Here are some considerations that you need to take to troubleshoot and improve your VPN blocking rules:

1. ensure that your firewall's application signatures are up to date. VPN applications may frequently update their protocols to bypass firewalls, so it is recommended to always update to the latest.
2. Make sure that your VPN blocking rule is placed correctly in the rule hierarchy. Usually, rules are processed from top to bottom so you need to confirm that the denial rule is above any of the rules that is allowed
3. Enable logging on your denial rule and monitor the logs for traffic that matches the criteria to help you identify whether certain VPN traffic is denied or not.
4. check if the ports and protocols of the specific VPNs you are blocking is correct.
   - enable SSL/TLS inspection on your firewall to help identify and block VPN traffic that is encrypted
   - use deep packet inspection to inspect contents of the packet and to identify VPN traffic based on the data payload
   - implement user authentication in your firewall (if supported), so you can tie VPN blocking rules to specific user accounts
   - apply application control policies to block or limit the use of certain applications, including VPNs
   - ensure blocking the rules accounted for specific services of browser based VPNs

While you've tried blocking VPNs with denial rules, consider a multi-layered approach for stronger defense. Enable DPI on your NGAF 5300-I to identify and block VPN traffic patterns. Utilize application control to block known VPN apps by name or signature. Block access to known VPN provider's DNS servers to prevent domain resolution. As a last resort, consider blocking common VPN ports like UDP 1194, TCP 443, and UDP 53. Remember, fine-tuning rules and monitoring logs are key for success. Hope this helps

For your information, Sangfor NGAF's main objective is to prevent and block cyber security events. It's important to note that browser-based VPNs typically employ encryption to create secure tunnels for traffic, which poses a challenge for conventional security measures to inspect and identify VPN usage. Additionally, these VPNs often rotate IP addresses, making it challenging for security systems to maintain an updated blacklist of VPN server IPs. Consequently, NGAF may face limitations in effectively blocking browser-based VPNs. Therefore it does not have the good blocking proxy/VPN performance as Sangfor IAM.

1. Identify VPN Traffic:

Deep Packet Inspection (DPI): If your NGAF 5300-I supports Deep Packet Inspection (DPI), enable it to identify VPN traffic patterns within the data stream. DPI can analyze application data and protocols to recognize VPN usage.
Port Blocking: While not foolproof, blocking common VPN ports like OpenVPN (UDP 1194) and L2TP (UDP 1701) can help prevent some basic VPN connections. However, be aware that some VPNs can use different ports to bypass restrictions.
2. Application Control:

Application Identification: Many NGAF devices have application identification features. Use these to identify and block known VPN applications by name. Consult your NGAF documentation for specific instructions on application control.
3. DNS Filtering:

Block VPN DNS Requests: Some VPNs rely on specific DNS servers to function. You can try blocking known DNS servers associated with popular VPN providers. However, this method can be easily bypassed by users with technical knowledge.
4. Advanced Techniques (if applicable):

URL Filtering: If your NGAF supports URL filtering, you can block access to known VPN download websites. However, this requires maintaining an updated list of such websites.
Threat Intelligence Feeds: Some NGAF devices allow integrating threat intelligence feeds. These feeds can identify and block malicious VPN traffic based on real-time threat data.
Important Considerations:

False Positives: Blocking techniques can sometimes lead to false positives, blocking legitimate applications. Test your rules thoroughly to avoid unintended consequences.
User Needs: Consider if there are legitimate business needs for using VPNs. You might create exceptions for authorized users or implement a more granular control approach.
NGAF Model and Firmware: The specific configuration steps might vary depending on your NGAF 5300-I model and firmware version. Refer to the official Sangfor documentation for detailed instructions on applying these techniques to your device.
Here are some additional tips:

Consult Sangfor Support: If you're still having trouble blocking VPNs after implementing these techniques, consider contacting Sangfor support. They can provide further guidance and troubleshooting assistance specific to your NGAF model and configuration.
Stay Updated: VPN technologies and techniques evolve. Regularly update your NGAF device firmware and threat intelligence feeds (if applicable) to maintain effective blocking capabilities.

Check if the rule is set to block both incoming and outgoing VPN connections, and make sure it's applied to the right interfaces or zones where the VPN traffic is passing through.