User Bypassing Application Control

Hi, Thank you! You' re right, my policy order was wrong, I activated the " Count" column and they were all in 0 bytes. I then moved them to the top and now I see counters working. I did it the GUI way, through Add Address - Geographic, selected country and then group them all in one IP Address Group. Then I added the LAN - WAN policy to block that IP group. But I think this is like " sealing an old and broken water pipe" , I' m covering a fissure and suddenly another one appears. I wonder if this user is using sort of proxy software or P2P, though they' re already blocked using the Application Control. I' m taking note of ports in order to see a pattern but now he' s using port 80 too. I can block IP' s from China, Taiwan, Korea, etc. but I' m not going to block IP' s from USA, Germany or Italy. Any tip? Regards,

Are you using the extended ips db? It may recognize additional applications. I understand you are not using AV (potential botnet connection blocking)? Is there a business need to allow users (this user) to connect to unknown services (ports) - i.e. other than http, https, ftp, ... ? Do you see a possibility to identify the user/PC and contact or visit him/her? On the other hand, many CDNs are using geographically distributed servers for certain services, even AV software updates, but also applications like teamviewer and others... can you provide some port numbers you have observed (and is it tcp or udp)?

Hi, I' m using the high-security profile of the IPS, where can I check for the extended IPS or is it the same? AV module is running with default profile too (I guess there' s no many settings I can modify in this module). CDN would be possible, but if any of the other users were using the same servers, under port 80, with bandwith less than 70 mb in only one session and with info related to some domains and their owners, but this user in particular is using for example, ports 3395, 4941,4614,1348 and 2686. It' s a good security practice to reduce access by protocol, I' ll try to do that change later at night, where nobody is connected. I have all devices identified with their username, we' d warn him but I think this is also a chance to learn to block and secure your network, that' s the only reason I feel thanked with this kind of users :lol: Regards,

ok, for ips:

  config ips global   set database extended  end  

You said you are using the latest version (5.2.0?) Is your AV profile flow-based in default mode (flow-scan-mode full) and the checkbox for blocking botnet connections is enabled? If not yet enabled, you should use at least certificate inspection in your webfilter profile. The ports appear quite random but the switch-back to known ports may provide an advantage in your investigation. If this is a messaging application or otherwise a p2p, the user needs to log on to a certain site/domain/server before he can establish a direct connection to someone else. If this is an SSL secured service, certificate inspection may provide you the domain he initially attempts to log on to and this is the first place to stop him. Whitelisting application ports / services is always a good idea. If anything is not working on standard ports, it is not too complicated to add an unintentionally blocked application afterwards. You may of course also add a shared traffic shaper 1k/1k in/out to all unknown applications in your app profile. This automatically keeps many users from using certain applications.

Yep, I' m using the latest version (5.2.0) and blocking botnet connections both in Application Control and AV module. I was using certificate-inspection but caused my users to constantly get errors in some https websites, so I decided to disable it (monitor). I changed my policies to only allow known and authorised protocols to my users, I' ll monitor this change during today and check if those weird connections are then blocked. Regards,