How to block Ultrasurf?


L1 Bithead

Hi guys,

I created a rule to block Ultrasurf on top and a rule to allow any below it, but Ultrasurf can still bypass it. Surprisingly, once Ultrasurf is connected to its server, the PAN is unable to log the traffic. No traffic is logged in the URL Filtering, Threat and Traffic logs.

This was tested on 4.1.x to 5.0.x with the latest content definition.

Can anyone share some experience?

tq.

8 REPLIES

L6 Presenter

Can you replicate this issue after clearing all sessions and adding unknown tcp/udp to that rule?

If this works, then PA support has to check it out for an app update.

My first solution was clearing the session browser, but this only works temporarily.

Currently I'm applying the same method as yours: create a block rule for unknown-tcp with port 443. This will block Ultrasurf users from browsing any site, but the Ultrasurf status is still 'successfully connected'.

I just wonder how long PA is going to take to update their apps; I've been waiting for months on this issue. :(

We have opened a case for this before. After a while they fixed it with an app version, but I have not tested it recently.

I'll test it with the latest version. What version of Ultrasurf are you using?

L1 Bithead

I've also opened a couple of tickets for this issue before...

I'm using Ultrasurf 1210... This issue is making some of our customers start to doubt PA :smileysilly:

Have you enabled SSL termination (SSL decrypt)?

Which App-ID does your PA identify this session with?

For debugging, enable both "log on session start" AND "log on session end" for all rules.

I just use 2 simple rules for testing purposes:

1. Block Ultrasurf

2. Allow Any

and

3. Enabled SSL decryption

In monitor:

  • apps detected as Ultrasurf are blocked
  • 443 is decrypted as it should be
  • and I can see some unknown-tcp and insufficient-data
  • in the URL log, some unknown-category URLs can be seen

Temp solution:

  • create a rule to block unknown-tcp with port 443
  • block the Unknown URL category

I'm still waiting for PAN to update on this.. :smileycry:

L2 Linker

When Ultrasurf updates to a new version, PAN only recognizes the app as ssl. What I've noticed though is that Ultrasurf calls out to the TAIWAN (hi-net) network, a dynamic network. So what I did was create a rule that blocks TAIWAN & unknown-tcp. Problem solved for Ultrasurf.

The rule to block unknown-tcp for Ultrasurf is a success.

But from the high-level/management view of all of my customers, they can't seem to accept the fact that PAN is unable to block Ultrasurf by using App-ID alone.

Ultrasurf v12 has been released since last year and yet there is still no update to block this thing. :(
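A triage sketch for the symptom described in this thread, added here as an example and not posted by any participant or taken from Palo Alto Networks: it correlates denied ultrasurf sessions with allowed unknown-tcp / insufficient-data sessions on port 443 from the same source. The CSV column names and all log rows are constructed assumptions, not a real PAN-OS export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows. The column names are assumptions for this example,
# not the schema of a real firewall log export.
SAMPLE_LOG = """\
time,src,dst,dport,app,action
2013-03-01 09:00:01,10.1.1.20,203.0.113.10,443,ultrasurf,deny
2013-03-01 09:00:03,10.1.1.20,203.0.113.44,443,unknown-tcp,allow
2013-03-01 09:00:04,10.1.1.20,203.0.113.45,443,insufficient-data,allow
2013-03-01 09:00:09,10.1.1.31,198.51.100.7,443,ssl,allow
2013-03-01 09:01:00,10.1.1.42,198.51.100.9,443,unknown-tcp,allow
2013-03-01 09:02:00,10.1.1.20,198.51.100.7,80,web-browsing,allow
"""

# Application labels the thread reports seeing next to the blocked sessions.
UNIDENTIFIED = {"unknown-tcp", "insufficient-data"}


def triage(log_text):
    """Return {src: details} for hosts with allowed, unidentified port-443 traffic."""
    denied = defaultdict(int)   # sessions identified as ultrasurf and denied
    leaked = defaultdict(list)  # allowed 443 sessions with no application match
    for row in csv.DictReader(io.StringIO(log_text)):
        app = row["app"].strip().lower()
        action = row["action"].strip().lower()
        if app == "ultrasurf" and action == "deny":
            denied[row["src"]] += 1
        elif app in UNIDENTIFIED and row["dport"] == "443" and action == "allow":
            leaked[row["src"]].append(row["dst"])
    verdicts = {}
    for src, dsts in leaked.items():
        verdicts[src] = {
            # Both signals from one host match the pattern described in the thread.
            "verdict": "likely-bypass" if denied.get(src, 0) else "review",
            "ultrasurf_denies": denied.get(src, 0),
            "unidentified_443_dsts": sorted(set(dsts)),
        }
    return verdicts


if __name__ == "__main__":
    for host, info in sorted(triage(SAMPLE_LOG).items()):
        print(host, info)
```

Hosts marked "review" show only the unidentified port-443 traffic, which other applications can also produce, so they need a manual look before any conclusion.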
