Re: VPN Blocking Best Practice
To block the VPNs, please set the category "Proxy" and the signatures "PPTP", "L2TP" and "ISAKMP" to Block. That should block most if not all the VPNs you can find.
As to how we try to cover all the VPNs, from our research, 80-90% of the common VPNs in the market use some form of the OpenVPN protocol that our "OpenVPN" signature would block. For those that do not use the OpenVPN protocol, many share the same servers or API calls. This signature works for most Android and Windows VPNs.
For iOS VPNs, because of strict restrictions by Apple that VPNs need to use PPTP, L2TP or IPSec (we name the signature ISAKMP), blocking those 3 signatures would block most of the VPNs on iOS.
The remaining VPNs that are not covered by the signatures above are covered by the other signatures in our Proxy category. We have our tools that monitor when these apps are updated and we update our signatures accordingly. We give special priority to certain very evasive VPNs like Ultrasurf, Psiphon, Hotspot Shield, Freegate, etc., because they employ very complicated protocols to bypass firewalls.
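To make concrete what the four protocol names in this post refer to on the wire, here is an added example (not from the post and not the vendor's signature logic) that labels the first packet of a flow by its header layout, so you can check flow captures for tunnels that still get through. The function names and sample packets are constructed for illustration, and the checks are heuristics based on the public protocol headers only.

```python
import struct

PPTP_MAGIC = 0x1A2B3C4D      # magic cookie in PPTP control messages (RFC 2637)
OVPN_HARD_RESET_V2 = 7 << 3  # OpenVPN P_CONTROL_HARD_RESET_CLIENT_V2, key_id 0

def _is_isakmp(data, dport):
    if dport == 4500 and data[:4] == b"\x00" * 4:  # NAT-T non-ESP marker
        data = data[4:]
    if len(data) < 28:                             # fixed ISAKMP/IKE header size
        return False
    version = data[17]                             # 0x10 = IKEv1, 0x20 = IKEv2
    (length,) = struct.unpack("!I", data[24:28])
    return version in (0x10, 0x20) and length == len(data)

def _is_l2tp_control(data):
    if len(data) < 12:
        return False
    flags, length = struct.unpack("!HH", data[:4])
    # T, L and S bits set, version 2 (RFC 2661 control header)
    return flags & 0xC80F == 0xC802 and length == len(data)

def _is_openvpn_reset(data):
    # opcode byte + 8-byte session id + ack count + 4-byte packet id
    return len(data) >= 14 and data[0] == OVPN_HARD_RESET_V2

def classify(proto, dport, payload):
    """Label the first payload of a flow, or return None if nothing matches."""
    if proto == "tcp":
        if len(payload) >= 8 and struct.unpack("!I", payload[4:8])[0] == PPTP_MAGIC:
            return "PPTP"
        # OpenVPN over TCP prefixes each packet with a 2-byte length
        if len(payload) >= 16 and struct.unpack("!H", payload[:2])[0] == len(payload) - 2:
            return "OpenVPN" if _is_openvpn_reset(payload[2:]) else None
        return None
    if _is_isakmp(payload, dport):
        return "ISAKMP"
    if _is_l2tp_control(payload):
        return "L2TP"
    return "OpenVPN" if _is_openvpn_reset(payload) else None

# Constructed sample packets (not captured traffic).
IKE = b"\x11" * 8 + bytes(8) + bytes([33, 0x20, 34, 0x08]) + bytes(4) + struct.pack("!I", 40) + bytes(12)
OVPN = bytes([OVPN_HARD_RESET_V2]) + b"\xaa" * 8 + bytes(5)
SAMPLES = [
    ("tcp", 1723, struct.pack("!HHI", 156, 1, PPTP_MAGIC) + bytes(148)),
    ("udp", 1701, struct.pack("!HHHHHH", 0xC802, 20, 0, 0, 0, 0) + bytes.fromhex("8008000000000001")),
    ("udp", 500, IKE),
    ("udp", 4500, bytes(4) + IKE),
    ("udp", 1194, OVPN),
    ("tcp", 443, struct.pack("!H", len(OVPN)) + OVPN),
    ("tcp", 443, b"\x16\x03\x01\x00\x10" + bytes(16)),  # TLS record, not a VPN
]

def run_samples():
    return [classify(*s) for s in SAMPLES]
```

The port argument is used only to recognise the NAT-T marker on UDP 4500; everything else is matched on content, so a tunnel moved to a non-default port is still labelled.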