Operational Defect Database

BugZero found this defect 2664 days ago.

WatchGuard Technologies | kA10H000000g3U5SAI

Application Control does not block Psiphon3

Last update date:

2/1/2017

Affected products:

Firebox M200

Firebox M300

Firebox M270

Firebox M370

Firebox M470

Firebox M570

Firebox M670

Firebox M290

Firebox M390

Firebox M400

Firebox M500

Firebox M440

Affected releases:

All

Fireware

11.x

11.1.x

11.10.x

11.10

11.10.1

11.10.2

11.10.3

11.10.4

11.10.5

11.10.6

Fixed releases:

All

Description:

Issue

When you configure Application Control to block Psiphon3, the Firebox cannot block current versions of the Psiphon3 proxy. The Firebox also cannot block Psiphon3 if you block the entire Bypass Proxies and Tunnels category.

Workaround/Solution

To block Psiphon3, you must configure the Firebox as follows:

1. Use the TCP-UDP proxy to handle outbound traffic.

2. Configure the TCP-UDP proxy action to use Application Control.

3. Set the TCP-UDP proxy action for Other Protocols to Deny.

4. Configure any HTTPS proxy action that handles outbound traffic to use Content Inspection.

5. Add a policy to deny DNS traffic on TCP port 53, and a second policy to allow DNS requests from your internal DNS server. If you must use an external DNS server, configure the policy to allow requests only to that specific server.

6. Add a policy to deny SSH traffic on TCP port 22. If any internal host needs to connect over SSH to an external host, add specific policies to allow that connection.

To learn more about the TCP-UDP proxy, see About the TCP-UDP-Proxy. To learn more about Application Control configuration, see About Application Control. To learn more about how to configure policies in your configuration, see Add Policies to Your Configuration.


Status

Open
