bmiranda (Staff)
Article Id 255232
Description: This article describes how to block Psiphon and other proxy applications used by end users to bypass the content restriction policies enforced by the FortiGate.
Scope: FortiOS 7.0 and later, Application Control.
Solution

Disclaimer:

Psiphon and other proxy applications are updated constantly, so blocking them on the FortiGate is a 'best-effort' practice: a 100% blocking success rate is not guaranteed. This is due to multiple factors, including new traffic patterns, newly registered domains, new proxy server IPs, and so on.

An application update may temporarily allow the application to bypass the FortiGate detection mechanisms. The FortiGuard team works continuously to ensure that any such update is met with a new signature update as quickly as possible, so that these connection attempts are blocked again.

For an overview, visit this link: https://www.fortiguard.com/appcontrol/32642.

As a brief overview, the following steps involve creating a proxy-based Firewall Policy that has Deep Inspection, Application Control, and Web Filter category filtering applied:

Step 1:

To make this solution work, it is necessary to enable Deep Packet Inspection so that the FortiGate can scan the TLS-encrypted payloads used by Psiphon. Otherwise, the FortiGate cannot look beyond the certificate of the domain being used and will be unable to identify the Psiphon application. For that, refer to Technical Tip: How to enable deep inspection and import a certificate in the browser.

In the SSL/SSH Inspection profile, it is necessary to enable the setting 'Inspect all ports'. This allows the FortiGate to scan the traffic using the IPS Engine, which improves detection of TLS traffic (especially on non-standard ports) and allows proxy-based Deep Inspection via WAD to function properly:

[Screenshot: ssl inspection.png]

Step 2:

Configure the Application Control profile (Security Profiles -> Application Control) to block the 'Proxy' category (optional), as well as the 'Psiphon' (aka 'Psiphon3'; mandatory) and 'QUIC' signatures (mandatory) in the Application and Filter Overrides section:

[Screenshot: AppControl.png]

Note:

  • This procedure is generally applicable to any proxy/VPN application, so choose whichever signatures are available for applications such as 'Turbo.VPN', 'Ultrasurf', 'Surf.VPN', and so forth. This article uses the 'Psiphon' application as an example.
  • If the proxy application's signatures are unavailable on the FortiGate but are displayed on the FortiGuard website, read the following article for steps on how to manually update the application control signatures: Technical Tip: How To Upgrade Application Control Definitions Manually
  • If the application control signatures are up to date and the proxy application is still not available, submit an Application Control Submission request at the following link: https://www.fortiguard.com/faq/appctrlsubmit

Step 3 (optional):

Configure the Web Filter profile to block the 'Proxy Avoidance' category:

[Screenshot: WebFilter.png]

Step 4:

Create a Proxy-mode Firewall Policy with the aforementioned profiles applied (Deep Inspection, Application Control, Web Filtering):

[Screenshot: FirewallPolicy.png]

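Steps 1 to 4 above, collected into a FortiOS 7.x CLI script, as an added example that is not part of the original article and not Fortinet's own configuration. The profile, policy and interface names are assumptions chosen for the example. The Psiphon application ID 32642 is the one referenced by the FortiGuard link at the top of this article, and application category 6 is the Proxy category (the same --app_cat value the custom signatures further below use); the QUIC application ID is left as a placeholder, and the web filter category ID 59 for 'Proxy Avoidance' should be verified against the current FortiGuard category list before use.

```fortios
# Added example (not from the original article): CLI equivalent of Steps 1-4.
# Names in quotes are assumptions; <...> values are placeholders to look up on fortiguard.com.

# Step 1: deep inspection profile with 'Inspect all ports' enabled (config ssl / inspect-all)
config firewall ssl-ssh-profile
    edit "psiphon-deep-inspection"
        set comment "Deep inspection on all ports so the IPS engine sees Psiphon TLS payloads"
        config ssl
            set inspect-all deep-inspection
        end
        config https
            set ports 443
            set status deep-inspection
        end
        config ssh
            set ports 22
            set status deep-inspection
        end
    next
end

# Step 2: Application Control profile; Psiphon and QUIC mandatory, Proxy category optional
config application list
    edit "block-psiphon"
        set comment "Block Psiphon, QUIC and the Proxy category"
        config entries
            edit 1
                set application 32642
                set action block
                set log enable
            next
            edit 2
                set application <QUIC-application-id>
                set action block
                set log enable
            next
            edit 3
                set category 6
                set action block
                set log enable
            next
        end
    next
end

# Step 3 (optional): Web Filter profile blocking 'Proxy Avoidance' (FortiGuard category 59; verify)
config webfilter profile
    edit "block-proxy-avoidance"
        config ftgd-wf
            config filters
                edit 1
                    set category 59
                    set action block
                next
            end
        end
    next
end

# Step 4: proxy-mode policy with the three profiles applied; place it above broader accept policies
config firewall policy
    edit 0
        set name "lan-to-wan-block-psiphon"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "psiphon-deep-inspection"
        set application-list "block-psiphon"
        set webfilter-profile "block-proxy-avoidance"
        set logtraffic all
        set nat enable
    next
end
```

Policies are matched top-down, so the new policy must sit above any broader accept policy for the same source interface, otherwise the unfiltered policy will match first. Deep inspection also requires the FortiGate CA certificate to be trusted on the client machines, as described in the technical tip referenced in Step 1; without it, clients receive certificate warnings but the blocking itself still applies.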
Step 5:

Now try to connect with Psiphon on the end-user machine. The application should be unable to connect, and the FortiGate logs should show the connections being blocked:

[Screenshot: logs.png]

Note:

If the application is able to connect again after some time, take into consideration the disclaimer at the start of this article.

Update:

Custom Application Control Signatures for Psiphon.

The following custom Application Control Signatures are helpful for blocking the Psiphon application specifically (see further below for usage suggestions):

#signature-1 (Psiphon.resume.client.tagone):

F-SBID( --name "Psiphon.resume.client.tagone"; --protocol tcp; --app_cat 6; --weight 20; --service ssl; --flow from_client; --seq =,1,relative; --data_size =517; --pattern "|1603010200010001fc0303|"; --context packet; --within 11,context; --pattern "|20|"; --context packet; --distance 32; --within 1; --pattern "|0000000000000000|"; --context packet; --pcre "/\x00\x23\x00[\x64-\xff]/"; --context packet; --tag set,tag.psi.resume.client.custom; --tag quiet; )

#signature-2 (Psiphon.resume.client.tagtwo):

F-SBID( --name "Psiphon.resume.client.tagtwo"; --protocol tcp; --app_cat 6; --weight 20; --service ssl; --flow from_client; --seq =,1,relative; --data_size <512; --pattern "|160301|"; --context packet; --within 3,context; --pattern "|01 00|"; --context packet; --distance 2; --within 2; --pattern !"|0000000000000000|"; --context packet; --pcre "/\x00\x23\x00[\x64-\xff]/"; --context packet; --tag set,tag.psi.resume.client.custom; --tag quiet; )

#signature-3 (Psiphon.resume.server.tag):

F-SBID( --name "Psiphon.resume.server.tag"; --protocol tcp; --app_cat 6; --weight 20; --service ssl; --flow from_server; --seq =,1,relative; --data_size >290; --data_size <440; --tag test,tag.psi.resume.client.custom; --pattern "|160303|"; --context packet; --within 3,context; --pattern "|02 00|"; --context packet; --distance 2; --within 2; --pattern "|20|"; --context packet; --distance 36; --within 1; --pattern "|c02f0000|"; --context packet; --distance 32; --within 4; --pattern "|000b0002010000230000|"; --context packet; --pattern "|160303|"; --context packet; --distance 0; --within 30; --pattern "|0400|"; --context packet; --distance 2; --within 2; --pattern "|1403030001011603030028|"; --context packet; --distance 100; --tag set,tag.psi.resume.server.varlength.custom; --tag quiet; )

#signature-4 (Psiphon.resume.test):

F-SBID( --name "Psiphon.resume.test"; --protocol tcp; --app_cat 6; --weight 20; --service ssl; --flow from_client; --seq >,298,relative; --seq <,519,relative; --data_size =51; --tag test,tag.psi.resume.server.varlength.custom; --pattern "|1403030001011603030028|"; --context packet; --within 11,context; )


For instructions regarding the creation of custom Application Control Signatures, refer to the following:

Technical Tip: How to apply and validate a custom application signature in FortiGate

Creating IPS and application control signatures

Usage: After creating the custom signatures, modify the Application Control profile from Step 2. Under Application and Filter Overrides, add signature #4 with the Block action. Next, add a separate entry containing signatures #1, #2, and #3 and set the Monitor action. These additional signatures supplement the base Psiphon application signature as well as the QUIC application signature.

[Screenshot: Custom_AppControl_Signatures.png]

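The Usage step above expressed as FortiOS CLI configuration, added here as an example that is not part of the original article. The signature string is the article's own signature #4, quoted for the CLI; the custom-signature name, the profile name "block-psiphon" (assumed to be the profile created in Step 2), the entry numbers and the <...> application IDs are assumptions or placeholders. Only #4 is given the Block action because, as the --tag set and --tag test options in the four signatures show, #4 fires only after #3 has matched the server side, and #3 in turn tests the tag set by #1 or #2; signatures #1 to #3 therefore have to stay enabled, in Monitor, for the chain to work.

```fortios
# Added example (not from the original article): custom signature #4 created from the CLI,
# then the Block / Monitor overrides described under 'Usage'. <...> values are placeholders.

# Custom application signature; the double quotes inside the F-SBID string are backslash-escaped.
config application custom
    edit "Psiphon.resume.test"
        set comment "Article signature #4: tests the tag set by Psiphon.resume.server.tag"
        set signature "F-SBID( --name \"Psiphon.resume.test\"; --protocol tcp; --app_cat 6; --weight 20; --service ssl; --flow from_client; --seq >,298,relative; --seq <,519,relative; --data_size =51; --tag test,tag.psi.resume.server.varlength.custom; --pattern \"|1403030001011603030028|\"; --context packet; --within 11,context; )"
        set category 6
    next
end

# Create signatures #1, #2 and #3 the same way (Psiphon.resume.client.tagone,
# Psiphon.resume.client.tagtwo, Psiphon.resume.server.tag) using the article's strings.

# Extend the Step 2 profile: #4 blocks; #1-#3 are monitored (pass + log) so their tags are still set.
# Assumption: FortiOS assigns each custom signature an application ID on creation; substitute it below.
config application list
    edit "block-psiphon"
        config entries
            edit 4
                set application <id-of-Psiphon.resume.test>
                set action block
                set log enable
            next
            edit 5
                set application <id-of-tagone> <id-of-tagtwo> <id-of-server.tag>
                set action pass
                set log enable
            next
        end
    next
end
```

Monitor in the GUI corresponds to a pass action with logging enabled in the CLI. If the monitored entry for #1 to #3 were set to Block instead, the tag chain would be cut at the first client hello and #4, the only signature that confirms the full resume exchange, would never match.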
Additional Information regarding Psiphon network protocols:

Psiphon uses Obfuscated SSH (OSSH), which is an SSH mode with an obfuscation layer added on top of the SSH handshake to defend against protocol fingerprinting. A description of the protocol can be found here: https://github.com/brl/obfuscated-openssh/blob/ca93a2c09cf0f6d2f80e7daca18a669045665a3b/README.obfus...

The basic idea of using obfuscation with SSH is to implement local port forwarding over SSH in order to bypass security devices. Additionally, Psiphon uses QUIC over UDP ports 22 and 554.

In addition to the previous information, consider also blocking SSH and port 554 in the 'Application and Filter Overrides'; this prevents Psiphon from establishing its connection.