mean, paloalto is not identifying the traffic, if the hotspot shield is using port 80 ? . and also from ipad/iphone it is connecting ? how is the traffic identified in this case ?
Can you provide this information from logs ?
Thanks,
Sandeep T
04-01-2013 03:26 PM
I'm getting a similar issue, have a user using Hotspot Shield , and even though i've told PA to block the app, its still working. comes across port 80 as "unknown-tcp" and port 990 as "insufficient-data"
any help would be appreciated.
04-01-2013 08:05 PM
First of all, did you enable ssl-termination (unless Im wrong hotspot shield tries to use ssl to bypass firewalls)?
Second, I doubt that the port 990 traffic identified as "insufficient-data" would be enough to make the application run in long term (perhaps only as a way to find other nodes) - from the admin guide:
"
* Incomplete - A handshake took place, but no data packets were sent prior to the timeout.
* Insufficient-Data - A handshake took place followed by one or more data packets; however, not enough data packets were exchanged to identify the application.
"
If you are positive that the PA didnt successfully identify hotspot shield even if you were using ssl-termination (as a debug use both "log on session start" and "log on session end" on all rules) you can contact the appid team and submit some pcaps so they can improve the hotspot shield detection: Tools ‹ Palo Alto Networks BlogPalo Alto Networks Blog
04-02-2013 11:27 AM
A case has been opened for that.Support saw the same issue.They are working on it.They will solve soon.
04-02-2013 11:38 AM
thanks. i ended up blocking "unknown-tcp" for now until we find a better resolution. after i did that i started seeing the hotspot-shield app-id start hunting ports trying to get out, but wasnt able too.. now i see him trying to get to ultrasurf and cyberghost vpn, but url filter is catching him. Its fun to watch them squirm 
04-04-2013 08:11 PM
from url filtering able to block ultrasurf? you mean the poxies category?:smileymischief:
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
