topic Re: How to block Ultrasurf? in General Topics

How to block Ultrasurf?

afiq — Thu, 21 Mar 2013 11:12:39 GMT

Hi guys,

i create a rule to block Ultrasurf on top and a rule to allow any below it. but ultrasurf still can bypass. surprisingly once ultrasurf connected to its server, PAN unable to logged the traffic. No traffic looged in URL filtering, Threat and Traffic log.

this tested on 4.1.x to 5.0.x with the latest content definition.

anyone can share some experience?

tq.

Re: How to block Ultrasurf?

Retired Member — Thu, 21 Mar 2013 11:39:47 GMT

can you replicate this issue with clearing all sessions and adding unkowsn tcp/udp to that rule ?

if this works then PA support has to check out for app update.

Re: How to block Ultrasurf?

afiq — Thu, 21 Mar 2013 14:27:32 GMT

my first solution is clearing the session browser, but this only works temporary..

and currently im applying the same method like yours, create a block rule for unknown-tcp with port 443 ...this will block ultrasurf user from browsing any site but in the ultrasurf status is still 'succesfully connected'.

i just wonder how long PA going to update their Apps, ive been waiting for months for this issue.

Re: How to block Ultrasurf?

Retired Member — Thu, 21 Mar 2013 14:31:50 GMT

we have opened a case for this before.After a while they fixed it with an app version.But I did not test it nowadays.

I'll test it with last version.What is the version of ultrasurf you are using ?

Re: How to block Ultrasurf?

afiq — Thu, 21 Mar 2013 14:58:07 GMT

ive also opened a couple of ticket for this issue before...

im using ultrasurf 1210....this issue makes some of our customer starting to doubt with PA :smileysilly:

Re: How to block Ultrasurf?

mikand — Mon, 01 Apr 2013 20:36:13 GMT

Did you have enabled SSL-termination (SS-decrypt)?

Which appid does your PA identify this session with?

As debug enable both "log on session start" AND "log on session end" for all rules.

Re: How to block Ultrasurf?

afiq — Fri, 05 Apr 2013 03:05:52 GMT

i just use 2 simple rule for testing purpose

1.Block Ultrasurf

2.Allow Any

and

3.Enabled SSL decryption

in monitor

those app detected as Ultrasurf is blocked
443 decrypt as it should
and i can see some unknown-tcp and insufficient data
In URL log, some unknown category url can be seen

temp solution

create rule to block unknown-tcp with port 443
block Unknown URL category

im still waiting for PAN to update on this..:smileycry:

Re: How to block Ultrasurf?

Kali — Sat, 13 Apr 2013 00:33:53 GMT

When ultrasurf updates to a new version, PAN only recognize the APP as ssl. What i've noticed though is that ultrasurf calls to TAIWAN(hi-net) network, a dynamic network. So what i did was i created a rule that blocks TAIWAN & unknown-tcp. Problem solved for Ultrasurf.

Re: How to block Ultrasurf?

afiq — Mon, 29 Apr 2013 03:09:04 GMT

the rule to block unknown tcp for ultrasurf is a success.

but for high level/management views from all of my customers, they seems cant accept the the fact that PAN unable to block ultrasurf by using App-ID alone.

the ultrasurf v12 has been released since last year and yet still no update to block this thing.