Application control Wujie/UltraSurf

Hi

FireboxV 12.10.2

Starting from 19/4/24 I see application control wrongly identifying some Edge/Chrome traffic as Wujie/UltraSurf, which I block. At first it was not so much traffic identified wrong, but from the past weekend till today it was so much that many sites stopped working.

2024-04-29 14:17:12 Deny 1.2.3.4 194.156.210.87 https/tcp 52973 443 KaufmannFields External-ACL-21672 Application identified 1394 64 (HTTPS-proxy-Butikker-Out-00) proc_id="firewall" rc="101" msg_id="3000-0149" src_ip_nat="1.2.3.4" tcp_info="offset 5 A 1543469473 win 29445" app_id="9" app_name="Wujie/UltraSurf" app_cat_id="12" app_cat_name="Tunneling and proxy services" app_beh_id="1" app_beh_name="Authentication" action="AppControl.Butikker" sig_vers="18.312" src_user="x" geo_dst="DEU" Traffic

For a long time Microsoft Active Directory traffic has also been identified as Wujie/UltraSurf, but this I allowed as it was/is a false positive.

Anyone else seeing this issue?

Regards
Robert
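
As an added example (not part of this thread), a small Python parser for the Firebox "Application identified" log line quoted above: it splits the positional header fields from the key="value" pairs and counts App Control denies for one app per policy, destination and signature version, which is the view you want when judging whether a pattern update introduced a false positive. The sample log is constructed; only its first line is taken from the post.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the "Application identified" entry in the post above.
# Line 1 is the post's own entry (trimmed); the others are made-up variations for triage.
SAMPLE_LOG = """\
2024-04-29 14:17:12 Deny 1.2.3.4 194.156.210.87 https/tcp 52973 443 KaufmannFields External-ACL-21672 Application identified 1394 64 (HTTPS-proxy-Butikker-Out-00) proc_id="firewall" rc="101" msg_id="3000-0149" app_id="9" app_name="Wujie/UltraSurf" app_cat_name="Tunneling and proxy services" action="AppControl.Butikker" sig_vers="18.312" Traffic
2024-06-28 09:01:05 Deny 1.2.3.4 203.0.113.10 https/tcp 50111 443 KaufmannFields External-ACL-21672 Application identified 1200 60 (HTTPS-proxy-Butikker-Out-00) proc_id="firewall" rc="101" msg_id="3000-0149" app_id="9" app_name="Wujie/UltraSurf" app_cat_name="Tunneling and proxy services" action="AppControl.Butikker" sig_vers="18.322" Traffic
2024-06-28 09:01:09 Deny 1.2.3.4 203.0.113.10 https/tcp 50112 443 KaufmannFields External-ACL-21672 Application identified 1200 60 (HTTPS-proxy-Butikker-Out-00) proc_id="firewall" rc="101" msg_id="3000-0149" app_id="9" app_name="Wujie/UltraSurf" app_cat_name="Tunneling and proxy services" action="AppControl.Butikker" sig_vers="18.322" Traffic
2024-06-28 09:02:00 Allow 1.2.3.4 10.0.0.5 tcp 50113 389 KaufmannFields Trusted-ACL-1 Application identified 900 40 (AD-Out-00) proc_id="firewall" rc="100" msg_id="3000-0149" app_id="9" app_name="Wujie/UltraSurf" app_cat_name="Tunneling and proxy services" action="AppControl.AD" sig_vers="18.322" Traffic
2024-06-28 09:03:00 Deny 1.2.3.4 198.51.100.7 https/tcp 50114 443 KaufmannFields External-ACL-21672 Application identified 1100 50 (HTTPS-proxy-Butikker-Out-00) proc_id="firewall" rc="101" msg_id="3000-0149" app_id="99" app_name="SomeOtherApp" app_cat_name="Other" action="AppControl.Butikker" sig_vers="18.322" Traffic
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')       # key="value" pairs after the header
POLICY_RE = re.compile(r'\(([^)]*)\)')       # the "(policy-name)" token

def parse_firebox_line(line):
    """Split one Firebox traffic log line into header fields plus key="value" pairs.
    The positional verdict is stored as "disposition" so the later action="..." pair
    (the App Control action name) does not overwrite it."""
    parts = line.split()
    rec = {
        "timestamp": f"{parts[0]} {parts[1]}",
        "disposition": parts[2],
        "src_ip": parts[3],
        "dst_ip": parts[4],
        "service": parts[5],
        "src_port": int(parts[6]),
        "dst_port": int(parts[7]),
    }
    m = POLICY_RE.search(line)
    rec["policy"] = m.group(1) if m else ""
    rec.update(KV_RE.findall(line))
    return rec

def appcontrol_hits(lines, app_name="Wujie/UltraSurf", disposition="Deny"):
    """Count hits for one app with the given verdict, keyed by (policy, dst_ip, sig_vers),
    so a spread to new destinations after a signature update stands out."""
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_firebox_line(line)
        if rec["disposition"] == disposition and rec.get("app_name") == app_name:
            counts[(rec["policy"], rec["dst_ip"], rec.get("sig_vers", ""))] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(appcontrol_hits(SAMPLE_LOG.splitlines()).items()):
        print(n, *key)
```

Feed it the traffic log exported from Traffic Monitor or Dimension and the allowed AD policy hits drop out while the HTTPS proxy denies are grouped by signature version.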

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @Robert_Vilhelmsen
    In general, application control being run on HTTPS traffic that is not being content inspected will be less accurate than traffic that is. Wujie/UltraSurf specifically tries to make its traffic appear as multiple other protocols (like HTTPS). If you're seeing false positives for this via HTTPS, I'd suggest trying with content inspection turned on.

    If you continue running into this, I would suggest opening a support case. We can get a packet capture of the false positive and work on improving the signature in a future release.

    -James Carson
    WatchGuard Customer Support

  • Hi @james.carson

    This is with content inspection turned on in HTTPS proxy policies, and I do SD-WAN from all my remote sites through these proxy policies, and I'll see this from every remote location.

    Of course I do not have content inspection turned on on my AD policies, so a false positive here is okay, but the rate of detections in HTTPS proxies is odd. Seems it started around 19/4, maybe with signature version 18.310. Application control and intrusion prevention service update history is empty in FSM even though the Firebox has not been rebooted for quite some time.

    /Robert

  • This is still happening in pattern 18.322, which is the most current as of now. I had to allow this traffic to allow normal web surfing for my users. Otherwise they got intermittent connection reset errors using Chrome Version 126.0.6478.127 which is the latest build. It also happens using Edge Version 126.0.2592.81 (latest build available). It doesn't seem to affect all websites, but https://finance.yahoo.com/ is one that triggers the app identification error consistently.
