Options

Application control Wujie/UltraSurf

Robert_VilhelmsenRobert_Vilhelmsen
in Firebox - Subscription Services

Hi

FireboxV 12.10.2

Starting from 19/4/24 i see application control wrongly identifying some Edge/Chrome traffic as Wujie/UltraSurf whick i block. At first it was not so muck traffic identified wrong but from the past weekend till today, it was so much many sites stopped working.

2024-04-29 14:17:12 Deny 1.2.3.4 194.156.210.87 https/tcp 52973 443 KaufmannFields External-ACL-21672 Application identified 1394 64 (HTTPS-proxy-Butikker-Out-00) proc_id="firewall" rc="101" msg_id="3000-0149" src_ip_nat="1.2.3.4" tcp_info="offset 5 A 1543469473 win 29445" app_id="9" app_name="Wujie/UltraSurf" app_cat_id="12" app_cat_name="Tunneling and proxy services" app_beh_id="1" app_beh_name="Authentication" action="AppControl.Butikker" sig_vers="18.312" src_user="x" geo_dst="DEU" Traffic

For a long time Microsoft active directory traffic has also been identified as Wujie/UltraSurf, but this i allowed as it was/is false/positive.

Anyone else seeing this issue?

Regards
Robert

Comments

  • Options
    james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @Robert_Vilhelmsen
    In general, application control being run on HTTPS traffic that is not being content inspected will be less accurate than traffic that is. Wujie/UltraSurf specifically tries to make its traffic appear as multiple other protocols (like https.) If you're seeing false positives for this via HTTPS, I'd suggest trying with content inspection turned on.

    If you continue running into this, I would suggest opening a support case. We can get a packet capture of the false positive and work on improving the signature in a future release.

    -James Carson
    WatchGuard Customer Support

  • Options
    Robert_VilhelmsenRobert_Vilhelmsen

    Hi @james.carson

    This is with content inspection turned on in https proxy policies and i do sd-wan from all my remote sites through these proxy policies and i´l see this from every remote location.

    Of cause i do not have content inspection turned on on my AD polices so a false positive here is okay, but with the rate of detections in https proxies is odd. Seems it started around 19/4, maybe with signature version 18.310. Application control and intrusion prevention service update history is empty in FSM even though the firebox has not been rebooted for quite some time.

    /Robert

Sign In to comment.