03-21-2013 04:12 AM
Hi guys,
i create a rule to block Ultrasurf on top and a rule to allow any below it. but ultrasurf still can bypass. surprisingly once ultrasurf connected to its server, PAN unable to logged the traffic. No traffic looged in URL filtering, Threat and Traffic log.
this tested on 4.1.x to 5.0.x with the latest content definition.
anyone can share some experience?
tq.
03-21-2013 04:39 AM
can you replicate this issue with clearing all sessions and adding unkowsn tcp/udp to that rule ?
if this works then PA support has to check out for app update.
03-21-2013 07:27 AM
my first solution is clearing the session browser, but this only works temporary..
and currently im applying the same method like yours, create a block rule for unknown-tcp with port 443 ...this will block ultrasurf user from browsing any site but in the ultrasurf status is still 'succesfully connected'.
i just wonder how long PA going to update their Apps, ive been waiting for months for this issue. 
03-21-2013 07:31 AM
we have opened a case for this before.After a while they fixed it with an app version.But I did not test it nowadays.
I'll test it with last version.What is the version of ultrasurf you are using ?
04-01-2013 01:36 PM
Did you have enabled SSL-termination (SS-decrypt)?
Which appid does your PA identify this session with?
As debug enable both "log on session start" AND "log on session end" for all rules.
04-04-2013 08:05 PM
i just use 2 simple rule for testing purpose
1.Block Ultrasurf
2.Allow Any
and
3.Enabled SSL decryption
in monitor
temp solution
im still waiting for PAN to update on this..:smileycry:
04-12-2013 05:33 PM
When ultrasurf updates to a new version, PAN only recognize the APP as ssl. What i've noticed though is that ultrasurf calls to TAIWAN(hi-net) network, a dynamic network. So what i did was i created a rule that blocks TAIWAN & unknown-tcp. Problem solved for Ultrasurf.
04-28-2013 08:09 PM
the rule to block unknown tcp for ultrasurf is a success.
but for high level/management views from all of my customers, they seems cant accept the the fact that PAN unable to block ultrasurf by using App-ID alone.
the ultrasurf v12 has been released since last year and yet still no update to block this thing.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
