I have been trying to block the Psiphon3 VPN through Palo Alto's default "psiphon" application, but it doesn't seem to have any effect.
I have found other options on the web that mention turning on SSL decryption and blocking http-proxy, ike, ipsec, l2tp, ssh and ssh-tunnel, but that's not feasible as we have multiple IPsec tunnels.
Is there any way that we can block this application without hampering our services?
What's the App-ID showing as in your traffic logs? If the security policy isn't being triggered, it's likely safe to assume the traffic isn't being tagged as psiphon3.
Anything encrypted cannot be inspected by the firewall. You'll find that a lot of the time, when decryption isn't enabled, the firewall makes assumptions about what the traffic is based on segment headers (ports, etc.) or the TLS SNI field, which leads to more generalized tagging like "SSL". When the traffic is decrypted, the firewall reviews it as a stream and makes dynamic adjustments to the App-ID as patterns in the payload match.
If the traffic isn’t being tagged correctly, then it’s likely encrypted without a means of decryption.
As others have said, enabling SSL decryption (depending on how much traffic is processed by the profile and what cipher suites are in use) can incur upwards of a 30-40% hit on maximum throughput for the interface. If you go this route, make sure to test it ahead of time with a small-scale group (shape usage similarly to a security policy by matching objects or IPs) or you'll likely encounter various issues in your live environment.
Other considerations include whether this is inbound (web to internal subnets, for clarification) or outbound traffic that you are trying to filter. If it's inbound, can you shape your current security policies to be less broad? Same for outbound: can you create logical device groupings and tighten up policies based on actual usage needs? I've seen lots of people on this subreddit end up relying on the default intrazone and interzone policies, which would (barring the traffic triggering a policy ahead of them) allow all web traffic hitting your web-facing interface without logging (or worse, depending on zone assignments).
It's hard to answer this question for you without understanding more of your environment. Are your legitimate IKE/IPsec/etc. connections in the same zone as your internal user traffic? If not, you could make a decryption policy rule for your internal user traffic source zone(s), then block IKE/IPsec/everything else you listed from that internal user zone. There are some "gotchas" to be aware of. First, decryption may eat up a lot of resources, so be careful when implementing. Second, applications that once showed as SSL may shift and no longer be blocked, or start getting blocked, because the application is now different.
Unfortunately, without decryption, Palo won't have any other way to know what the traffic is to the point where it can be easily blocked. You can use no-decrypt policy rules and security policies to allow your known good traffic/IPs as needed. KBs from Palo Alto below:
I wrote this a few years ago; it goes over my process of trying to block this application. I wrote it probably around PAN-OS 8 or 8.1, so it's probable the App-ID for psiphon has been updated since then, and I wouldn't be surprised if it's easier.
TL;DR: you need to start decrypting, then examine how the app works around that, and potentially block all unknown-tcp.
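As an added example (not code from this thread, from Palo Alto, or from the linked write-up), the Python script below dry-runs the approach the replies describe: tally which App-ID the user zone's sessions are actually logged as, list hosts that only ever show up under generic labels like ssl or unknown-tcp, and evaluate a zone-scoped rulebase that denies psiphon, IKE/IPsec, unknown-tcp and the rest from the user zone only, while leaving the site-to-site tunnels that terminate from another zone untouched, both before and after a decryption policy re-labels a session. The log lines, zone names, the ESP/NAT-T App-ID spellings and the "what decryption would reveal" table are all constructed assumptions; on a real firewall the App-ID shift comes from the decrypted stream, not from a lookup table.

```python
"""Dry-run the thread's advice against constructed traffic-log lines: check what
App-ID actually logged each session as, decrypt only the user zone, then block the
VPN/tunnel App-IDs from that zone while leaving site-to-site IPsec from another zone
alone. Added example: not Palo Alto code and not a real PAN-OS log export."""
import csv
import io
from collections import Counter

# Constructed sample, reduced to the columns this check needs (a real PAN-OS traffic
# CSV has many more). Zone names are assumed; the ESP/NAT-T App-ID spellings are
# assumptions and should be checked against the firewall's own App-ID list.
SAMPLE_LOG = """\
from_zone,to_zone,src,dst,dport,app,action
users,untrust,10.10.1.25,203.0.113.7,443,ssl,allow
users,untrust,10.10.1.25,203.0.113.7,443,ssl,allow
users,untrust,10.10.1.40,198.51.100.9,500,ike,allow
users,untrust,10.10.1.40,198.51.100.9,4500,ipsec-esp-udp,allow
users,untrust,10.10.1.77,192.0.2.15,8443,unknown-tcp,allow
users,untrust,10.10.1.90,203.0.113.50,443,web-browsing,allow
dmz,untrust,172.16.0.5,198.51.100.200,500,ike,allow
dmz,untrust,172.16.0.5,198.51.100.200,4500,ipsec-esp-udp,allow
"""

# Stand-in for App-ID re-classifying a stream once decryption exposes the payload:
# constructed, keyed by (src, dst). Real results come from the firewall, not from here.
REVEALED_AFTER_DECRYPT = {("10.10.1.25", "203.0.113.7"): "psiphon"}

DECRYPT_FROM_ZONES = {"users"}  # decryption policy scoped to the user zone only
GENERIC_APPS = {"ssl", "unknown-tcp", "unknown-udp"}
EVASION_APPS = {"psiphon", "http-proxy", "ike", "ipsec-esp-udp", "ipsec-esp",
                "l2tp", "ssh", "ssh-tunnel", "unknown-tcp"}

# Candidate security rulebase; PAN-OS evaluates top-down, first match wins. Keeping
# the deny zone-scoped is what protects the tunnels that terminate from "dmz".
RULEBASE = [
    {"name": "allow-site-tunnels", "from": {"dmz"},
     "apps": {"ike", "ipsec-esp-udp", "ipsec-esp"}, "action": "allow"},
    {"name": "deny-user-vpn-evasion", "from": {"users"},
     "apps": EVASION_APPS, "action": "deny"},
    {"name": "allow-user-web", "from": {"users"},
     "apps": {"web-browsing", "ssl"}, "action": "allow"},
]
DEFAULT_RULE = ("interzone-default", "deny")


def parse_log(text):
    """Parse the simplified CSV export into a list of session dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def app_breakdown(sessions, zone):
    """Session count per App-ID from one zone: the first thing to look at in the logs."""
    return Counter(s["app"] for s in sessions if s["from_zone"] == zone)


def generic_only_hosts(sessions, zone):
    """Hosts in `zone` seen only under generic labels (ssl, unknown-*). Without
    decryption these are the sessions an unidentified VPN client can hide in."""
    per_host = {}
    for s in sessions:
        if s["from_zone"] == zone:
            per_host.setdefault(s["src"], set()).add(s["app"])
    return sorted(h for h, apps in per_host.items() if apps <= GENERIC_APPS)


def effective_app(session):
    """App-ID the firewall settles on once the decryption policy applies to the zone."""
    if session["from_zone"] in DECRYPT_FROM_ZONES:
        return REVEALED_AFTER_DECRYPT.get((session["src"], session["dst"]), session["app"])
    return session["app"]


def match_rule(zone, app, rulebase=RULEBASE):
    """First-match lookup; falls through to the interzone default."""
    for rule in rulebase:
        if zone in rule["from"] and app in rule["apps"]:
            return rule["name"], rule["action"]
    return DEFAULT_RULE


def dry_run(sessions):
    """Decision per session before and after decryption, so the 'App-ID shifts and
    traffic starts getting blocked' gotcha is visible before anything is committed."""
    out = []
    for s in sessions:
        before = match_rule(s["from_zone"], s["app"])
        app_after = effective_app(s)
        after = match_rule(s["from_zone"], app_after)
        out.append({"src": s["src"], "app_before": s["app"], "app_after": app_after,
                    "rule_before": before[0], "action_before": before[1],
                    "rule_after": after[0], "action_after": after[1]})
    return out


if __name__ == "__main__":
    sessions = parse_log(SAMPLE_LOG)
    print("users-zone App-IDs:", dict(app_breakdown(sessions, "users")))
    print("generic-only hosts:", generic_only_hosts(sessions, "users"))
    for r in dry_run(sessions):
        print(f"{r['src']:<12} {r['app_before']:<14} -> {r['app_after']:<14} "
              f"{r['rule_before']}/{r['action_before']} -> {r['rule_after']}/{r['action_after']}")
```

Two things the dry run makes concrete: the dmz IKE/ESP sessions never touch the deny rule because it is scoped to the users zone, and the 10.10.1.25 sessions that hit the allow rule as "ssl" flip to "psiphon" and get denied once the zone is decrypted, which is exactly the kind of shift to watch for during a small-scale pilot before rolling decryption out further.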