02-23-2014 08:38 AM
Hi,
I am suferring from many failed attempts trying to block ultrasurf. i added the application to a deny policy on the top of my policies, but users keeps jumping to the allow policy. i tried to block unkown UDP/TCP apps, but it failed too. the applcation itself can't be blocked even though i blocked all the dependecies. i tried to do it on 5050 and 5060 on both PAN 5.0.11 and PAN-OS 6.0 with the most updated licenses.can some one help. i guess it's considered a huge problem
03-04-2014 09:28 AM
My suggestion for all evasive apps like Ulrtrasurf, Tor, etc. is to open a support case when you find failure to block reliably. These apps are constantly evolving to try and evade control (evasive!). Once you have a support case open upload packet captures of the evasive traffic )capture it locally in your network) to the case. In many cases we find interesting regional differences in the application's evasion tactics. Having packet captures from your particular location is almost always a great help in determining what the app developer has added to the mix to try to fly under the radar.
-Benjamin
03-04-2014 09:44 AM
Hello All,
I tested this on my firewall with latest App version (421) and it is being denied.
Regards,
Hari Yadavalli
03-04-2014 11:41 AM
for the time being we blocked the proxies as follow :
1-ssl decryption
2-block unknown App
3-block unknown url's
plus the app policy to deny the proxy software
03-04-2014 11:52 AM
try the following for TOR:
1- Enable SSl decryption if you don't want create a policy with SSL as application and in the url profile block the unknown sites.
2-second policy to block TOR by deny application
3-block the unknown App also
03-04-2014 03:55 PM
you should also set block on SSL sessions which can't be decrypted (in decryption profile). Ultrasurf makes use of unsupported/unexisting SSL protocol options.
03-04-2014 06:20 PM
for some weird reasons, Ultrasurf 13.04 still passes thru even though the app is being discarded.
03-04-2014 11:29 PM
There is a inconsistency.Sometimes it is blocking.This is the case.
03-05-2014 09:34 PM
That's right, the application gets "discarded" however it calls for other apps like SSL to get thru. Hope PAN team can fix this asap.
03-17-2014 11:56 AM
Hi Kali,
when it shows SSL, is it being decrypted ? what are subsequent apps being seen ?
03-23-2014 06:42 PM
Decrypted yes, and i have positioned url's that needs to be checked (proxy and other evading type url's/apps). As per command line, it shows Ultrasurf and SSL "only", although Ultrasurf is being blocked, SSL still finds it's way to connect to other proxies.
Now for testing purposes. i created a decyption rule to block "ANY", and this time Ultrasurf is being blocked totally. It simply means that PAN should take a look at what other URL categories this software tries to connect to (and to what country/ip block/subnet/proxy server). The older version of Ultrasurf only connects to Taiwan (Hi-net ip block) and during that time, blocking TW would work but now, it seems Ultrasurf calls / connects to the US (I'm seeing Amazon Networks) and other Ip blocks outside Taiwan and China.
03-24-2014 10:32 AM
Decryption is the key, it should always apply on any category and block sessions which cannot be decrypted (add exceptions to banking and governement sites + to few applications that don't support it).
If you don't decrypt, there is no point in trying to block evasion applications.
There are some Tor/Ultrasurlf app providers which change their URLs everyday. Some of them are just providing a plain old openvpn client thats runs over SSL (boxpn for example).
I used to make filtering policies that were hard (if not impossible) to escape by my users with PAN products. SSL decryption is the key with an adapted AppID policy.
03-26-2014 12:29 AM
As per PAN support & Partners, they are already working on this round the clock to identify this new version properly.
03-26-2014 09:49 AM
If you don't decrypt all categories then you're missing a point : URL category is a lagging tool : a new domain will be identified as running proxies only after a few days. Commercial applications which propose to change domains every day / weeks will still go through.
If URL category was enough to flag applications/uses, PANW would not have invented AppID in the first place. URL category have been hire for 15 years and never solved anything...
03-27-2014 12:31 AM
Decrypting all categories, yes that worked, however most applications won't work then (yahoo messenger app don't load <<example), which will need some adjustments / tweaking then. anyway testing is still on-going and will update this thread once i find the right settings.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
