How do I block Puffin browser on iOS or Android devices without using SSL interception?

Article ID: 165972

Products

ProxySG Software - SGOS

Issue/Introduction

When a user runs Puffin Web Browser on an iOS or Android device, the ProxySG appliance rules and filters (blacklist/whitelist) do not take effect; that is, the user can bypass the rules and access blocked sites. However, if you enable HTTPS interception (transparent proxy) or protocol detection (explicit proxy) on the ProxySG, Puffin Browser crashes. How do I block the Puffin browser?

In the example of active sessions above, the Puffin browser obtains a random IP address each time it connects to www.cloudmosa.com (CloudMosa developed Puffin Browser). The appliance cannot see URLs or destination origin content servers (OCSes), because Puffin sends all traffic through SSL.

Resolution

If SSL interception is not enabled on the ProxySG appliance, you can block Puffin Browser by denying a server certificate object for "cloudmosa.com". Here is an example.

You can deny the server certificate object in either the Visual Policy Manager (VPM) or in the Content Policy Language (CPL).

Using the VPM

Perform the following steps:

  1. In the Management Console, launch the VPM.
  2. Create a new Web Access Layer, or edit an existing Web Access Layer.
  3. Click Add rule, and specify the following:
    • Source: Select Any.
    • Destination: Select Set > New > Server certificate.
    • User host name: Enter cloudmosa.com and select Domain.
  4. Click OK, and then click OK again.
  5. Set action as Deny.
  6. Click Install Policy.

 

Using the CPL

Add the following CPL:

<Proxy>
    DENY server.certificate.hostname=.cloudmosa.com
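
Before installing the rule, it helps to check which server certificates a domain match on cloudmosa.com would catch, so that look-alike names are not assumed to be covered and unrelated sites are not blocked. The following Python sketch is an added example, not part of the original article or the ProxySG product. It assumes the match succeeds when a certificate hostname equals the domain or is a subdomain of it, and that hostnames come from the subject CN and DNS subjectAltName entries; the appliance's own evaluation may differ. The sample certificates are constructed.

```python
# Added example: emulate a domain-style match on server certificate hostnames.
# Assumption: a hostname matches when it equals the domain or is a subdomain
# of it. Input dicts use the shape returned by ssl.SSLSocket.getpeercert().

def cert_hostnames(cert):
    """Collect hostnames from the subject CN and DNS subjectAltName entries."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value)
    return {n.lower().rstrip(".") for n in names}


def domain_match(hostname, domain):
    """True if hostname is the domain itself or one of its subdomains."""
    domain = domain.lower().strip(".")
    host = hostname.lower().rstrip(".")
    if host.startswith("*."):          # wildcard cert: compare the base name
        host = host[2:]
    return host == domain or host.endswith("." + domain)


def rule_denies(cert, domain="cloudmosa.com"):
    """Would a deny rule on this domain match any hostname in the cert?"""
    return any(domain_match(h, domain) for h in cert_hostnames(cert))


# Constructed sample certificates (not captured from real servers).
SAMPLES = {
    "wildcard": {"subject": ((("commonName", "*.cloudmosa.com"),),),
                 "subjectAltName": (("DNS", "*.cloudmosa.com"),
                                    ("DNS", "cloudmosa.com"))},
    "san_only": {"subject": ((("organizationName", "Constructed Org"),),),
                 "subjectAltName": (("DNS", "www.cloudmosa.com"),)},
    "lookalike": {"subject": ((("commonName", "notcloudmosa.com"),),),
                  "subjectAltName": (("DNS", "cloudmosa.com.example.net"),)},
}

if __name__ == "__main__":
    for label, cert in SAMPLES.items():
        print(f"{label}: {'DENY' if rule_denies(cert) else 'no match'}")
```
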