Decryption is the key, it should always apply on any category and block sessions which cannot be decrypted (add exceptions to banking and governement sites + to few applications that don't support it). If you don't decrypt, there is no point in trying to block evasion applications. There are some Tor/Ultrasurlf app providers which change their URLs everyday. Some of them are just providing a plain old openvpn client thats runs over SSL (boxpn for example). I used to make filtering policies that were hard (if not impossible) to escape by my users with PAN products. SSL decryption is the key with an adapted AppID policy.
... View more