Blocking Ultrasurf

In this recipe, you will use antivirus scanning and application control to block network users from downloading and using Ultrasurf. As mentioned in a recent SysAdmin Note, Ultrasurf is an application that is used to bypass firewalls and browse the Internet anonymously.

In order to complete the final part of this recipe, download Ultrasurf before any security scanning is applied to your Internet traffic.

1. Enabling AntiVirus and Application Control

Go to System > Config > Features and make sure both AntiVirus and Application Control are enabled. If necessary, Apply your changes.

 

2. Editing the default Application Control profile

Go to Security Profiles > Application Control and edit the default profile. Under Applications Override, select Add Signatures.

Search for ultrasurf. Select the signatures, then select Use Selected Signatures.


 

The signatures will be added to the list, with Action set to block. You will also need to block the signature Freegate.Searching.

If you want to include all proxy applications, you can also choose to block the entire Proxy category.

 

3. Adding AntiVirus and Application Control profiles to a security policy

Go to Policy & Objects > Policy > IPv4 and edit the policy that allows connections from the internal network to the Internet.

Under Security Profiles, enable both AntiVirus and Application Control and set both to use the default profiles. Set SSL/SSH Inspection to deep-inspection.

 

4. Updating your AntiVirus and IPS definitions  

Because Ultrasurf is constantly changing, it is recommended to update your AntiVirus and IPS definitions regularly, so that you can continue to block later versions of the application.

To set up regular updates, go to System > Config > FortiGuard and expand AV & IPS Download Options. Select an appropriate time for definitions to be downloaded.

You can also manually push an update by selecting Update Now.

 

5. Results

Attempt to browse to ultrasurf.us. The page will not load.

On your FortiGate, go to Log & Report > Traffic Log > Forward Traffic and filter for Destination IP: 65.49.14.131 (the IP of ultrasurf.us). Traffic to this destination was blocked by the FortiGate.

 

Attempt to download the Ultrasurf files from a third-party website, such as Download.com.

The download will be blocked.

 

Attempt to use the copy of Ultrasurf you downloaded on your computer before starting this recipe. You will be unable to contact a server.

On your FortiGate, go to System > FortiView > Applications > 5 minutes. You will see that the FortiGate has blocked Ultrasurf.
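
The same checks can be run over exported logs instead of the GUI. The following is an added example, not part of the original recipe: the log lines are constructed, and the key=value field names (srcip, dstip, app, action, policyid) and the action values are assumptions about the export format. It counts blocked Ultrasurf and Freegate attempts per internal host and lists any matching traffic that was not blocked, for example on a policy that does not have the profiles from step 3.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate-style key=value format (field names assumed).
SAMPLE_LOG = '''\
date=2015-09-14 time=10:02:11 type=traffic subtype=forward srcip=192.168.1.110 dstip=65.49.14.131 dstport=443 policyid=1 action=deny app="Ultrasurf_9.6+"
date=2015-09-14 time=10:02:40 type=utm subtype=app-ctrl srcip=192.168.1.110 dstip=203.0.113.20 dstport=443 policyid=1 action=block app="Ultrasurf_9.6+" appcat="Proxy"
date=2015-09-14 time=10:03:05 type=utm subtype=app-ctrl srcip=192.168.1.125 dstip=203.0.113.77 dstport=443 policyid=3 action=pass app="Freegate.Searching" appcat="Proxy"
date=2015-09-14 time=10:03:30 type=traffic subtype=forward srcip=192.168.1.130 dstip=198.51.100.9 dstport=80 policyid=1 action=accept app="HTTP.BROWSER"
'''

KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')
WATCHED_APPS = ("ultrasurf", "freegate")         # signatures named in the recipe
WATCHED_DST = {"65.49.14.131"}                   # ultrasurf.us address given in the recipe
BLOCKED = {"block", "deny", "blocked", "reset"}  # assumed "traffic was stopped" action values

def parse_line(line):
    """Turn one key=value log line into a dict, unquoting quoted values."""
    return {k: (inner if raw.startswith('"') else raw) for k, raw, inner in KV.findall(line)}

def review(log_text):
    """Return (blocked, gaps): blocked attempts counted per source IP, and
    events that matched a watched app or destination but were not blocked."""
    blocked, gaps = defaultdict(int), []
    for line in log_text.splitlines():
        ev = parse_line(line)
        app = ev.get("app", "").lower()
        hit = any(w in app for w in WATCHED_APPS) or ev.get("dstip") in WATCHED_DST
        if not ev or not hit:
            continue
        if ev.get("action", "").lower() in BLOCKED:
            blocked[ev.get("srcip", "unknown")] += 1
        else:
            gaps.append((ev.get("srcip"), ev.get("app"), ev.get("policyid"), ev.get("action")))
    return dict(blocked), gaps

if __name__ == "__main__":
    blocked, gaps = review(SAMPLE_LOG)
    for src, count in sorted(blocked.items()):
        print(f"{src}: {count} blocked attempt(s)")
    for src, app, policy, action in gaps:
        print(f"NOT BLOCKED: {src} app={app} policy={policy} action={action}")
```

Any line reported as not blocked names the policy ID to review.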

 

For further reading, check out AntiVirus and Application control in the FortiOS 5.2 Handbook.

Victoria Martin


Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.

Using the deep-inspection profile may cause certificate errors. For information about avoiding this, see Preventing certificate warnings.
This result may vary based on which browser is being used. In the example, Firefox version 40.0.3 was used.
You may have to exit Ultrasurf in order to connect to your FortiGate.

Leave a comment:


  • Trần Toàn

    I cannot block Ultrasurf 15.04, please help me!

    • Victoria Martin

      Hello,

      The application signature “Ultrasurf_9.6+” also includes signatures for Ultrasurf version 15.04. So first off, I would make sure that you have the most recent version of the Application Control signature database, by going to System > Config > FortiGuard, expanding AV & IPS Download Options, and selecting Update Now. You can also use the CLI command #execute update-now.

      Also, make sure you are using the deep-inspection profile for SSL inspection, as this is required for Application Control to work.

      Finally, if you are testing Ultrasurf, your computer may have cached one UltraSurf server’s IP address. This can be cleaned by deleting the temporary folder “utmp” in the folder where the UltraSurf program is located, and the UltraSurf temporary files in “C:\Documents and Settings\your windows account\Local Settings\Temp”. For more information about this, there’s an article in the Knowledge Base: http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD37299

      I hope that helps!

  • Joaquin Alberto Sigales Granie

    Try to send a quarantine to the user or IP with the ACL.

  • Carlos Benitez

    I can blocking ultrasurf with deep-inspection because also blocks e.g: google! What can I do?