https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ultrasurf-18-02/m-p/215542#M337 <P>Hi, I´m getting some trouble trying to block ultrasurf. First i blocked it with App-ID and everything was ok, until some users of the internal network downloaded a new version to avoid URL-filtering.</P><P>&nbsp;</P><P>Summary of log</P><P>Application:SSL</P><P>Category:Unknown</P><P>NAT Port: 443</P><P>IP protocol: tcp</P><P>&nbsp;</P><P>I can´t block SSL or Unknown category because we have an active GlobalProtect VPN,&nbsp; our exchange server and our DVR´s share the same category.</P><P>The traffic is detected as Suspicious TLS Evasion found, is using the same ID (threatid eq 14978) our exchange Active Sync server is using and we can´t lose that service. Is there any other way of block it using palo alto? I was thinking in using QoS but that would affect our GlobalProtect users, they often need to transfer big files to the internal network.</P><P>&nbsp;</P><P>Best Regards</P> Fri, 25 May 2018 23:02:29 GMT Sanoviv_Medicis 2018-05-25T23:02:29Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ultrasurf-18-02/m-p/215542#M337 <P>Hi, I´m getting some trouble trying to block ultrasurf. First i blocked it with App-ID and everything was ok, until some users of the internal network downloaded a new version to avoid URL-filtering.</P><P>&nbsp;</P><P>Summary of log</P><P>Application:SSL</P><P>Category:Unknown</P><P>NAT Port: 443</P><P>IP protocol: tcp</P><P>&nbsp;</P><P>I can´t block SSL or Unknown category because we have an active GlobalProtect VPN,&nbsp; our exchange server and our DVR´s share the same category.</P><P>The traffic is detected as Suspicious TLS Evasion found, is using the same ID (threatid eq 14978) our exchange Active Sync server is using and we can´t lose that service. Is there any other way of block it using palo alto? I was thinking in using QoS but that would affect our GlobalProtect users, they often need to transfer big files to the internal network.</P><P>&nbsp;</P><P>Best Regards</P> Fri, 25 May 2018 23:02:29 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ultrasurf-18-02/m-p/215542#M337 Sanoviv_Medicis 2018-05-25T23:02:29Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ultrasurf-18-02/m-p/216131#M342 <P>Please open a case with Support, we can work with our developers to ensure that our App-ID signature is updated.</P> Thu, 31 May 2018 16:29:46 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ultrasurf-18-02/m-p/216131#M342 mivaldi 2018-05-31T16:29:46Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ultrasurf-18-02/m-p/223611#M366 <P>I found another way to block it. In the domain controller, at group policy managment in software restriction Policies had to block a RND extension. Ultrasurf create a PUTTY.RND in the profile of the user in C:\Users\USERNAME . If you block that file the program stop working.</P> Thu, 26 Jul 2018 00:23:19 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ultrasurf-18-02/m-p/223611#M366 Sanoviv_Medicis 2018-07-26T00:23:19Z