
How to block VPN apps?

Hi all,

I have an XG 550. I would like to block VPN apps like X-VPN, UltraVPN or something like that.
I created an application filter policy following this guide https://community.sophos.com/kb/en-us/123108

I also block all proxy and VPN apps listed in Application Filter Criteria.

But users can still use X-VPN to bypass the XG.
My XG is running 16.05.8.

Please give me some advice.
Thank you.



  • Create an Application Filter policy with the details below:

    1. Block 'Proxy and Tunnel' category.

    2. Block Category - Category = ALL except Proxy and Tunnel, Characteristics = Can bypass firewall policy.

    3. Block 'DNS Multiple QNAME'.

    Web Filter - Block Anonymizers, Peer-to-Peer on HTTP, HTTPS.

    Create a Test rule on top for one machine and apply this. Keep it on top of even the DNS rule.

    If it doesn't work, go to console and increase max packets to 100.

    set ips maxpkts 100

    Let us know if it works.

  • Thanks for your advice.
    I did it but it didn't help. It can block other VPN apps like FastVPN, UltraVPN but can't block X-VPN.
    I see that X-VPN uses 7 protocols. After adjusting the policy following your instruction, XG just blocks 2 of those 7. And then X-VPN connected with the 3rd protocol.

  • Hi,

    I have been experimenting with my firewall rules.

    You need a two-pronged approach:

    1/. web filter rule - xvpn.io and x-vpn.io deny

    2/. you need an application rule blocking proxy and tunnel as well as p2p sites.

    If you need specifics I will copy my rules for you. Mind you, I think I have broken my neighbour's work tunnel. I will build a new set of application rules for my specific access.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi guys, thank you for all your comments. Actually I opened a support ticket. At least 3 technicians joined that ticket. Finally I received the best answer from the senior technician:

    - We expect the user machine to have the Sophos Secure certificate available and installed, as this is required. HTTPS scanning needs to be enabled in the firewall rule, which is there, and without this setting XG will not take action on application traffic.

    For reference, please follow below KB article for adding certificate on user machine.

    https://community.sophos.com/kb/en-us/123048

    - Go to Protect > Web > Protection > Click on Advance and enable the settings below.

    > Enable Pharming Protection.
    > Block unrecognized SSL protocols.

    It could help. But we must install the certificate on all devices joining the network. Is it possible? And somehow those settings also caused some trouble with other apps like Facebook or WhatsApp.

    In general, it is impossible to block X-VPN in the simplest way by blocking the X-VPN category. And if you block X-VPN at any cost, some other apps will have issues.

  • Hey, so this method will basically look for anything sent in the headers. If there is anything in the headers to suggest it is a VPN it will be blocked. This method is essentially a man in the middle attack and will break most HTTPS sites if they have certificate pinning.

    If it helps, X-VPN is partly written in Go and some of the files it “steals” its code from are from GitHub.

  • This is a client and they are using X-VPN to get past all of the other rules. What they don't know is that we are aware of what they are doing... :D

  • Are you aware of what other apps will have issues?  As this is a corporate client I have to be careful what I am blocking!

    They have VPN connections set up to access the server from 4 different locations and run a couple of different programs on it.

    Thanks kindly!

  • In my case, Facebook can't load the image, WhatsApp on mobile can't connect.

  • Sophos XG (SFOS 17.1.3 MR-3) is NOT blocking a number of VPN apps including X-VPN and Psiphon so our students are able to bypass all firewall rules and web filters. Enabling "Decrypt & Scan HTTPS" does not make any difference either. 

    I came across this post recently and was unpleasantly surprised that 5 months later Sophos has not developed updated application filters, rendering the Sophos XG firewall useless in a school environment. I have raised a support ticket with Sophos and will post feedback once I hear back from them. I manage a number of Sophos firewalls for schools and think it's time to consider other options. Fortigate is looking increasingly good!!!

  • Thank you envercpt for your information. A school environment is also exactly what I'm experiencing. Students always try to bypass the firewall.

    I created a support ticket. The Sophos guy instructed me to do many, many things and it looked like it blocked X-VPN. But it also made it difficult to use other apps like WhatsApp and Facebook.
    Anyway, I'm looking forward to hearing the result from you.

  • In a corporate environment errant employees can be fired. Difficult to fire students ;-)

  • Sophos Support response to the ticket I raised: "The matter currently is being investigated by our development team with the ID NC-33664."

  • Glad to hear that. Thanks, envercpt. Hope they can figure it out.

  • Update: Been troubleshooting with Sophos support who say there are new IPS definitions but in order to block X-VPN and PSIPHON I have to enable Decrypt & Scan HTTPS. The problem with this "solution" is that we are a BYOD environment and installing the Sophos certificate on +2000 personal devices will be an administrative nightmare. In the interim, we have informed our students that we are aware of these attempts to circumvent the firewall rules and that spot checks will be done resulting in severe punitive measures.