While some of their VPN protocols are standards-based with corresponding AppIDs, I bet you're having problem with the "chameleon" variant.
If you can't block it by AppID, you should be able to tackle this via FQDN address objects. They've provided a complete list of their servers here:
- https://support.goldenfrog.com/hc/en-us/articles/203733723-What-are-the-VyprVPN-server-addresses-
The CLI will probably be the quickest way to get these entries in your firewall. Here's what the commands would look:
set address us1.vpn.goldenfrog.com tag vyprvpn
set address us1.vpn.goldenfrog.com fqdn us1.vpn.goldenfrog.com
set address us2.vpn.goldenfrog.com tag vyprvpn
set address us2.vpn.goldenfrog.com fqdn us2.vpn.goldenfrog.com
Lather, rinse, repeat for each of the server locations. When you're done it will start to look something like this:
You're tagging each of these objects with a "vyprvpn" tag for a good reason. The above process will create one address object per server location. You then create an Address Group that includes all of the individual address objects tagged with 'vyprvpn' like this:
And finally, create a security policy that blocks traffic to 'vyprvpn-group' on any app and any port.
EDIT: I assumed that the VyprVPN server was hosted by goldenfrog.com in my above instructions. You may need to do something similar for VyprVPN through giganews, ie: us1.vpn.giganews.com, but the concept is the same.
Also, I did a couple of quick tests.. VyprVPN on iOS is detected as "ciscovpn" and "ipsec-esp-udp" from an AppID perspective. Block those Apps to shut this down on that platform. On Windows, the VyprVPN "Chameleon" protocol is detected as "unknown-udp" and can also be blocked. In my lab, blocking unknown-udp prevented VyprVPN from establishing a Chameleon VPN tunnel without worrying about destination IP addresses.
While some of their VPN protocols are standards-based with corresponding AppIDs, I bet you're having problem with the "chameleon" variant.
If you can't block it by AppID, you should be able to tackle this via FQDN address objects. They've provided a complete list of their servers here:
- https://support.goldenfrog.com/hc/en-us/articles/203733723-What-are-the-VyprVPN-server-addresses-
The CLI will probably be the quickest way to get these entries in your firewall. Here's what the commands would look:
set address us1.vpn.goldenfrog.com tag vyprvpn
set address us1.vpn.goldenfrog.com fqdn us1.vpn.goldenfrog.com
set address us2.vpn.goldenfrog.com tag vyprvpn
set address us2.vpn.goldenfrog.com fqdn us2.vpn.goldenfrog.com
Lather, rinse, repeat for each of the server locations. When you're done it will start to look something like this:
You're tagging each of these objects with a "vyprvpn" tag for a good reason. The above process will create one address object per server location. You then create an Address Group that includes all of the individual address objects tagged with 'vyprvpn' like this:
And finally, create a security policy that blocks traffic to 'vyprvpn-group' on any app and any port.
EDIT: I assumed that the VyprVPN server was hosted by goldenfrog.com in my above instructions. You may need to do something similar for VyprVPN through giganews, ie: us1.vpn.giganews.com, but the concept is the same.
Also, I did a couple of quick tests.. VyprVPN on iOS is detected as "ciscovpn" and "ipsec-esp-udp" from an AppID perspective. Block those Apps to shut this down on that platform. On Windows, the VyprVPN "Chameleon" protocol is detected as "unknown-udp" and can also be blocked. In my lab, blocking unknown-udp prevented VyprVPN from establishing a Chameleon VPN tunnel without worrying about destination IP addresses.
