Victor
New Contributor III

Gpass

Anyone have any experience with Gpass? It is the Swiss army knife of proxy apps. It can utilize ultrasurf, tor, skype, and socks. Furthermore, users can map other applications beyond browsers to utilize its proxy services. I have had a call ticket in with Fortinet since the beginning of September and the IPS team has not posted since the middle of that month. It is a huge vector to block & I have my sympathies for the IPS developers, but as I said to them... "You sold me a web filtering service, so address this challenge." In the meantime, if any of you have encountered this app & had any success in crippling or slowing it down, I would appreciate the feedback. At present, tor & ultrasurf (with the exception of the new variant) have been addressed. I am running version 3.0 MR7. At present version 4 is not an option, but I suspect that it is an issue with that release as Fortinet would have very quickly informed me of that upgrade path to resolve the issue. Look forward to your comments. Victor
4 REPLIES 4
billp
Contributor

Frustrating. This is a concern for me as well. My guess is that this problem will be solved when they are able to block the latest version of Ultrasurf. For what it's worth, you can block the latest Ultrasurf if you do deep SSL scanning, but that's a lot of overhead to just block one piece of malware. I imagine this would catch Gpass as well, although I haven't done any testing. I suspect they will need to add a checkbox to the next firmware that will detect improperly formed SSL sessions without having to activate deep SSL scanning for the entire box. I've seen other boxes do that (especially those designed for schools), and I would think it would catch a whole spectrum of proxy software. Bill

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1
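
Added example, not part of Bill's post and not Fortinet code: a sketch of the kind of check he describes, classifying the first client bytes of a port-443 flow as a well-formed TLS ClientHello or not, without decrypting anything. The thread does not say how any particular proxy tool malforms its sessions, so the structural checks and the sample bytes are constructed assumptions.

```python
import struct

HANDSHAKE = 0x16             # TLS record content type: handshake
CLIENT_HELLO = 0x01          # handshake message type
MAX_RECORD = 2**14 + 2048    # upper bound on a TLS record length
MIN_HELLO = 41               # version + random + empty session id + 1 suite + 1 compression

def check_first_record(data: bytes) -> str:
    """Return 'ok' or the reason the bytes are not a well-formed ClientHello.
    Assumption: SSLv2-style hellos are not accepted and would be flagged."""
    if len(data) < 5:
        return "short: no complete record header"
    ctype, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if ctype != HANDSHAKE:
        return "not a handshake record"
    if major != 3 or minor > 4:
        return "bad record version"
    if rec_len == 0 or rec_len > MAX_RECORD:
        return "bad record length"
    body = data[5:5 + rec_len]
    if len(body) < 4:
        return "short: no handshake header"
    if body[0] != CLIENT_HELLO:
        return "first handshake message is not ClientHello"
    if int.from_bytes(body[1:4], "big") < MIN_HELLO:
        return "ClientHello too short"
    if len(body) < 39:
        return "short: truncated ClientHello"
    if body[4] != 3:                      # client_version major
        return "bad client_version"
    if body[38] > 32:                     # session_id length field
        return "bad session_id length"
    return "ok"

def build_hello() -> bytes:
    """Constructed minimal ClientHello used as the known-good sample."""
    hello = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    hs = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BBBH", HANDSHAKE, 3, 1, len(hs)) + hs

if __name__ == "__main__":
    samples = {                           # constructed first-packet payloads
        "valid hello": build_hello(),
        "plain HTTP on 443": b"GET / HTTP/1.1\r\n",
        "opaque bytes": bytes([0x16, 3, 1, 0, 45, 2]) + bytes(44),
    }
    for name, payload in samples.items():
        print(f"{name}: {check_first_record(payload)}")
```

A check like this only catches traffic that does not look like TLS at all; a tunnel that performs a genuine TLS handshake passes it.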
Victor
New Contributor III

Bill: Gpass is far more than a tor or ultrasurf adjunct. Tor and the current ultrasurf signatures - with the exception of the latest Ultrasurf - will kill the gpass client if it is so configured. It is when it uses skype or socks that the real threat of this product comes to light. Furthermore, non-traditional internet apps (i.e. outside of http & ftp) can be set up to interface with gpass and pass their data over a proxied port such as ftp, dns, https, etc. Gets very tricky to block it, & so far, Fortinet has not come up with a solution. Victor
billp
Contributor

Thanks. Just read up on this. This is probably a very tall order. Interesting to see if they can block this. Please post if/when you hear back. Seems like we're heading down the road where we'll need some type of AI to interpret packets and server logs to indicate evasive proxy/malware behavior like this. I think this is the approach Palo Alto Networks takes, but (at least when I evaluated) they were much more than Fortinet and were not as mature in other areas. This will be an area FTG will need to tackle to remain competitive, though. Bill

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1
Victor
New Contributor III

There is a new gpass signature. It works with application control in version 4x code. It works quite well, though in our environment it still has the Skype option, as Skype is an allowed application.