How to block VPN apps?

Hi all,

I have an XG 550. I would like to block VPN apps like X-VPN, UltraVPN or something like that.
I created an application filter policy following this guide

I also block all proxy and VPN apps listed in Application Filter Criteria.

But users can still use X-VPN to bypass the XG.
My XG is running 16.05.8.

Please give me some advice.
Thank you.

  • In reply to The Do:

    Sophos XG (SFOS 17.1.3 MR-3) is NOT blocking a number of VPN apps including X-VPN and Psiphon so our students are able to bypass all firewall rules and web filters. Enabling "Decrypt & Scan HTTPS" does not make any difference either. 

    I came across this post recently and was unpleasantly surprised that 5 months later Sophos has not developed updated application filters, rendering the Sophos XG firewall useless in a school environment. I have raised a support ticket with Sophos and will post feedback once I hear back from them. I manage a number of Sophos firewalls for schools and think it's time to consider other options. Fortigate is looking increasingly good!!!

  • In reply to envercpt:

    Thank you, envercpt, for your information. A school environment is also exactly what I'm experiencing. Students always try to bypass the firewall.

    I was creating a support ticket. The Sophos guy instructed me to do many, many things and it looked like it blocked X-VPN. But it also made it difficult to use other apps like WhatsApp and Facebook.
    Anyway, I'm looking forward to hearing the result from you.

  • In reply to The Do:

    In a corporate environment errant employees can be fired. Difficult to fire students ;-)

  • In reply to envercpt:

    Sophos Support response to the ticket I raised: "The matter currently is being investigated by our development team with the ID NC-33664."

  • In reply to envercpt:

    Glad to hear that. Thanks, envercpt. Hope they can figure it out.

  • In reply to The Do:

    Update: Been troubleshooting with Sophos support who say there are new IPS definitions but in order to block X-VPN and PSIPHON I have to enable Decrypt & Scan HTTPS. The problem with this "solution" is that we are a BYOD environment and installing the Sophos certificate on +2000 personal devices will be an administrative nightmare. In the interim, we have informed our students that we are aware of these attempts to circumvent the firewall rules and that spot checks will be done resulting in severe punitive measures.