PAN-OS K-12 Security App-ID URL Filtering Proxy Avoidance

Beating Student Proxy Sites Without Playing Whack-a-Mole

Proxy frameworks (Utopia, Lumi, Scramjet, Secured, Arsenic, Ultraviolet, Rammerhead, etc.) don’t win because they’re “new” — they win because they rotate domains faster than you can block them. This is a production pattern that breaks the engine instead of chasing the paint job.

The problem

K-12 environments are getting hammered with proxy sites. Block one, two more appear. URL filtering often struggles because these sites hide inside pages that look legitimate, and categorization is frequently wrong. Domain-based blocking becomes a treadmill.

Goal: Don’t chase domains. Make the proxy frameworks non-functional by preventing their core scaffolding from loading.

The shift: stop the engine, not the paint job

Many of these proxy sites are just different skins built on the same small set of JavaScript frameworks and “skeleton” resources: loaders, bundled assets, workers, handlers, and framework-specific paths that keep showing up across families.

If those core resources can’t load, the proxy can’t initialize — even if the page itself still opens.

The solution: custom Application + signatures

We built a custom Palo Alto Networks Application and a set of signatures matching those recurring framework resources. It took refinement (and yes, a couple early false positives that we corrected), but the end result has been solid.

Palo Alto custom application configuration named Proxy Avoidance with risk and characteristics selected.

Custom Application: Proxy Avoidance — aggregated detection across multiple student proxy frameworks.

Signatures list in Palo Alto showing multiple proxy-related signature names.

Signature set: per-framework “core” signatures plus a shared signature for common components.

What we match (examples)

Below are examples of signature logic matching recurring framework resources. The value is consistency: domains change constantly, but the scaffolding stays recognizable.

Signature conditions matching WISP-related scaffolding and bundled JavaScript resources.

proxy-wisp-core — WISP scaffolding paths (loader/bundle endpoints).

Signature conditions matching Utopia-related paths and JavaScript resources.

proxy-utopia-core — recurring Utopia resources observed across clones.

Signature conditions matching Scramjet packaged assets and worker/bundle resources.

proxy-scram-core — Scramjet packaged assets + worker/bundle resources.

Signature conditions matching Lumi-related framework bundle and handler endpoints.

proxy-lumi-core — Lumi framework bundle/handler endpoints.

Signature conditions matching Wordplus JavaScript resources such as loading and bundle files.

proxy-wordplus-core — Wordplus framework JS resources frequently reused.

Signature conditions matching Rammerhead dashboard and worker resources.

proxy-rammer-dashboard — Rammerhead dashboard + worker resources.

Signature conditions matching Secured framework JavaScript including messages and announcements.

proxy-secured-core — Secured framework JS resources observed across deployments.

Signature conditions matching shared WebSocket and common proxy framework paths.

proxy-ws-core — shared WebSocket + common framework paths (useful across families).

What “success” looks like

This approach doesn’t always produce a traditional block page — because we’re not necessarily blocking the site itself. Instead, the proxy becomes broken because the framework can’t initialize.

Takeaway: You can’t win Whack-a-Mole by chasing domains forever.
You win by identifying and disrupting the shared scaffolding those proxy frameworks depend on.

This post describes an operational pattern (“how to think”). Implementation details should be tested safely in your environment.