This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Sagar_Manandhar
Advisor
‎2017-09-10 09:12 PM
Jump to solution

How to block Psiphon anomolyser

Hi,

The Application filering is not blocking the Phisphon anomilyser. In the log the first IP is blocked and then application redirect to the 80 port. What can i do to block it. In this community the case was raise earlier but no solution.

I have attached the log

Thank you

Sagar Manandhar

Preview file
442 KB
Preview file
427 KB
Preview file
387 KB
0 Kudos
1 Solution

Accepted Solutions
Sagar_Manandhar
Advisor
‎2017-10-13 06:48 AM
In response to PhoneBoy
Jump to solution

Finally able to block the psiphon with the help of tac.

The procedure is :

-install the latest hotfix in both gateway and management (may or may not be required)

- Enable https inspection and generate the self sign certificate.

- generate self-signed certificate and install it on all PC of the network (Would be easy if Active Directory is in use)

- Make a Policy for https inspection with "https" and "http_and_https_proxy" with ACtion=Inspection

- Add url and application policy to block the category "support file sharing".

 

Note: the psiphon is block for only devices in which we install the self-sign certificate. 

 

Thanks,

Sagar Manandhar

View solution in original post

6 Replies
PhoneBoy
Admin
Admin
‎2017-09-10 10:49 PM
Jump to solution

It's like was said in Blocking Psiphon 3 R80.10‌, this is a fairly difficult anonymizer to block.

If you've followed the advice in the previous thread and you still see this traffic getting through, take packet captures of the relevant traffic and engage the TAC: Contact Support | Check Point Software 

Sagar_Manandhar
Advisor
‎2017-09-12 09:09 PM
In response to PhoneBoy
Jump to solution

sir,

i contacted tac but not getting the good response. every time i give the tac the remote session they only see the log and take the backup of the management and says that they will provide the hot-fix. And in every call they always say they are facing the similar problem from different other client and don't talk about the solution.

Thank you.

Sagar Manandhar

PhoneBoy
Admin
Admin
‎2017-09-12 09:33 PM
In response to Sagar_Manandhar
Jump to solution

Please send me a private message with the relevant support SRs, I’ll have someone look at them.

0 Kudos
Sagar_Manandhar
Advisor
‎2017-10-13 06:48 AM
In response to PhoneBoy
Jump to solution

Finally able to block the psiphon with the help of tac.

The procedure is :

-install the latest hotfix in both gateway and management (may or may not be required)

- Enable https inspection and generate the self sign certificate.

- generate self-signed certificate and install it on all PC of the network (Would be easy if Active Directory is in use)

- Make a Policy for https inspection with "https" and "http_and_https_proxy" with ACtion=Inspection

- Add url and application policy to block the category "support file sharing".

 

Note: the psiphon is block for only devices in which we install the self-sign certificate. 

 

Thanks,

Sagar Manandhar

Tibin
Explorer
‎2019-05-27 09:49 PM
In response to Sagar_Manandhar
Jump to solution

successfully block PSIPHON3 application we need to have HTTPS Inspection enabled on the gateway and the entire subnet in question should be subjected to HTTPS Inspection.

Enabling HTTPS inspection in a college environment is hard, because many are Mobile phone users. After installing the ssl certificate a warning message is showing- your device is monitoring a third party.  At the time of device implementation, we successfully blocked all the tunnelling application without enabling HTTPS inspections. But on the recent Application Blade database update, these applications started getting connected.

 

0 Kudos
Melissa_Clarke
Explorer
‎2017-11-05 11:01 AM
Jump to solution

If you want to block this application, you will must to block all VPN which are not yours. You may read about Psiphon for PC here or just follow the steps below to unblock the app:--

1. Enable DPI-SSL Client Inspection by going to DPI-SSL | Client SSL and selecting Enable SSL Client Inspection. Ensure that IPS, GAV, Spyware, and Application Firewall are selected.

2. Enable all Psiphon application signatures by going to Firewall | App Control Advanced. Select the category PROXY-ACCESS and application Psiphon. Configure the application to be blocked and logged.

3. Also block Encrypted Key Exchange TCP Random Traffic (SID 5).

4. Enable blocking of SSH app signature (SID 10097) "SSH -- Client Request Outbound", (or make access rule to block outbound TCP/22 SSH Service from LAN->WAN).

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events