DotW: Blocking PSiphon 3

DotW: Blocking PSiphon 3

Created On 09/25/18 19:05 PM - Last Modified 07/18/19 20:12 PM


You've set up a safe and secure environment only to have an avoidance application circumvent the security measures you've set in place. One such application is Psiphon, and if you're looking to defeat it, you've come to the right place.


A new hot topic this week as community member VinceM was looking for a good way to block Psiphon and several of our members pitched in with creative ways to go about blocking this evasive application. 


psiphon 3 block


Psiphon is a tunneling application designed to circumvent censorship and filtering. It utilizes VPN, SSH and HTTP Proxy technologies to provide access to its users that would otherwise be impossible by security policy, for example. It will, however, not be able to provide any sort of security to its users, so allowing this application within your organization could potentially expose sensitive information to be leaked into unknown hands.


To block Psiphon, Palo Alto Networks has created an application that can be used in a blocking security policy to prevent these types of connections from bypassing your security. Additional to the application, enable SSL decryption and set to block unsupported cypher suites. The psiphon application in VPN mode behaves exactly like a regular IPsec VPN so this is why we can't block it by just blocking psiphon application in the security policy.


To block psiphon in non-VPN mode, you need to:

    1. Turn on ssl decryption

    2. Block ssh and psiphon




You must block the following applications with the newer version of the app:


  • http-proxy
  • ike
  • ipsec
  • l2tp
  • ssh
  • ssh-tunnel
  • unknown-tcp


But why stop at Psiphon? There are many avoidance applications out there with more being added as demand rises from users wanting to bypass restrictions. A good way to keep up with new applications is use of Application Filters and blocking applications based on behavior rather than manually adding each individual application to the security policy.


In the Objects tab, look for the Application Filters. Once you create a new AF group, you can select the behavior you would like to create a group for. In this case, the 'proxy' subcategory and the 'evasive' characteristic populates the application list with all  currently known avoidance applications. The cool thing here is that the AF group is automatically  updated each time a new application is added to the latest content package, which matches the chosen characteristics of the group. Automatic updating ensures your security policy is always up to date.


application filter


Follow the discussion here or take a look at the original How to Block the Psiphon Application article.





  • Print
  • Copy Link

Choose Language