
Sophos Firewall : Application filter recommended settings for better application detection

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

This Recommended Read describes the recommended Application filter settings (CLI and GUI) for blocking critical/evasive applications such as Psiphon, Tor Proxy (Tor Browser), Torrent, Ultrasurf, HotSpot Shield, etc.

CLI settings


  • Max Packet value must be at least 80
  • Max Session byte values must be 0
  • Packet Streaming must be ON

To verify the current configuration, log in to the Sophos Firewall console, select 4. Device Console and run:

show ips-settings

To apply the recommended settings, run the following commands:

set ips maxpkts 80
set ips maxsesbytes-settings update 0
set ips packet-streaming ON

Advanced-Firewall Settings

  • Midstream Connection Pickup must be OFF

You may verify and set this setting with the commands below.

show advanced-firewall
set advanced-firewall midstream-connection-pickup off

GUI settings

Application filter policy settings

Along with the "P2P" and "Proxy and Tunnel" categories, the applications listed below must be denied in the relevant application filter policy.

  • DNS Multiple QNAME
  • OpenVPN
  • QUIC
  • Non-SSL/TLS traffic on port 443

Firewall rule settings

The same application filter policy (as configured above) must also be applied to the "DNS Firewall rule", if there is one.

For Psiphon Proxy

  1. SSL/TLS inspection should be enabled under SSL/TLS inspection settings, and one decryption rule needs to be created based on the firewall rules.
     a. Action must be "Decrypt".
     b. Profile is set to "Maximum Compatibility".
  2. In the firewall rule, Legacy Proxy has to be "Disabled" (Web Policy = None).
  3. Block Invalid Certificates (PROTECT > Web > General Settings > HTTPS decryption and scanning) must be enabled in SFOS.
  4. Allow only the HTTPS, HTTP, DNS, ICMP and SMTP services on LAN/WAN. If Psiphon still connects after following all the steps, it is highly likely that traffic on other ports is passing through other firewall rules (one can allow ports 1025 to 65535).
     a. For example, the primary rule should have only limited services allowed.
     b. The rule below the primary rule should 'deny' traffic for port range 1 to 1024 (Registered Ports) for the same source machines.
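As an added illustration (not part of the original post, and not a Sophos tool), the first-match evaluation behind step 4: a constructed rule set with a limited primary rule, the deny for ports 1 to 1024 beneath it, and a forgotten broad rule further down, plus an audit of which destination ports a LAN host still reaches. Rule names, the 10.0.0.0/24 network and the rule order are assumptions made for the example.

```python
# Added example: first-match evaluation of an ordered firewall rule set, used to
# audit which destination ports a source still reaches once a "limited services"
# rule and a "deny 1-1024" rule are in place. The rule set below is constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "allow" or "deny"
    src: str                # source network, e.g. "10.0.0.0/24"
    proto: str              # "tcp", "udp" or "any"
    ports: tuple[int, int]  # inclusive destination port range


def match(rule: Rule, src_ip: str, proto: str, dport: int) -> bool:
    """True if the flow falls inside the rule's source, protocol and port range."""
    in_src = ip_address(src_ip) in ip_network(rule.src)
    in_proto = rule.proto in ("any", proto)
    return in_src and in_proto and rule.ports[0] <= dport <= rule.ports[1]


def evaluate(rules, src_ip: str, proto: str, dport: int) -> tuple[str, str]:
    """Top-down, first matching rule wins; no match means an implicit deny."""
    for rule in rules:
        if match(rule, src_ip, proto, dport):
            return rule.action, rule.name
    return "deny", "<implicit>"


def allowed_ports(rules, src_ip: str, proto: str = "tcp") -> dict[str, list[int]]:
    """Map each allowing rule to the destination ports this source reaches via it."""
    # Source and protocol do not vary across ports, so filter once, then sweep.
    candidates = [r for r in rules if match(r, src_ip, proto, r.ports[0])]
    reach: dict[str, list[int]] = {}
    for dport in range(1, 65536):
        for rule in candidates:
            if rule.ports[0] <= dport <= rule.ports[1]:
                if rule.action == "allow":
                    reach.setdefault(rule.name, []).append(dport)
                break  # first match wins, later rules are never consulted
    return reach


LAN = "10.0.0.0/24"  # constructed source network
RULES = [
    Rule("primary-http", "allow", LAN, "tcp", (80, 80)),
    Rule("primary-https", "allow", LAN, "tcp", (443, 443)),
    Rule("primary-dns", "allow", LAN, "udp", (53, 53)),
    Rule("primary-smtp", "allow", LAN, "tcp", (25, 25)),
    Rule("deny-registered", "deny", LAN, "any", (1, 1024)),
    Rule("legacy-any", "allow", LAN, "any", (1, 65535)),  # the rule that leaks
]
```

Running `allowed_ports(RULES, "10.0.0.25")` reports that every TCP port from 1025 to 65535 is still reachable through `legacy-any`, which is the kind of rule to look for when Psiphon keeps connecting.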

Betternet VPN

To block Betternet VPN, we have to block invalid certificates (which are usually used by such proxy applications). Perform the steps below:

  1. Apply the CLI and GUI settings mentioned above.
  2. In the SFOS UI, go to Rules and Policies > SSL/TLS Inspection Rules and create a rule with Action "Don't Decrypt" and Profile "Block Insecure SSL".
  3. Disable the default rule "Exclusions by website".

Hot Spot Shield Proxy

  1. Enable HTTPS scanning.
  2. Configure all CLI and GUI settings.
  3. Enable option in Web > General Settings > Block unrecognized SSL protocols.
  4. Enable option in Web > General Settings > Block invalid certificates.

Updated Disclaimer
[edited by: Erick Jan at 9:10 AM (GMT -7) on 17 Apr 2023]