This document describes the procedure to block the proxy application UltraSurf version 15.01 on the FortiGate.

Solution

Step 1: IPS-DB
Ensure that the IPS signature definition running on the FortiGate is 6.677 or above, as the new UltraSurf signatures were added in that IPS definition. Check the running versions with "get system status":

FG80CM3911601580 # get sys stat
Version: FortiGate-80CM v5.2.3,build0670,150318 (GA)
Virus-DB: 26.00832(2015-07-19 22:12)
Extended DB: 26.00082(2015-06-17 23:12)
IPS-DB: 6.00677(2015-07-17 00:18) <<<<< 6.677 or higher
IPS-ETDB: 0.00000(2001-01-01 00:00)

If the IPS-DB is older than 6.677, the following command can be executed in the CLI to pull the latest definitions from FortiGuard:

# execute update-now

Step 2: Application control profile
In the GUI, go to Security Profiles > Application Control, select the Application Control profile from the drop-down list in the top right-hand corner, then under Application Overrides choose Add Signatures and select the following signature(s) with the action set to Block:
- Ultrasurf_9.6+
Step 3: SSL Inspection
The new UltraSurf protocol is designed to mimic a legitimate SSL handshake, so without inspecting the session content the false-positive rate would be too high. The signature therefore only matches when the session is deep-inspected: without an SSL/SSH inspection profile set to deep inspection on the policy, the signature will not block UltraSurf.

config firewall ssl-ssh-profile
    set inspect-all deep-inspection

Deep inspection re-signs server certificates with the FortiGate's SSL proxy CA, so that CA certificate must be trusted by the client machines or every HTTPS site will raise certificate warnings.

Step 4: Delete utmp folder
A computer running UltraSurf may have cached the IP address of an UltraSurf server it reached earlier, which lets it reconnect without the discovery traffic the signatures catch. Clear this cache by deleting the temporary folder "utmp" in the folder where the UltraSurf program is located, and the UltraSurf temporary files in "C:\Documents and Settings\your windows account\Local Settings\Temp".
The temporary file names are random; if it is unclear which files in that folder belong to UltraSurf, it may be simpler to delete all files in the folder.
Step 5: Flush DNS from the client machine
Flush the DNS resolver cache on the PCs (on Windows, "ipconfig /flushdns") so that previously resolved UltraSurf server addresses are discarded.

Note on DNS: the UltraSurf signatures also detect some of UltraSurf's DNS queries. If an internal DNS server is used, the application control profile must also be applied to the firewall policy that carries traffic from the computers running UltraSurf to that DNS server; otherwise those queries are never inspected.
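The complete FortiGate CLI configuration for Steps 1 to 3 and the DNS note above, as an added example that is not part of the original technical note and was not taken from Fortinet documentation. It assumes FortiOS 5.2 CLI syntax, interfaces named internal, wan1 and dmz, an internal DNS server at 10.0.10.53, the profile names block-ultrasurf and deep-inspection, and policy IDs 10 and 11; all of these are assumptions, not values from the note. The lines beginning with # are annotations for the reader and are not accepted by the FortiOS CLI, so strip them before pasting. The placeholder <ultrasurf-signature-ids> stands for the numeric IDs of the UltraSurf signatures selected in Step 2 (application overrides are stored by numeric signature ID, shown beside each signature in the GUI list); it is not a real value.

```fortios
# Step 1: check the IPS-DB line (needs 6.677 or higher), then update if it is older
get system status
execute update-now

# Step 2: application control profile that blocks only the UltraSurf signatures
# and lets every other application pass (assumed profile name: block-ultrasurf)
config application list
    edit "block-ultrasurf"
        set comment "Block UltraSurf proxy (added example)"
        set other-application-action pass
        set unknown-application-action pass
        set deep-app-inspection enable
        config entries
            edit 1
                set application <ultrasurf-signature-ids>
                set action block
                set log enable
            next
        end
    next
end

# Step 3: SSL/SSH inspection profile with deep inspection of all ports,
# signing with the FortiGate's default SSL proxy CA (assumed profile name: deep-inspection)
config firewall ssl-ssh-profile
    edit "deep-inspection"
        set comment "Deep inspection required for the UltraSurf signature"
        set inspect-all deep-inspection
        set caname "Fortinet_CA_SSLProxy"
    next
end

# Address object for the internal DNS server (assumed address)
config firewall address
    edit "internal-dns-server"
        set subnet 10.0.10.53 255.255.255.255
    next
end

# Policy 10: client-to-Internet traffic with both profiles applied.
# Policy 11: client-to-internal-DNS traffic with the application profile applied,
# because the UltraSurf signatures also match some DNS queries.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set profile-protocol-options "default"
        set application-list "block-ultrasurf"
        set ssl-ssh-profile "deep-inspection"
        set nat enable
    next
    edit 11
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "internal-dns-server"
        set action accept
        set schedule "always"
        set service "DNS"
        set utm-status enable
        set profile-protocol-options "default"
        set application-list "block-ultrasurf"
    next
end
```

Policy 10 must sit above any broader internal-to-wan1 policy that lacks the two profiles, since the FortiGate matches policies top-down and a permissive earlier match would let UltraSurf through uninspected. Because deep inspection re-signs every server certificate with Fortinet_CA_SSLProxy, export that CA and install it in the clients' trusted root store before enabling the policy; applications that pin their certificates will still fail and need their own exemptions. Policy 11 is only needed when the DNS server is internal; clients that resolve directly against Internet resolvers are already covered by policy 10.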
Verify whether UltraSurf 15.01 is being blocked
Start UltraSurf 15.01 on a client behind the FortiGate and let it try to connect. After a few minutes the application should display the message "Failed to connect to server".
The blocked sessions are logged in the GUI under Log & Report > Security Log > Application Control.
Technical Note: How to block Ultrasurf Proxy in FortiOS 5.0 and 5.2