Block Ultrasurf without using DPI-SSL in SonicOS.

In the absence of SonicWall’s DPI-SSL configuration, which would be recommended, it is still possible to mostly block Ultrasurf and other Proxy Avoidance Applications, this does include Psiphon. Please note that this will not be 100% successful, and the applications still may occasionally be successful. In most of these successful connections, however, the connection performance is extremely impacting to the user experience. This performance will help to dissuade further use of the application in most cases.
Please note, again, this will not be 100% successful at blocking all connections all the time.

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

1. Enable SonicWall’s SSL Control Service under Network |Firewall |SSL Control |Settings.  

     2. Apply SSL Control to the appropriate Zone for enforcement (Here applying to "Test-Zone")

     3.Restrict traffic in Access Rules to only required connections. Also, make sure that DNS is controlled to only trusted DNS Servers, all other communications are blocked.

      4. Use App Control Advance to restrict applications Google QUIC, DNS, SSH, and the entire category of Proxy-Access. Navigate to Policy |Security Services |App Control and search for required categories.       

•  App Category: Infrastructure >>App Name: Google Play

• App Category: Protocols | App Name: Quic

• App Category: Protocols | App Name: SSH Protocol

• App Category: Protocols | App Name: DNS Protocol

TIP: Please make sure that DNS is restricted to only trusted DNS server objections.

      5. Block the entire category of Proxy Access by navigating to Policy |Security Services |App Control, with Category as PROXY-ACCESS, Application as ALL and Viewed BY: CATEGORY.

   6. Navigating to Policy |Security services |Content Filter and Enable Enable Content Filtering Service.

   7. Block site categories for Hacking / Proxy Avoidance Systems & Not Rated by navigating to Object | Profile Objects | Content Filter | CFS Default Policy (Or any custom policy according to requirement).

•  Block Not RATED Category as well.

    Results:
    Ultrasurf may report that it connections, contacting server, or otherwise show that it is running, but it will continually time out and be virtually ineffective at running any traffic.

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

1. Enable SonicWall’s SSL Control Service, and apply it to the appropriate Zone for enforcement.
   
   
2. Restrict traffic in Access Rules to only required connections. Also, make sure that DNS is controlled to only trusted DNS Servers, and all other communications are blocked.
   
3. Use App Control Advance to restrict applications Google QUIC, DNS, SSH, and the entire category of Proxy-Access.
   
   
   
   Please make sure that DNS is restricted to only trusted DNS server objections
   
   Please make sure to block the entire category of Proxy Access
4. Make sure to enable Content Filtering, and block site categories for Hacking / Proxy Avoidance Systems & Not Rated.
   
   
5. Make sure that HTTPS Content Filtering is enabled.
   

Results:
Ultrasurf may report that it connections, contacting server, or otherwise show that it is running, but it will continually time out and be virtually ineffective at running any traffic.