It seems that you are struggling with blocking proxy applications like Hotspot Shield, but the major point here is that you can only ensure that all Hotspot Shield attempts are blocked by enabling SSL Decryption. As you say SSL Decryption is not possible on your network, the possibility of the user bypassing the firewall is high, because proxy applications like Hotspot Shield use IKE, IPsec, SSH and SSL to create encrypted tunnels which will completely bypass the filtering. You may block unknown-udp / unknown-tcp and it will block a considerable number of users, but again these apps try to bypass the limitation using these ports, which will be very difficult to block with a security policy: ports 22, 53, 443, 80, 8080 and many more, or it will open ports. Monitoring the logs will show the app is blocked, but on the other hand many attempts have already bypassed the firewall.