I am suffering from many failed attempts trying to block Ultrasurf. I added the application to a deny policy on the top of my policies, but users keep jumping to the allow policy. I tried to block unknown UDP/TCP apps, but it failed too. The application itself can't be blocked even though I blocked all the dependencies. I tried to do it on 5050 and 5060 on both PAN 5.0.11 and PAN-OS 6.0 with the most updated licenses. Can someone help? I guess it's considered a huge problem.
My suggestion for all evasive apps like Ultrasurf, Tor, etc. is to open a support case when you find failure to block reliably. These apps are constantly evolving to try and evade control (evasive!). Once you have a support case open, upload packet captures of the evasive traffic (capture it locally in your network) to the case. In many cases we find interesting regional differences in the application's evasion tactics. Having packet captures from your particular location is almost always a great help in determining what the app developer has added to the mix to try to fly under the radar.
Decrypted, yes, and I have positioned URLs that need to be checked (proxy and other evading-type URLs/apps). As per the command line, it shows Ultrasurf and SSL "only"; although Ultrasurf is being blocked, SSL still finds its way to connect to other proxies.
Now, for testing purposes, I created a decryption rule to block "ANY", and this time Ultrasurf is being blocked totally. It simply means that PAN should take a look at what other URL categories this software tries to connect to (and to what country/IP block/subnet/proxy server). The older version of Ultrasurf only connects to Taiwan (HiNet IP block), and during that time blocking TW would work, but now it seems Ultrasurf calls/connects to the US (I'm seeing Amazon networks) and other IP blocks outside Taiwan and China.
Decryption is the key. It should always apply on any category and block sessions which cannot be decrypted (add exceptions for banking and government sites plus the few applications that don't support it).
If you don't decrypt, there is no point in trying to block evasion applications.
There are some Tor/Ultrasurf app providers which change their URLs every day. Some of them are just providing a plain old OpenVPN client that runs over SSL (boxpn, for example).
I used to make filtering policies that were hard (if not impossible) for my users to escape with PAN products. SSL decryption is the key, with an adapted AppID policy.
If you don't decrypt all categories then you're missing the point: URL category is a lagging tool: a new domain will be identified as running proxies only after a few days. Commercial applications which propose to change domains every day/week will still go through.
If URL category was enough to flag applications/uses, PANW would not have invented AppID in the first place. URL categories have been here for 15 years and never solved anything...
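A sketch of the policy the last reply describes (decrypt every category, exempt banking and government, drop sessions that cannot be decrypted, and deny the evasive App-IDs above the general allow, as the original poster attempted), written as PAN-OS CLI set commands. This is an added example, not configuration posted by anyone in the thread. The rule and profile names, the trust/untrust zone names, and the exact option keys are assumptions to be checked against the configuration guide for the PAN-OS version in use.

```text
# Assumed names: profile "block-undecryptable", zones "trust"/"untrust",
# rule names below. Option keys are from memory, not from the thread.

# 1. Decryption profile: sessions the firewall cannot decrypt are dropped
set profiles decryption block-undecryptable ssl-forward-proxy block-unsupported-version yes
set profiles decryption block-undecryptable ssl-forward-proxy block-unsupported-cipher yes
set profiles decryption block-undecryptable ssl-forward-proxy block-untrusted-issuer yes
set profiles decryption block-undecryptable ssl-forward-proxy block-expired-certificate yes

# 2. Exceptions come first: banking and government categories stay encrypted
set rulebase decryption rules no-decrypt-finance-gov from trust to untrust source any destination any source-user any category [ financial-services government ] action no-decrypt type ssl-forward-proxy

# 3. Everything else, on every category, is decrypted with the profile above
set rulebase decryption rules decrypt-all from trust to untrust source any destination any source-user any category any action decrypt type ssl-forward-proxy profile block-undecryptable

# 4. Security policy: evasive apps and unknown traffic are denied before the general allow
set rulebase security rules deny-evasive from trust to untrust source any destination any source-user any application [ ultrasurf tor ] service application-default action deny
set rulebase security rules deny-unknown from trust to untrust source any destination any source-user any application [ unknown-tcp unknown-udp ] service any action deny
set rulebase security rules allow-web from trust to untrust source any destination any source-user any application [ web-browsing ssl ] service application-default action allow

# Rules are evaluated top-down, so make sure the deny rules sit above the allow
move rulebase security rules deny-evasive top
move rulebase security rules deny-unknown after deny-evasive
```

Without step 3 the deny in step 4 only ever sees "ssl", which is the behaviour the poster observed; the decrypt-all rule is what lets App-ID see ultrasurf inside the TLS session.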