bmiranda
Staff
Article Id 255232
Description: This article describes how to block the Psiphon application for users trying to bypass FortiGate's content restriction policies.
Scope: FortiOS 7.0 and FortiOS 7.2.
Solution

 ⚠ DISCLAIMER ⚠
The Psiphon application is constantly being updated, so FortiGate blocks are a 'best-effort' practice: a 100% blocking success rate is not guaranteed. This is due to multiple factors, including new patterns, newly registered domains, proxy server IPs, etc.

Application updates may make it possible to bypass the FortiGate detection mechanisms. The FortiGuard team is working tirelessly to ensure that any new update is met with a new signature update as quickly as possible in order to block these connection attempts.

For an overview, visit this link: https://www.fortiguard.com/appcontrol/32642.

Step 1:
To make this solution work, it is necessary to enable Deep Packet Inspection; otherwise, the FortiGate will not be able to look beyond the certificate of the domain being used and will be unable to identify the Psiphon application. For that, refer to this article: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-deep-inspection-and-import-a...

In the SSL/SSH Inspection profile, it is necessary to enable the setting 'Inspect all ports':

 
ssl inspection.png

 

Step 2:

Configure the Application Control profile to block the 'Proxy' category (optional), 'Psiphon3' application (mandatory), and 'QUIC' application (mandatory):

  

AppControl.png

Step 3 (optional):

Configure the Web Filter profile to block the 'Proxy Avoidance' category:

 

WebFilter.png

 

Step 4:

Create the Firewall Policy with the above-mentioned profiles applied:

 

FirewallPolicy.png

 

Step 5:

Try to connect with Psiphon on the end-user machine. It should be unable to connect, and the FortiGate logs should show the blocks:

 

logs.png

Note: If the application is able to successfully connect after some time, take into consideration the initial disclaimer of this technical tip article.
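
To make the Step 5 check repeatable, the following added example (not part of the original article and not Fortinet code) scans exported Application Control log text and lists any Psiphon3, QUIC or 'Proxy' category session that was not blocked. It assumes the logs are in key=value text form with the fields `subtype`, `app`, `appcat`, `action`, `srcip`, `dstip` and `dstport`; the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in key=value log style (assumed layout, not real traffic).
SAMPLE_LOG = """\
date=2023-05-02 time=10:01:11 type="utm" subtype="app-ctrl" srcip=10.0.0.15 dstip=203.0.113.7 dstport=443 app="Psiphon3" appcat="Proxy" action="block"
date=2023-05-02 time=10:01:12 type="utm" subtype="app-ctrl" srcip=10.0.0.15 dstip=203.0.113.9 dstport=443 app="QUIC" appcat="Network.Service" action="block"
date=2023-05-02 time=10:02:40 type="utm" subtype="app-ctrl" srcip=10.0.0.22 dstip=198.51.100.4 dstport=554 app="Psiphon3" appcat="Proxy" action="pass"
date=2023-05-02 time=10:03:05 type="utm" subtype="app-ctrl" srcip=10.0.0.22 dstip=192.0.2.10 dstport=443 app="HTTPS.BROWSER" appcat="Web.Client" action="pass"
date=2023-05-02 time=10:03:09 type="utm" subtype="webfilter" srcip=10.0.0.15 dstip=192.0.2.44 catdesc="Proxy Avoidance" action="blocked"
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
WATCHED_APPS = ("psiphon", "quic")  # Step 2: mandatory application blocks
WATCHED_CATS = ("proxy",)           # Step 2: optional 'Proxy' category


def parse_line(line):
    """Parse one key=value log line; quoted values may contain spaces."""
    return {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(line)}


def is_watched(rec):
    """True if the record is for an application or category the profile blocks."""
    app = rec.get("app", "").lower()
    cat = rec.get("appcat", "").lower()
    return any(name in app for name in WATCHED_APPS) or cat in WATCHED_CATS


def audit(log_text):
    """Return (Counter of blocked sessions per app, list of records not blocked)."""
    blocked, not_blocked = Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("subtype") != "app-ctrl" or not is_watched(rec):
            continue
        if rec.get("action") == "block":
            blocked[rec.get("app", "unknown")] += 1
        else:
            not_blocked.append(rec)  # anything other than "block" needs review
    return blocked, not_blocked


if __name__ == "__main__":
    blocked, not_blocked = audit(SAMPLE_LOG)
    for app, count in blocked.items():
        print(f"blocked  {app}: {count}")
    for rec in not_blocked:
        print(f"REVIEW   {rec.get('srcip')} -> {rec.get('dstip')}:{rec.get('dstport')} "
              f"app={rec.get('app')} action={rec.get('action')}")
```

A non-empty review list after the profiles are applied is the situation the note above describes, and is the point at which to check that the FortiGuard signatures are current.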