Solved: Re: BLOCK PSIPHON VPN

vishnukanth · ‎2025-12-18

BLOCK PSIPHON VPN

I am trying to block Psiphon VPN on a Check Point firewall, but I am facing an issue.

I first attempted to block Psiphon using Application Control & URL Filtering.
The rule shows Drop logs, however Psiphon VPN continues to work at the user end.

Next, I enabled HTTPS Inspection and applied a block policy.
The logs show traffic as Inspected, but Psiphon VPN is still able to connect successfully.

I think that Psiphon VPN is bypassing the Check Point firewall, even though the logs indicate the traffic is being dropped/inspected.

Could anyone please advise on this,

Is there a recommended or proven method to block Psiphon VPN on Check Point?

Is this a known limitation, and should this be raised with Check Point TAC?

Any inputs or best-practice recommendations would be greatly appreciated.

PhoneBoy · ‎2025-12-19

I assume R81.20, then?
From recent TAC cases, it seems others are experiencing similar issues.
Problems blocking this app have been reported several times over the last few years.
Suggest opening a TAC case so we can investigate further.

View solution in original post

Chris_Atkinson · ‎2025-12-19

We are missing some detail for us to be able to help effectively:

- What additional blades are enabled?

- What does the access policy look like for outbound traffic including things like SSH, QUIC etc?

- What version/JHF is the gateway?

CCSM R77/R80/ELITE

vishnukanth · ‎2025-12-19

Hi Chris,

1 the enabled blades are firewall,IPSEC VPN,Mobile access,APCL & URLF,Monitoring and we did the https inspection

2 the outbound traffic including things like 80,443,53 and we blocked the QUIC protocol

3 Next we created a HTTPS inspection rule with any services & default services and set the rule to inspect but still its working perfectly.

4 Gateways are installed with JHF T119

PhoneBoy · ‎2025-12-19

I assume R81.20, then?
From recent TAC cases, it seems others are experiencing similar issues.
Problems blocking this app have been reported several times over the last few years.
Suggest opening a TAC case so we can investigate further.

Vincent_Bacher · ‎2025-12-19

Independent of your special use case, there is an old thread apparently discussing same topic:

Solved: Block Psiphon 2023 - Check Point CheckMates

Solution was an offline package to update the Psiphon signature. Maybe it fits to your case, then contacting TAC would be a good idea.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite

the_rock · ‎2025-12-19

Is this what you used?

Best,
Andy
"Have a great day and if its not, change it"

vishnukanth · ‎2025-12-19

yes this is the application Iam trying to Block

the_rock · ‎2025-12-19

Another thing I would try is also add custom app group and include *psiphon* in it and see if that works by blocking it.

Best,
Andy
"Have a great day and if its not, change it"

vishnukanth · ‎2025-12-19

Hi Rock,

I tried with custom application group,URL, categories as well.. but still its same

I cant able to block this Application with the CP firewall

the_rock · ‎2025-12-20

Do you have https inspection enabled? Nm, I see you do...I would open TAC case and see what they say.

Best,
Andy
"Have a great day and if its not, change it"

vishnukanth · ‎2025-12-20

yes I have enabled the HTTPS INSPECTION! and the VPN is not blocked by CP firewall.

Are you a member of CheckMates?

BLOCK PSIPHON VPN