Croxyproxy Block


Hi Team,

We want to block CroxyProxy on the Palo Alto firewall. There is no application for this proxy that we can block.

We already tried blocking the proxy-avoidance category, but it doesn't help, even after applying it after decrypting the SSL packets.

We are seeing that the URL keeps getting changed and hitting the server until it gets a successful connection, so some URL category like streaming-media or government, which is allowed in the firewall, is letting the traffic pass through the firewall.

How do we block this CroxyProxy web extension traffic in the Palo Alto firewall? Any valid solution is highly appreciated.

Regards
venky

1 accepted solution

Accepted Solutions

Hi All,

This is resolved. I have configured a block policy for the categories streaming-media, unknown, proxy-avoidance and web-hosting. Categories may change on a case-by-case basis, so they need to be changed accordingly. If any URL of interest falls under these categories, create an exception for it. I also attached a spyware profile with DNS sinkhole enabled to the same policy.

I created an SSL forward decryption policy and attached a default profile. It is mostly using unknown issuers and non-standard protocols, which get blocked as decrypt-error by the PA.

After the above configuration, I observed it for 24 hours and it is not working. So this may be useful for someone who wants to block it.


@Venkatesan_radhakrishnan,

Do you have the current URL database? The website itself is listed under proxy-avoidance-and-anonymizers, so if you block that it should be preventing people from getting to the site. Maybe I'm missing where it has an extension or something? 

When Croxy proxy is installed as a Chrome extension they are still able to connect, because the URL changes to connect, and when the URL changes the category also changes.

Regards

venky

@Venkatesan_radhakrishnan,

If I get a moment I'll try to install this and look at a packet capture to see if I can identify anything that you can utilize to build a custom signature for the traffic. Essentially that's what you'll need to identify though: something consistent when that extension is utilized, so you can build a custom signature to block the traffic.

Hello,

Also make sure the policy that allows outbound traffic is set to use Anti-Spyware profiles and has DNS sinkholing enabled.

 

Regards,

Hi

I tried anti-spyware with DNS sinkhole already, but it is not blocking.

If you use croxyproxy you can see that the URL keeps changing, which is not getting blocked.

Regards

Venky


@OtakarKlier @Venkatesan_radhakrishnan @BPry

We have blocked all the categories mentioned below and also applied the anti-spyware policy, but we are still able to open croxyproxy. Please suggest.

@OtakarKlier @BPry

I am trying to configure the Custom Application Signature, but in the packet capture it changes randomly. Can you help me to block this croxyproxy traffic?

Hello,

Are you decrypting outbound traffic as stated in the solution? This is a must as most traffic is encrypted and the PAN may not be able to determine the proper result you are looking for.

 

Regards,

@OtakarKlier Yes, I applied the forward decryption policy as well as blocked the above category, but it still works. Please help to block this.

We are not able to block this proxy traffic because the URL from the proxy keeps on changing and it is prefixed to the desired URL. Once the URL gets changed the category also gets changed, so the traffic is passing through the firewall.

We have seen that this application runs on random prefixes like (.com, .net, .xyz, .space, .rocks).

So we created a URL category and blocked their random prefixes.

We also blocked some predefined categories where the traffic was passing through, such as (unknown, greyware, proxy-avoidance, social-networking, streaming-media, malware…).

After applying the above methods we are no longer able to access the croxyproxy application.
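As an added illustration of the triage the last two replies describe (the proxy hostname shows up under many TLDs, the destination URL is carried after it, so the URL category keeps changing), here is a small Python script. It is not part of this thread and not Palo Alto tooling. It reads constructed URL-filtering log lines (the column layout, IPs, timestamps and paths are made up for the example; only the "croxyproxy" label and the TLD list come from the replies above), lists the TLDs and categories the proxy hosts appeared under, flags entries that were not blocked, and builds wildcard entries for a custom URL category. The `*.domain.tld/` entry form is an assumption here, as is the `/proxy/` path used in the sample lines.

```python
import re
from collections import Counter

# Domain label taken from the thread; the TLD after it varies, which is why
# a single exact URL entry does not catch the traffic.
PROXY_NAME = "croxyproxy"

# Constructed sample log (not from the thread): time, source IP, URL, category, action.
# The "/proxy/<destination>" path is assumed for illustration only.
SAMPLE_LOG = """\
2024/01/10 10:00:01,10.1.1.5,www.croxyproxy.com/,proxy-avoidance-and-anonymizers,block-url
2024/01/10 10:00:04,10.1.1.5,abc123.croxyproxy.xyz/proxy/https://video.example.com/,streaming-media,alert
2024/01/10 10:00:09,10.1.1.5,def456.croxyproxy.rocks/proxy/https://portal.example.gov/,government,alert
2024/01/10 10:00:12,10.1.1.7,www.example.com/,business-and-economy,alert
2024/01/10 10:00:20,10.1.1.5,ghi789.croxyproxy.space/,unknown,alert
"""

# Matches "<anything>.croxyproxy.<tld>" or "croxyproxy.<tld>" and captures the TLD.
_HOST_RE = re.compile(r"(?:^|\.)" + re.escape(PROXY_NAME) + r"\.([a-z0-9-]+)$")


def parse_log(text):
    """Split CSV-style URL log lines into records; the host is the URL up to the first '/'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, url, category, action = line.split(",", 4)
        host = url.split("/", 1)[0].lower()
        records.append({"time": ts, "src": src, "url": url, "host": host,
                        "category": category, "action": action})
    return records


def proxy_tld(host):
    """Return the TLD if the host belongs to the proxy's domain family, else None."""
    m = _HOST_RE.search(host.lower())
    return m.group(1) if m else None


def triage(records):
    """Collect TLDs and categories seen for proxy hosts, plus hits the firewall did not block."""
    tlds, categories, leaked = set(), Counter(), []
    for r in records:
        tld = proxy_tld(r["host"])
        if tld is None:
            continue
        tlds.add(tld)
        categories[r["category"]] += 1
        if not r["action"].startswith("block"):
            leaked.append((r["url"], r["category"]))
    return {"tlds": tlds, "categories": categories, "leaked": leaked}


def custom_url_list(tlds, name=PROXY_NAME):
    """Wildcard entries for a custom URL category; '*.domain.tld/' form is assumed."""
    return sorted(f"*.{name}.{tld}/" for tld in tlds)


def categories_to_review(result):
    """Categories the proxy hosts were classified under: block or add explicit exceptions."""
    return sorted(result["categories"])


if __name__ == "__main__":
    result = triage(parse_log(SAMPLE_LOG))
    print("TLDs seen:", sorted(result["tlds"]))
    print("Categories seen:", categories_to_review(result))
    print("Not blocked:", result["leaked"])
    print("Custom URL category entries:", custom_url_list(result["tlds"]))
```

Running it on the constructed lines shows the "government" and "streaming-media" hits that slipped through, which is exactly the situation the original question describes: those categories are allowed for business reasons, so the custom URL category built from the TLD list is what closes the gap without blocking the legitimate sites in those categories.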
