Even though the PA firewalls is detecting the traffic is Ultrasurf, the application is still working.
I've got a security rule to block by application 'Ultrasurf', and we have SSL decryption as well.
Yeah, like @Hithead said the application wasn't allowed, your logs state the connection was reset once Palo was able to identify the traffic as Ultrssurf.
In most cases Palo will "allow" the traffic to pass, then an application shift occurs and once that shift happens the traffic is stopped.
How long was the total session (packets)? From your screen shot, to me 3 seconds wouldn't be long enough to really get passed your security policy.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!