07-28-2020 12:27 PM
Hi Team,
We want to block croxy proxy on a Palo Alto firewall. There is no application for this proxy to block.
We already tried blocking the category proxy avoidance, but it doesn't help even after applying it after decrypting SSL packets.
We are seeing that the URL keeps getting changed and hitting the server until it gets a successful connection, so some URL category like streaming media or government URL which is allowed in the firewall is letting the traffic pass via the firewall.
How can we block this croxy proxy web extension traffic on a Palo Alto firewall? Any valid solution is highly appreciated.
Regards
venky
08-04-2020 04:49 AM
Hi All,
This is resolved. I have configured a block policy for the categories streaming-media, unknown, proxy-avoidance and web-hosting. Categories may change on a case-by-case basis, so you need to change them accordingly. If any URL of interest falls under these categories, create an exception for it. I also attached a spyware profile with DNS sinkhole enabled to the same policy.
I created an SSL forward decryption policy and attached a default profile. It is mostly using unknown issuers and not standard protocols, which are getting blocked as decrypt-error by PA.
After the above configuration, I observed it for 24 hours and it is not working. So this may be useful for someone who wants to block it.
07-28-2020 01:39 PM
Do you have the current URL database? The website itself is listed under proxy-avoidance-and-anonymizers, so if you block that it should be preventing people from getting to the site. Maybe I'm missing where it has an extension or something?
07-28-2020 09:09 PM
When Croxy proxy is installed as a Chrome extension, they are still able to connect because the URL changes to connect; when the URL changes, the category also changes.
Regards
venky
07-30-2020 10:48 AM
If I get a moment I'll try to install this and look at a packet capture to see if I can identify anything that you can utilize to build a custom signature for the traffic. Essentially that's what you'll need to identify though; something consistent when that extension is utilized so you can build a custom signature to block the traffic.
07-30-2020 02:39 PM
Hello,
Also make sure the policy that allows outbound traffic is set to use Anti-Spyware policies and has DNS Sink-holing enabled.
Regards,
08-02-2020 09:58 AM
Hi
I tried antispyware with DNS sinkhole already, but it is not blocking.
If you use croxyproxy you can understand the URL is changing which is not getting blocked.
Regards
Venky
10-06-2020 10:31 AM
@OtakarKlier @Venkatesan_radhakrishnan @BPry
We have blocked all the categories mentioned below and applied the anti-spy policy, but we are still able to open croxyproxy. Please suggest.
10-11-2020 12:08 PM
I am trying to configure the Custom Application Signature, but in the packet capture it randomly changes. Can you help me block this croxyproxy traffic?
10-13-2020 09:41 AM
Hello,
Are you decrypting outbound traffic as stated in the solution? This is a must as most traffic is encrypted and the PAN may not be able to determine the proper result you are looking for.
Regards,
12-26-2020 09:58 PM
@OtakarKlier Yes, I applied the forward decryption policy as well as blocked the above categories, but it still works. Please help to block this.
12-31-2020 01:31 AM
We are not able to block this proxy traffic because the URL from the proxy keeps on changing and it is prefixing to the desired URL. Once the URL gets changed, the category also gets changed, so the traffic is passing through the firewall.
We have seen that this application is running on random prefixes like (.com, .net, .xyz, .space, .rocks).
So we created a URL category and blocked their random prefixes.
We also blocked some predefined categories through which the traffic is passing, such as (Unknown, Greyware, proxy avoidance, unknown, social network, streaming media, malware…)
After applying the above methods we are not able to access the croxyproxy application.
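An added example, not part of the post above and not Palo Alto tooling: before enforcing the category and suffix blocks described in this thread, a dry run over exported URL log records shows which currently allowed hosts would be blocked, which of them may need an exception, and which clients hit several of the blocked categories. The CSV columns, the sample rows, the function names and the choice to leave `.com` and `.net` out of the suffix list are assumptions.

```python
import csv
import io
from collections import defaultdict

# Categories from the accepted solution; suffixes are a subset of the last post's list.
BLOCK_CATEGORIES = {"streaming-media", "unknown", "proxy-avoidance", "web-hosting"}
BLOCK_SUFFIXES = (".xyz", ".space", ".rocks")

# Constructed sample, not a real firewall log export; column names are assumptions.
SAMPLE_LOG = """src,host,category,action
10.0.0.5,cdn1.sample-a.xyz,unknown,allow
10.0.0.5,a7.sample-b.space,web-hosting,allow
10.0.0.5,media.sample-c.net,streaming-media,allow
10.0.0.8,training.sample-d.com,streaming-media,allow
10.0.0.9,training.sample-d.com,streaming-media,allow
10.0.0.9,intranet.sample-e.org,business-and-economy,allow
"""

def verdict(host, category, exceptions):
    """Return why a session would be blocked, or None if it stays allowed."""
    host = host.lower().rstrip(".")
    if host in exceptions:          # exceptions win over every block rule
        return None
    if host.endswith(BLOCK_SUFFIXES):
        return "suffix"
    if category in BLOCK_CATEGORIES:
        return "category:" + category
    return None

def dry_run(log_text, exceptions=frozenset(), min_sources=2):
    """Replay allowed sessions against the planned block rules."""
    blocked_hosts = defaultdict(set)    # host -> clients that would lose access
    reasons_by_src = defaultdict(set)   # client -> distinct block reasons hit
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["action"] != "allow":
            continue
        reason = verdict(row["host"], row["category"], exceptions)
        if reason:
            blocked_hosts[row["host"]].add(row["src"])
            reasons_by_src[row["src"]].add(reason)
    return {
        "newly_blocked": sorted(blocked_hosts),
        # Hosts used by several clients are worth reviewing for an exception.
        "exception_candidates": sorted(
            h for h, s in blocked_hosts.items() if len(s) >= min_sources),
        # One client spread over several block reasons matches the
        # changing-URL, changing-category behaviour reported in the thread.
        "category_hoppers": sorted(
            s for s, r in reasons_by_src.items() if len(r) >= 2),
    }
```

Hosts listed as exception candidates can be passed back in through `exceptions` to confirm they survive the planned policy.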
08-31-2024 07:44 AM
why u block it
that was the only thing we had
08-31-2024 07:47 AM
i could come to your house and fight