cannot block hotspot shield

cancel
Showing results for 
Search instead for 
Did you mean: 

cannot block hotspot shield

L2 Linker

HI

it seems it has became vey diffcult to block hotspot shield , even though the application is being idenfied by palo alto , still hot spot finds it way by port 80 . is there any way to block hot spot shield.Also From IPAD/IPHONE it is easily connecting

Thanks

Shabeer

7 REPLIES 7

L6 Presenter

do you mean, paloalto is not identifying the traffic, if the hotspot shield is using port 80 ? . and also from ipad/iphone it is connecting ? how is the traffic identified in this case ?

Can you provide this information from logs ?

Thanks,

Sandeep T

I'm getting a similar issue, have a user using Hotspot Shield , and even though i've told PA to block the app, its still working.  comes across port 80 as "unknown-tcp" and port 990 as "insufficient-data" 

any help would be appreciated.

First of all, did you enable ssl-termination (unless Im wrong hotspot shield tries to use ssl to bypass firewalls)?

Second, I doubt that the port 990 traffic identified as "insufficient-data" would be enough to make the application run in long term (perhaps only as a way to find other nodes) - from the admin guide:

"

* Incomplete - A handshake took place, but no data packets were sent prior to the timeout.

* Insufficient-Data - A handshake took place followed by one or more data packets; however, not enough data packets were exchanged to identify the application.

"

If you are positive that the PA didnt successfully identify hotspot shield even if you were using ssl-termination (as a debug use both "log on session start" and "log on session end" on all rules) you can contact the appid team and submit some pcaps so they can improve the hotspot shield detection: Tools ‹ Palo Alto Networks BlogPalo Alto Networks Blog

A case has been opened for that.Support saw the same issue.They are working on it.They will solve soon.

thanks.  i ended up blocking "unknown-tcp" for now until we find a better resolution.  after i did that i started seeing the hotspot-shield app-id start hunting ports trying to get out, but wasnt able too.. now i see him trying to get to ultrasurf and cyberghost vpn, but url filter is catching him.   Its fun to watch them squirm :smileywink:

from url filtering able to block ultrasurf? you mean the poxies category?:smileymischief:

L6 Presenter

Support told me that(on my case) they found the issue and working on it to resolve it.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!