USG40


All Replies

  • I tried on Windows and Android.
    It still connected.
    What to do?
    I'm ready for a remote connection so you can view my problem.
  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    edited August 2022
    How to update my signature?

    Config > licensing > signature update > IDP/AppPatrol tab

    I tested on mobile with Android 12. The app is called Psiphon Pro; I think they did a good job of bypassing the firewall, short of blocking all LAN to WAN, that is.


  • I tried on Windows and Android.
    It still connected.
    What to do?
  • Hello Cooldia,
    I'm waiting for your reply.

  • zyman2008
    zyman2008 Posts: 223  Master Member
    edited August 2022
    Since Psiphon will try to go through these ports: QUIC (UDP port 443), SSH (TCP port 22), DNS (TCP/UDP port 53), HTTP (TCP port 80), HTTPS (TCP port 443),
    I did a couple of tests with Psiphon Pro on an Android 12 phone behind a ZyWALL 110.
    Test case 1:
    Allow only HTTP (TCP port 80) from the Android phone to the Internet + App Patrol block Psiphon
    Result: Can block Psiphon.

    Test case 2:
    Allow only HTTPS (TCP port 443) from the Android phone to the Internet + App Patrol block Psiphon + SSL inspection (block unsupported/untrusted ciphers & inspect TLS 1.0/1.1/1.2)
    Result: Cannot block Psiphon. In the App Patrol statistics the traffic is shown as SSL/TLS (Access).

    Test case 3:
    Allow only SSH (TCP port 22) from the Android phone to the Internet + App Patrol block Psiphon
    Result: Cannot block Psiphon. In the App Patrol statistics the traffic is shown as Secure Shell (SSH) (Authentication).

    Test case 4:
    Allow only DNS (UDP port 53) from the Android phone to the Internet + App Patrol block Psiphon
    Result: Cannot block Psiphon. In the App Patrol statistics the traffic is shown as DNS (Access).

    So here are my thoughts:
    Looks like there is no effective way to block Psiphon with my ZyWALL 110.
    Although test case 1 can block it,
    the main issue is that it's not possible to block the HTTPS port for Internet surfing.

  • PeterUK
    PeterUK Posts: 3,461  Guru Member

    But it might be possible by doing this:

    https://community.zyxel.com/en/discussion/14061/ssl-tls-filtering-must-have-extension-server-name

    Since Psiphon gets around this by not having the server_name extension, blocking traffic without that extension might stop Psiphon when combined with limited outgoing port rules.

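The check referred to in the linked thread, blocking TLS ClientHellos that carry no server_name (SNI) extension, can be reproduced in a few lines of parsing. The example below is added here and is not code from the thread or from Zyxel; `build_client_hello` only constructs sample records so the parser can be exercised offline, and the hostname and cipher values in it are made up.

```python
import struct

def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record (constructed sample, not a capture)."""
    ext = b""
    if server_name is not None:
        host = server_name.encode()
        name_list = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni = struct.pack("!H", len(name_list)) + name_list
        ext += struct.pack("!HH", 0x0000, len(sni)) + sni             # extension type 0 = server_name
    sigalg = b"\x00\x02\x04\x03"                                      # signature_algorithms, so the no-SNI case still has extensions
    ext += struct.pack("!HH", 0x000d, len(sigalg)) + sigalg
    body = b"\x03\x03" + bytes(32)                                    # client_version + random
    body += b"\x00"                                                   # session_id length 0
    body += b"\x00\x02\xc0\x2f"                                       # one cipher suite
    body += b"\x01\x00"                                               # compression methods: null
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body            # handshake type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs          # record type 22 (handshake)

def client_hello_sni(data):
    """Return the SNI hostname, '' if the ClientHello has no server_name, or None if not a ClientHello."""
    if len(data) < 44 or data[0] != 0x16 or data[5] != 0x01:
        return None
    p = 5 + 4 + 2 + 32                     # skip record header, handshake header, version, random
    sid_len = data[p]; p += 1 + sid_len
    cs_len = struct.unpack("!H", data[p:p + 2])[0]; p += 2 + cs_len
    cm_len = data[p]; p += 1 + cm_len
    if p + 2 > len(data):
        return ""                          # no extensions block at all
    ext_len = struct.unpack("!H", data[p:p + 2])[0]; p += 2
    end = min(p + ext_len, len(data))
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", data[p:p + 4]); p += 4
        if etype == 0x0000 and elen >= 5:
            name_len = struct.unpack("!H", data[p + 3:p + 5])[0]   # skip list length and name_type
            return data[p + 5:p + 5 + name_len].decode("ascii", "replace")
        p += elen
    return ""

def lacks_sni(data):
    """Policy hook: True only for a parsed ClientHello that carries no server_name extension."""
    return client_hello_sni(data) == ""
```

Note that this flags a TLS handshake without SNI, which also matches some legitimate clients (IP-literal connections, older embedded software), so it belongs on a restricted egress rule rather than as a blanket drop.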

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Hi @joudeh1996,
    We are working on it and will keep the status updated in this thread.