it seems it has became vey diffcult to block hotspot shield , even though the application is being idenfied by palo alto , still hot spot finds it way by port 80 . is there any way to block hot spot shield.Also From IPAD/IPHONE it is easily connecting
First of all, did you enable ssl-termination (unless Im wrong hotspot shield tries to use ssl to bypass firewalls)?
Second, I doubt that the port 990 traffic identified as "insufficient-data" would be enough to make the application run in long term (perhaps only as a way to find other nodes) - from the admin guide:
* Incomplete - A handshake took place, but no data packets were sent prior to the timeout.
* Insufficient-Data - A handshake took place followed by one or more data packets; however, not enough data packets were exchanged to identify the application.
If you are positive that the PA didnt successfully identify hotspot shield even if you were using ssl-termination (as a debug use both "log on session start" and "log on session end" on all rules) you can contact the appid team and submit some pcaps so they can improve the hotspot shield detection: Tools ‹ Palo Alto Networks BlogPalo Alto Networks Blog
thanks. i ended up blocking "unknown-tcp" for now until we find a better resolution. after i did that i started seeing the hotspot-shield app-id start hunting ports trying to get out, but wasnt able too.. now i see him trying to get to ultrasurf and cyberghost vpn, but url filter is catching him. Its fun to watch them squirm
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!