We have a number of users that are using Psiphon to bypass our web filter and Wifi voucher system. Although the UTM has an application profile for Psiphon, it doesn't appear to work properly. For the locations that I know are using Psiphon, there is no traffic being logged under the application category. Instead, I am seeing tens of gigabytes of traffic being categorized as "Unauthorized Hotspot Client". My understanding is that "Unauthorized Hotspot Client" should only be logged when a user tries to go online but they don't have a valid wifi voucher, so they need to enter the code.
Looking at the packet logs, Psiphon appears to be tunneling using port 53 (DNS), which the UTM seems to be allowing through whether they have a voucher or not. I obviously can't block port 53, and the UTM isn't categorizing the traffic properly either, so my only solution is to see which clients have excessive traffic being logged as "Unauthorized Hotspot Client" and block them by MAC.
Our ISP can identify the traffic, which is how we know it's Psiphon, so why can't the UTM? Is this a bug?
UTM Details:
SG 115
Firmware: 9.41.3-4
Pattern: 131447
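
The per-client check described in the post (finding clients with excessive port 53 traffic so they can be blocked by MAC), as an added example that is not part of the original post and not Sophos code. The key="value" log layout, the field names (`srcmac`, `dstip`, `dstport`, `length`) and the sample lines are constructed assumptions; map them to whatever your packet filter log export actually contains.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real UTM output); field names are assumptions.
SAMPLE_LOG = """\
srcmac="aa:bb:cc:00:00:01" srcip="10.0.0.11" dstip="10.0.0.1" dstport="53" length="74"
srcmac="aa:bb:cc:00:00:01" srcip="10.0.0.11" dstip="10.0.0.1" dstport="53" length="80"
srcmac="aa:bb:cc:00:00:01" srcip="10.0.0.11" dstip="192.0.2.8" dstport="443" length="1500"
srcmac="AA:BB:CC:00:00:02" srcip="10.0.0.12" dstip="198.51.100.7" dstport="53" length="1400"
srcmac="aa:bb:cc:00:00:02" srcip="10.0.0.12" dstip="198.51.100.7" dstport="53" length="1380"
srcmac="aa:bb:cc:00:00:02" srcip="10.0.0.12" dstip="198.51.100.9" dstport="53" length="1420"
srcmac="aa:bb:cc:00:00:02" srcip="10.0.0.12" dstip="198.51.100.9" dstport="53" length="1400"
srcmac="aa:bb:cc:00:00:03" srcip="10.0.0.13" dstip="10.0.0.1" dstport="53" length=""
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')


def port53_usage(lines):
    """Sum bytes and packets sent to destination port 53, keyed by source MAC."""
    usage = defaultdict(lambda: {"bytes": 0, "packets": 0, "dests": set()})
    for line in lines:
        fields = dict(FIELD.findall(line))
        if fields.get("dstport") != "53" or not fields.get("srcmac"):
            continue
        try:
            size = int(fields.get("length", ""))
        except ValueError:
            continue  # skip records without a usable length
        rec = usage[fields["srcmac"].lower()]  # normalise MAC case
        rec["bytes"] += size
        rec["packets"] += 1
        rec["dests"].add(fields.get("dstip", "?"))
    return usage


def heavy_port53_clients(lines, max_bytes):
    """Return (mac, bytes, packets, destinations) for clients over max_bytes."""
    flagged = [
        (mac, rec["bytes"], rec["packets"], sorted(rec["dests"]))
        for mac, rec in port53_usage(lines).items()
        if rec["bytes"] > max_bytes
    ]
    return sorted(flagged, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    # 2000 bytes is a demo threshold for the tiny sample; size it to your log window.
    for mac, total, packets, dests in heavy_port53_clients(SAMPLE_LOG.splitlines(), 2000):
        print(f"{mac}  {total} bytes in {packets} packets to {', '.join(dests)}")
```

The destination list is reported alongside the byte count so a flagged client's port 53 peers can be compared with the resolvers the site actually hands out.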