How can corporations prevent users from making connections via the FPN? The FPN bypasses some of our security controls when in use.
When the FPN is in use, our proxies no longer read the traffic and thus no longer block based on category, or scan the downloads for malicious payloads. Is there a DNS entry, or URL we can block on the proxy before the FPN connection is made, that will prevent the FPN from working? If we do make such a block, perhaps towards "firefox.*.cloudflareclient.com", will that affect other aspects of FF from working?
All Replies (2)
Hi kevin57, I don't see any articles on this yet.
For the browser extension, which proxies via Cloudflare, have you tried disabling DNS over HTTPS to see whether that changes its behavior?
Note that the canary domain does not block "user configured" DNS over HTTPS. (See https://support.mozilla.org/questions/1279834) I don't know whether the FPN extension's use of DoH is considered user configured.
Thanks for the reply, but FF isn't managed; it's merely tolerated in the network. Even with no administrator rights, users place it on the computers and use it. With this latest feature, we may have to remove it from the network unless we can block it (FPN) outside of configuring FF itself.