Description
This document describes the procedure to block the proxy application UltraSurf Version 15.01 on a FortiGate.
Solution
Step 1: IPS-DB
Ensure that the IPS signature definition running on the FortiGate is 6.677 or higher, as new UltraSurf signatures were added to the IPS definition at that version.
For example:
FG80CM3911601580 # get sys stat
Version: FortiGate-80CM v5.2.3,build0670,150318 (GA)
Virus-DB: 26.00832(2015-07-19 22:12)
Extended DB: 26.00082(2015-06-17 23:12)
IPS-DB: 6.00677(2015-07-17 00:18) <<<<< 6.677 or higher
IPS-ETDB: 0.00000(2001-01-01 00:00)
Serial-Number: FG80CM3911601580
The following command can be executed in CLI to obtain the latest IPS definitions:
#execute update-now
Step 2: Application control profile
In the GUI, go to Security Profiles > Application Control, select the Application Control Profile from the drop-down list in the top right-hand corner, then go to Application Overrides > Add Signatures and select the following signatures:
- Ultrasurf
- Ultrasurf_9.6 +
Step 3: SSL Inspection
The new UltraSurf protocol is designed to mimic a real, legitimate SSL handshake, and the false positive rate is too high without inspecting the session content. The signatures therefore require deep inspection to work.
Without deep inspection, the signatures will not be able to block UltraSurf.
For example:
config firewall ssl-ssh-profile
edit "Deep-Inspection-1"
config ssl
set inspect-all deep-inspection
end
end
Step 4: Delete the utmp folder
A computer running UltraSurf may have cached the IP address of an UltraSurf server. This cache can be cleared by deleting the temporary folder "utmp" in the folder where the UltraSurf program is located, and the UltraSurf temporary files in "C:\Documents and Settings\your windows account\Local Settings\Temp".
The temporary file names are random; if it is unclear which files in that folder belong to UltraSurf, it may be better to delete all files in the folder.
Step 5: Flush DNS from the client machine
Flush the DNS cache on the PCs using the following command:
C:\> ipconfig /flushdns
These signatures also detect some DNS queries. If an internal DNS server is in use, the application control profile must also be applied in the firewall policy covering traffic from the computers running UltraSurf to that DNS server.
Verify whether UltraSurf 15.01 is getting blocked
Connect to the UltraSurf 15.01 server. After a few minutes, the message "Failed to connect to server" should appear in the application.
In the GUI, go to Log & Report > Security Log > Application Control.
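The verification above is done by eye in the GUI; as an added example (not part of this note or any Fortinet tool), the following Python script parses FortiGate application control log lines in key=value syslog form and reports which internal hosts still had UltraSurf sessions that were not blocked, which is the symptom of a policy without deep inspection. The sample lines are constructed, and the field names (subtype, app, action, srcip) are assumed to follow the FortiOS app-ctrl log layout.

```python
import re
from collections import Counter

# Constructed sample lines in FortiGate key=value syslog style (not captured
# from a real device); field names follow FortiOS app-ctrl logs, values are made up.
SAMPLE_LOG = """\
date=2015-07-20 time=10:01:02 devname=FG80CM type=utm subtype=app-ctrl eventtype=app-ctrl-all level=warning srcip=192.0.2.10 dstip=198.51.100.7 proto=6 service=SSL app="Ultrasurf" appcat="Proxy" action=block msg="Proxy: Ultrasurf,"
date=2015-07-20 time=10:01:05 devname=FG80CM type=utm subtype=app-ctrl eventtype=app-ctrl-all level=information srcip=192.0.2.11 dstip=198.51.100.9 proto=6 service=SSL app="Ultrasurf_9.6+" appcat="Proxy" action=pass msg="Proxy: Ultrasurf_9.6+,"
date=2015-07-20 time=10:01:07 devname=FG80CM type=utm subtype=app-ctrl eventtype=app-ctrl-all level=information srcip=192.0.2.12 dstip=203.0.113.5 proto=6 service=HTTPS app="Google.Web.Search" appcat="Web.Client" action=pass msg="Web.Client: Google.Web.Search,"
date=2015-07-20 time=10:01:09 devname=FG80CM type=utm subtype=app-ctrl eventtype=app-ctrl-all level=warning srcip=192.0.2.10 dstip=198.51.100.8 proto=17 service=DNS app="Ultrasurf" appcat="Proxy" action=block msg="Proxy: Ultrasurf,"
"""

# key=value pairs; values are either a double-quoted string (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_line(line):
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields

def ultrasurf_events(log_text):
    """Return the app-ctrl events whose application signature is an Ultrasurf one."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("subtype") == "app-ctrl" and f.get("app", "").lower().startswith("ultrasurf"):
            events.append(f)
    return events

def summarize(log_text):
    """Count Ultrasurf events per (srcip, action) so blocked and passed hosts are visible."""
    return dict(Counter((e["srcip"], e["action"]) for e in ultrasurf_events(log_text)))

def unblocked_hosts(log_text):
    """Source IPs with Ultrasurf detections that were not blocked (check their policy's SSL profile)."""
    return sorted({e["srcip"] for e in ultrasurf_events(log_text) if e["action"] != "block"})

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("hosts still passing Ultrasurf:", unblocked_hosts(SAMPLE_LOG))
```

Feed the script the app-ctrl log export from Log & Report > Security Log > Application Control; any host listed by unblocked_hosts still needs the deep inspection profile from Step 3 on the policy it matches.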
Related Articles
Technical Note: How to block Ultrasurf Proxy in FortiOS 5.0 and 5.2