FortiGate
rtulsani_FTNT
Description
This document discusses the procedure to block proxy application UltraSurf Version 15.01 on the FortiGate.

Solution
Step 1: IPS-DB

Ensure that the IPS signature definition running on the FortiGate is 6.677 or above, as the new UltraSurf signatures were added in that IPS definition.

For example:
FG80CM3911601580 # get sys stat
Version: FortiGate-80CM v5.2.3,build0670,150318 (GA)
Virus-DB: 26.00832(2015-07-19 22:12)
Extended DB: 26.00082(2015-06-17 23:12)
IPS-DB: 6.00677(2015-07-17 00:18)  <<<<< 6.677 or higher
IPS-ETDB: 0.00000(2001-01-01 00:00)
Serial-Number: FG80CM3911601580
The following command can be executed in the CLI to obtain the latest IPS definitions:
# execute update-now
Step 2: Application control profile

In the GUI, go to Security Profiles > Application Control, select the Application Control profile from the drop-down list in the top right-hand corner, then go to Application Overrides > Add Signatures and select the following signatures:
- Ultrasurf
- Ultrasurf_9.6+

Step 3: SSL Inspection

The new UltraSurf protocol is designed to mimic a legitimate SSL handshake, so the false positive rate is too high unless the session itself is inspected. The signature therefore requires deep inspection to work.

Without deep inspection, the signature will not be able to block UltraSurf.

For example:
config firewall ssl-ssh-profile
edit "Deep-Inspection-1"
config ssl
set inspect-all deep-inspection
end
end
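
The two prerequisites from Steps 1 and 3 can be checked against saved CLI output before testing the block. The script below is an added example, not Fortinet code; it assumes the status output and the ssl-ssh-profile section have been saved as text, and the function names and sample variables are hypothetical.

```python
import re

MIN_IPS_DB = (6, 677)  # minimum IPS-DB version required by Step 1

# Sample inputs, constructed from the CLI text shown in this article.
SAMPLE_STATUS = """Version: FortiGate-80CM v5.2.3,build0670,150318 (GA)
IPS-DB: 6.00677(2015-07-17 00:18)
IPS-ETDB: 0.00000(2001-01-01 00:00)"""
SAMPLE_CONFIG = """config firewall ssl-ssh-profile
edit "Deep-Inspection-1"
config ssl
set inspect-all deep-inspection
end
end"""

def ips_db_version(status_text):
    """Return IPS-DB as (major, minor), e.g. '6.00677' -> (6, 677), or None."""
    m = re.search(r"^IPS-DB:\s*(\d+)\.(\d+)", status_text, re.MULTILINE)
    return (int(m.group(1)), int(m.group(2))) if m else None

def deep_inspection_profiles(config_text):
    """Return profile names whose block sets 'inspect-all deep-inspection'."""
    names, current, depth = [], None, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1                      # entering a table or sub-block
        elif line == "end":
            depth -= 1                      # leaving a table or sub-block
            if depth <= 0:
                current = None
        elif depth == 1 and line.startswith("edit "):
            current = line[5:].strip().strip('"')
        elif depth == 1 and line == "next":
            current = None
        elif line == "set inspect-all deep-inspection" and current:
            if current not in names:
                names.append(current)
    return names

def preflight(status_text, config_text, profile):
    """Return a list of unmet prerequisites; an empty list means both are met."""
    problems = []
    ver = ips_db_version(status_text)
    if ver is None:
        problems.append("IPS-DB line not found in status output")
    elif ver < MIN_IPS_DB:
        problems.append("IPS-DB %d.%05d is below 6.677; run 'execute update-now'" % ver)
    if profile not in deep_inspection_profiles(config_text):
        problems.append("profile %r does not set 'inspect-all deep-inspection'" % profile)
    return problems
```
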
Step 4: Delete utmp folder

A computer running UltraSurf may have cached one UltraSurf server's IP address.  This can be cleaned by deleting the temporary folder "utmp" in the folder where the UltraSurf program is located, and the UltraSurf temporary files in "C:\Documents and Settings\your windows account\Local Settings\Temp".

The temporary file names are random; if unsure about which files in this folder are temporary UltraSurf files then it may be better to delete all files in the folder.

Step 5: Flush DNS from the client machine

Flush the DNS from the PCs using the following command:
C:\>ipconfig /flushdns

These signatures also detect some DNS queries. If an internal DNS server is being used, the signatures must also be applied in the policy that handles traffic from the computers running UltraSurf to the DNS server.

Verify whether UltraSurf 15.01 is getting blocked

Connect to the UltraSurf 15.01 server. After a few minutes, the application should display the message "Failed to connect to server".

In the GUI, go to Log & Report > Security Log > Application Control.

Related Articles

Technical Note: How to block Ultrasurf Proxy in FortiOS 5.0 and 5.2