Overview

This article describe the recommended CLI settings for the application filter in order to better detect and block critical and evasive applications such as Psiphon, Tor Proxy (Tor Browser), Torrent, Ultrasurf, HotSpot Shield, etc.

The following sections are covered:

• What to do

Applies to the following Sophos products and versions
Sophos Firewall and Cyberoam

What to do

CLI settings

1. Sign in to the Sophos XG Firewall's console and select 4. Device Console.
2. Verify the current configuration by issuing the following commands.
   show advanced-firewall
show ips-settings
3. Issue the following commands for the recommended settings.
   set advanced-firewall midstream-connection-pickup off
set ips maxsesbytes-settings update 0
set ips maxpkts 80
set ips packet-streaming on
   
   
   
   
   

GUI settings

Application filter policy settings

Along with P2P and Proxy and Tunnel category, applications listed below must be denied in the application filter policy. In case of CROS Micro App should be enabled in Application filter Policy.

• DNS Multiple QNAME
• OpenVPN
• QUIC
• Non-SSL/TLS traffic on port 443

Firewall rule settings

The same application filter policy (as configured above) must be applied to DNS Firewall rule as well, if there is any.

For Psiphon Proxy

V17.5 and prior deployments

CLI + GUI Settings.

1. In v17.5, HTTPS scanning needs to be enabled in firewall rule.
2. Web filter policy with below categories denied must be applied to the concerned firewall rule.
   1. IPAddress
   2. None
   3. Parked Domains
   4. Spam URLs (Available only in XG)
   5. Anonymizers
   6. Spyware & Malware
   7. Uncategorized
3. Custom Web Filter categories should be also verified and keywords should not be allowed for well-known domains such as yahoo, microsoft, google, twitter, wikipedia, skype, facebook, bing etc.
4. Block Invalid Certificates must be enabled in SFOS and Allow Invalid Certificates should be disabled in CROS.
5. Allow only HTTPS, HTTP, DNS, ICMP, SMPT. Services on LAN→WAN; if Psiphon is connected even after following all steps then it's highly possible that other port's traffic is passing through other firewall rules (One can allow 1025 to 65535 Ports).
   
   a) For Example, primary rule should have only limited services allowed.
   
   
   
   b) And the rule below the primary rule should 'deny' traffic for port range 1 to 1024 (Registered Ports), for same source machines.
   
   
   
   
   
6. Block Non-SSL/TLS traffic on port 443 application on concern application filter policy.
7. After performing all above steps and psiphon is still getting connected then white list DNS rule by putting known DNS servers in Destination. (One can use, 8.8.8.8,4.2.2.2,8.8.4.4,9.9.9.9,1.0.0.1,1.1.1.1). This may help to avoid bug CLITE-790.

For V18 Deployments

1. SSL/TLS inspection should be enabled under SSL/TLS inspection settings and one decryption rule needs to be created based on firewall rules.
   
   
   
   
   
2. Block Invalid Certificates must be enabled in SFOS and Allow Invalid Certificates should be disabled in CROS.
3. Allow only HTTPS, HTTP, DNS, ICMP, SMPT. Services on LAN→WAN; if Psiphon is connected even after following all steps then it's highly possible that other port's traffic is passing through other firewall rules (One can allow 1025 to 65535 Ports).

For Hot Spot Shield Proxy

1. Enable HTTPS scanning.
2. Configure all CLI and GUI settings.
3. Enable option in Web > General Settings > Block unrecognized SSL protocols.
4. Enable option in Web > General Settings > Block invalid certificates.