Ultrasurf again - still getting through, how to block?

Reply
L1 Bithead

Ultrasurf again - still getting through, how to block?

Hi, 

 

Even though the PA firewalls is detecting the traffic is Ultrasurf, the application is still working. 

 

I've got a security rule to block by application 'Ultrasurf', and we have SSL decryption as well. 

 

thanks

L1 Bithead

trafficlog.pngCan see the traffic log here.

L4 Transporter

first ssl and web-browsing allowed the traffic until ultrasurf could be detected...

 

i would suggest to block the url category proxy-avoidance-and-anonymizers

Cyber Elite

Yeah, like @Hithead said the application wasn't allowed, your logs state the connection was reset once Palo was able to identify the traffic as Ultrssurf.

 

In most cases Palo will "allow" the traffic to pass, then an application shift occurs and once that shift happens the traffic is stopped.

 

How long was the total session (packets)?  From your screen shot, to me 3 seconds wouldn't be long enough to really get passed your security policy.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!