USG40


All Replies

  • joudeh1996
    I tried on Windows and Android
    It still connected
    What to do?
    I'm ready for a remote connection to view my problem
  • PeterUK
    PeterUK Posts: 2,761  Guru Member
    edited August 2022
    How to update my signature?

    Config > licensing > signature update > IDP/AppPatrol tab

    I tested on mobile with Android 12; the app is called Psiphon Pro. I think they did a good job of bypassing the firewall, short of blocking all LAN to WAN, that is.


  • joudeh1996
    I tried on Windows and Android
    It still connected
    What to do?
  • joudeh1996
    Hello Cooldia
    I'm waiting for your reply

  • zyman2008
    zyman2008 Posts: 199  Master Member
    edited August 2022
    Since Psiphon will try to go through these ports: QUIC (UDP port 443), SSH (TCP port 22), DNS (TCP/UDP port 53), HTTP (TCP port 80), HTTPS (TCP port 443),
    I did a couple of tests with Psiphon Pro on an Android 12 phone under a ZyWALL110.

    Test case 1:
    Allow only HTTP (TCP port 80) from Android phone to Internet + App Patrol block Psiphon
    Result: Can block Psiphon

    Test case 2:
    Allow only HTTPS (TCP port 443) from Android phone to Internet + App Patrol block Psiphon + SSL inspection (block unsupported/untrusted cipher & inspect TLS 1.0/1.1/1.2)
    Result: Cannot block Psiphon. In the App Patrol statistics the traffic is identified as SSL/TLS (Access).

    Test case 3:
    Allow only SSH (TCP port 22) from Android phone to Internet + App Patrol block Psiphon
    Result: Cannot block Psiphon. In the App Patrol statistics the traffic is identified as Secure Shell (SSH) (Authentication).

    Test case 4:
    Allow only DNS (UDP port 53) from Android phone to Internet + App Patrol block Psiphon
    Result: Cannot block Psiphon. In the App Patrol statistics the traffic is identified as DNS (Access).

    So here are my thoughts:
    It looks like there is no effective way to block Psiphon with my ZyWALL110,
    although test case 1 can block it.
    But the main issue is that it is not possible to block the HTTPS port for Internet surfing.

  • PeterUK
    PeterUK Posts: 2,761  Guru Member

    But might be possible by doing this

    https://community.zyxel.com/en/discussion/14061/ssl-tls-filtering-must-have-extension-server-name

    Since Psiphon gets around this by not having the server_name extension, blocking traffic without it might stop Psiphon, with limited outgoing port rules.
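
The check suggested in the post above (drop TLS sessions whose ClientHello carries no server_name extension), as an added Python example that is not part of the thread and not Zyxel's implementation. It assumes the whole ClientHello arrives in a single TLS record; `should_block` is a hypothetical policy function and `build_client_hello` produces constructed sample bytes.

```python
import struct

SNI_EXT = 0x0000  # server_name extension type (RFC 6066)

def client_hello_sni(record: bytes):
    """Classify one TLS record: ('sni', host), ('no_sni', None),
    ('not_client_hello', None) or ('malformed', None)."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:  # handshake record + ClientHello
            return ("not_client_hello", None)
        pos = 5 + 4 + 2 + 32                        # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]                      # session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher_suites
        pos += 1 + record[pos]                      # compression_methods
        if pos == len(record):                      # hello ends here: no extensions at all
            return ("no_sni", None)
        ext_end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == SNI_EXT:
                # data: list_len(2) name_type(1) name_len(2) host_name
                name_len = struct.unpack_from("!H", record, pos + 3)[0]
                host = record[pos + 5:pos + 5 + name_len]
                if record[pos + 2] != 0 or name_len == 0 or len(host) != name_len:
                    return ("malformed", None)
                return ("sni", host.decode("ascii"))
            pos += ext_len
        return ("no_sni", None)
    except (IndexError, struct.error, UnicodeDecodeError):
        return ("malformed", None)

def should_block(record: bytes) -> bool:
    """Hypothetical policy: drop ClientHellos that are malformed or lack server_name."""
    return client_hello_sni(record)[0] in ("no_sni", "malformed")

def build_client_hello(host=None) -> bytes:
    """Constructed sample ClientHello for the demo, not captured traffic."""
    ext = struct.pack("!HH", 0x000A, 4) + b"\x00\x02\x00\x17"  # supported_groups
    if host:
        name = host.encode("ascii")
        sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        ext = struct.pack("!HH", SNI_EXT, len(sni)) + sni + ext
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f"
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Clients that connect to a literal IP address send no server_name either, so a rule like this blocks them as well.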


  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,454  Zyxel Employee
    Hi @joudeh1996,
    We are working on it and will keep updating the status in this thread.

