Croxyproxy Block


Hi Team,

We want to block Croxy Proxy in the Palo Alto firewall. There is no application for this proxy to block.

We already tried blocking the category proxy avoidance, but it doesn't help even after applying it after decrypting SSL packets.

We are seeing the URL getting changed and hitting the server until it gets a successful connection, so some URL category like streaming media or government URL which is allowed in the firewall is letting the traffic pass via the firewall.

How to block this Croxy Proxy web extension traffic in the Palo Alto firewall? Any valid solution is highly appreciated.

Regards
venky


Accepted Solutions

Hi All,

This is resolved. I have configured a block policy for the categories streaming-media, unknown, proxy-avoidance and web-hosting. Categories may change on a case-by-case basis, so they need to be changed accordingly. If any URL of interest comes under these categories, create an exception for it. I also attached a spyware profile to the same policy with DNS sinkhole enabled.

I created an SSL forward decryption policy and attached a default profile. It is mostly using unknown issuers and non-standard protocols, which get blocked as decrypt-error by PA.

After the above configuration, I observed it for 24 hours and it is not working. So this may be useful for someone who wants to block it.


All Replies
Cyber Elite

@Venkatesan_radhakrishnan,

Do you have the current URL database? The website itself is listed under proxy-avoidance-and-anonymizers, so if you block that it should be preventing people from getting to the site. Maybe I'm missing where it has an extension or something?

When Croxy Proxy is installed as a Chrome extension they are able to still connect, because the URL changes to connect, and when the URL changes the category also changes.

Regards

venky

Cyber Elite

@Venkatesan_radhakrishnan,

If I get a moment I'll try to install this and look at a packet capture to see if I can identify anything that you can utilize to build a custom signature for the traffic. Essentially that's what you'll need to identify though; something consistent when that extension is utilized so you can build a custom signature to block the traffic.
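As an added illustration (not code from this thread or from Palo Alto Networks), the behaviour venky describes, one client cycling through URLs until one lands in an allowed category, can be hunted for in exported URL filtering logs even before a custom signature exists. The script assumes a simplified CSV layout (time, source IP, URL, category, action) and uses constructed sample lines; a real PAN-OS log export has many more columns, so the field positions and the threshold values are assumptions to adapt.

```python
"""Flag sources whose URL filtering log shows 'category hopping': several
distinct URL categories within a short window, with a mix of blocked and
passed requests. Added example; log layout and thresholds are assumptions."""

import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample log lines (not real traffic). Columns, assumed:
# time, source IP, URL, URL category, action
SAMPLE_LOG = """\
2020/05/04 10:00:01,10.1.1.5,https://proxy.example.net/,proxy-avoidance-and-anonymizers,block-url
2020/05/04 10:00:03,10.1.1.5,https://cdn1.example-host.net/a/,unknown,block-url
2020/05/04 10:00:04,10.1.1.5,https://video.example-host.net/a/,streaming-media,alert
2020/05/04 10:00:06,10.1.1.5,https://portal.example-gov.net/a/,government,alert
2020/05/04 10:00:08,10.1.1.5,https://portal.example-gov.net/a/,government,alert
2020/05/04 10:00:10,10.1.1.9,https://news.example.com/,news,alert
2020/05/04 10:05:00,10.1.1.9,https://mail.example.com/,web-based-email,alert
"""

WINDOW = timedelta(seconds=60)   # assumed: look at 60-second bursts per source
MIN_CATEGORIES = 3               # assumed: distinct categories that count as hopping
BLOCK_ACTION = "block-url"       # action string that denotes a blocked request


def parse_log(text):
    """Parse the assumed CSV layout into a time-sorted list of event dicts."""
    rows = []
    for rec in csv.reader(StringIO(text)):
        if len(rec) != 5:
            continue  # skip malformed or empty lines
        rows.append({
            "time": datetime.strptime(rec[0], "%Y/%m/%d %H:%M:%S"),
            "src": rec[1],
            "url": rec[2],
            "category": rec[3],
            "action": rec[4],
        })
    rows.sort(key=lambda r: r["time"])
    return rows


def find_category_hopping(rows, window=WINDOW, min_categories=MIN_CATEGORIES):
    """Return {src_ip: details} for sources that, within one window, touched at
    least min_categories distinct categories and had both blocked and passed
    requests, i.e. the block worked on some URLs but others got through."""
    by_src = defaultdict(list)
    for r in rows:
        by_src[r["src"]].append(r)

    findings = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the span fits in `window`
            while events[end]["time"] - events[start]["time"] > window:
                start += 1
            burst = events[start:end + 1]
            cats = {e["category"] for e in burst}
            actions = {e["action"] for e in burst}
            blocked = BLOCK_ACTION in actions
            passed = bool(actions - {BLOCK_ACTION})
            if len(cats) >= min_categories and blocked and passed:
                prev = findings.get(src)
                if prev is None or len(cats) > len(prev["categories"]):
                    findings[src] = {
                        "categories": sorted(cats),
                        "first": burst[0]["time"],
                        "last": burst[-1]["time"],
                        # the URLs that got through: candidates for a block
                        # or for an exception review, as the thread suggests
                        "passed_urls": sorted({e["url"] for e in burst
                                               if e["action"] != BLOCK_ACTION}),
                    }
    return findings


if __name__ == "__main__":
    for src, info in find_category_hopping(parse_log(SAMPLE_LOG)).items():
        print(src, info["first"], "->", info["last"], info["categories"])
        for url in info["passed_urls"]:
            print("   passed:", url)
```

The useful output is the list of categories and the URLs that passed for a flagged source: those are the categories the accepted solution ends up blocking (streaming-media, unknown, and so on) and the URLs you would review before adding exceptions. Tune the window and category threshold against normal browsing on your network, since a busy user can legitimately cross a few categories in a minute.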

Cyber Elite

Hello,

Also make sure the policy that allows outbound traffic is set to use Anti-Spyware policies and has DNS sinkholing enabled.

Regards,

Hi

I tried anti-spyware with DNS sinkhole already, but it is not blocking.

If you use croxyproxy you can understand that the URL is changing, which is not getting blocked.

Regards

Venky

