DescriptionMany organizations block access to particular web sites as part of their company policy. However, it is sometimes possible to bypass company browsing restrictions by using proxy avoidance applications. UltraSurf is one such application.
This article provides the steps to block UltraSurf through a security policy.
SolutionFortiOS v3.00 :
Using v3 firmware the latest UltraSurf versions cannot be blocked by the selection of the relevant IPS signatures. Only UltraSurf versions 8.7 to 9.5 can be blocked in this way. In order to block the latest UltraSurf versions a firmware upgrade to v4 should be considered.
UltraSurf traffic does not have a permanent structure and characteristics so it is not possible to create effective signature and behavioural detection. However, this can be achieved using the application control functionality that was introduced in v4 firmware.
FortiOS v4.00 and above :
Application control should be used in v4 firmware instead of IPS to block UltraSurf.
Steps
1. Go to UTM > Application Control > Create new list > Select type as Black List > Select Create New
2. Select Category proxy from the list and add UltraSurf and UltraSurf 9.6+ and Freegate.Searching, then select action block for each signature. It is important to add these three signatures to the list.
3. Edit the relevant protection profile(s) and edit Application control section. Enable Application Black/White List and select the previously created list.
General troubleshooting
1. Make sure the latest IPS signatures version is being used. In order to use UltraSurf 9.6+ signature the minimum signature version must be 2.851.
2. Clear all existing sessions on the firewall after having configured the new application control policy. A session will continue to work if it was established before the policy was enabled.
Run from CLI :
diagnose sys session clear |
or reboot the FortiGate.
Note: Although UltraSurf sometimes indicates it successfully connects to its server, the connection will be broken soon. The UltraSurf homepage may sometimes be shown. These are expected behaviors but the user should not be able to access other websites.
The UltraSurf software is constantly being updated and it is possible that future versions will not be blocked by the existing signatures. In this case please open a ticket with Fortinet Support and report the version that is being used, if possible provide traffic sniffer capture.
Related Articles
Technical Note : Blocking Ultra Surf using Application Control ultrasurf 9.6+ (IPS Engine DB 3.00049...