In this recipe, you will use antivirus scanning and application control to block network users from downloading and using Ultrasurf. As mentioned in a recent SysAdmin Note, Ultrasurf is an application that is used to bypass firewalls and browse the Internet anonymously.
In order to complete the final part of this recipe, download Ultrasurf before any security scanning is applied to your Internet traffic.
1. Enabling AntiVirus and Application Control

Go to System > Config > Features and make sure both AntiVirus and Application Control are enabled. If necessary, Apply your changes.

2. Editing the default Application Control profile

Go to Security Profiles > Application Control and edit the default profile. Under Applications Override, select Add Signatures. Search for ultrasurf. Select the signatures, then select Use Selected Signatures.

The signatures will be added to the list, with Action set to block. You will also need to block the signature Freegate.Searching. If you want to include all proxy applications, you can also choose to block the entire Proxy category.

3. Adding AntiVirus and Application Control profiles to a security policy

Go to Policy & Objects > Policy > IPv4 and edit the policy that allows connections from the internal network to the Internet. Under Security Profiles, enable both AntiVirus and Application Control and set both to use the default profiles. Set SSL/SSH Inspection to deep-inspection.

4. Updating your AntiVirus and IPS definitions

Because Ultrasurf is constantly changing, it is recommended to update your AntiVirus and IPS definitions regularly, so that you can continue to block later versions of the application. To set up regular updates, go to System > Config > FortiGuard and expand AV & IPS Download Options. Select an appropriate time for definitions to be downloaded. You can also manually push an update by selecting Update Now.

5. Results

Attempt to browse to ultrasurf.us. The page will not load. On your FortiGate, go to Log & Report > Traffic Log > Forward Traffic and filter for Destination IP: 65.49.14.131 (the IP of ultrasurf.us). Traffic to this destination was blocked by the FortiGate.

Attempt to download the Ultrasurf files from a third-party website, such as Download.com.

Attempt to use the copy of Ultrasurf you downloaded on your computer before starting this recipe. You will be unable to contact a server. On your FortiGate, go to System > FortiView > Applications > 5 minutes. You will see that the FortiGate has blocked Ultrasurf.

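To check the results of step 5 from exported logs rather than the GUI, the following added example (not part of the original recipe and not Fortinet code) parses key=value log lines and lists any session to ultrasurf.us, or matching the Ultrasurf or Freegate signatures, that was not blocked. The sample log lines are constructed, and the field names and the set of action values treated as blocked are assumptions to adjust to your own log export.

```python
import shlex

# Constructed sample lines in FortiGate-style key=value format (not real logs).
SAMPLE_LOG = '''\
date=2015-01-12 time=10:01:07 type=traffic subtype=forward srcip=192.168.1.110 dstip=65.49.14.131 dstport=443 action=deny
date=2015-01-12 time=10:03:41 type=utm subtype=app-ctrl srcip=192.168.1.110 dstip=203.0.113.20 dstport=443 app="Ultrasurf" appcat="Proxy" action=block
date=2015-01-12 time=10:04:02 type=traffic subtype=forward srcip=192.168.1.115 dstip=198.51.100.7 dstport=80 app="HTTP.BROWSER" action=accept
date=2015-01-12 time=10:05:19 type=utm subtype=app-ctrl srcip=192.168.1.120 dstip=203.0.113.44 dstport=443 app="Freegate.Searching" appcat="Proxy" action=pass
'''

WATCH_IP = "65.49.14.131"               # ultrasurf.us, as given in the recipe
WATCH_APPS = ("ultrasurf", "freegate")  # signature names blocked in step 2
# Assumption: action values that mean the session was stopped.
BLOCKED_ACTIONS = {"deny", "block", "blocked", "reset", "dropped"}


def parse_line(line):
    """Split one key=value log line into a dict, honouring quoted values."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_watched(rec):
    """True if the record concerns ultrasurf.us or a watched signature."""
    app = rec.get("app", "").lower()
    return rec.get("dstip") == WATCH_IP or any(n in app for n in WATCH_APPS)


def audit(log_text):
    """Return (blocked, leaked) lists of watched records."""
    blocked, leaked = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if is_watched(rec):
            stopped = rec.get("action", "").lower() in BLOCKED_ACTIONS
            (blocked if stopped else leaked).append(rec)
    return blocked, leaked


if __name__ == "__main__":
    blocked, leaked = audit(SAMPLE_LOG)
    print(f"{len(blocked)} watched sessions blocked, {len(leaked)} not blocked")
    for rec in leaked:
        print("NOT BLOCKED:", rec.get("srcip"), "->", rec.get("dstip"), rec.get("app"))
```

Any record reported as not blocked points to a policy that is missing the Application Control profile or deep inspection from step 3, or to a signature that was not added in step 2.
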
For further reading, check out AntiVirus and Application control in the FortiOS 5.2 Handbook.
The post Blocking Ultrasurf appeared first on Fortinet Cookbook.