https://live.paloaltonetworks.com/t5/general-topics/ssl-traffic-mis-identified-as-tor/m-p/14779#M10856 <HTML><HEAD></HEAD><BODY><P>This could be due to either&nbsp; caching of the IP + dest Port&nbsp; for app: <SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">Bittorrent and TOR</SPAN> or session prediction .</P><P></P><P>1&gt;Check the traffic Logs for Dest:74.125.24.155and destination-port 443 to see if any SSL application was seen.&lt;&lt;--To gauge if there was any SSL sent to this destination.</P><P></P><P>2&gt; Check if there are any Predict sessions:</P><P>&gt;show session all filter destination 74.125.24.155 destination-port 443 type predict</P><P></P><P>3&gt;To clear the prediction:</P><P></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">&gt;clear session all filter destination 74.125.24.155 destination-port 443 type predict</SPAN></P><P></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">4&gt;Check the status of </SPAN>appid<SPAN style="font-size: 10pt; line-height: 1.5em;"> cache.</SPAN></P><P></P><P>&gt; show running application setting</P><P>Application setting:</P><P>==&gt;Application cache&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : yes</P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">5&gt;If the app cache is yes, Try turning&nbsp; off the app cache :</SPAN></P><P>&gt; set application cache no</P><P></P><P>optional:To turn on&nbsp; app-cache </P><P>&gt; set application cache no</P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Let me know if this helps.</SPAN></P><P></P><P>Regards,</P><P>Ameya</P></BODY></HTML> Mon, 27 May 2013 22:08:20 GMT UhMayYeah 2013-05-27T22:08:20Z https://live.paloaltonetworks.com/t5/general-topics/ssl-traffic-mis-identified-as-tor/m-p/14777#M10854 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Seeing over the last few days traffic going from our users (various different users in different locations) to IP addresses in Google's range (74.125.0.0/16) being identified as TOR, and subsequently blocked - traffic is all dest port 443.&nbsp; This is preventing access to certain websites hosted on Google's platform - appspot.com for example.</P><P></P><P>I assume Google is not running TOR nodes, and looking back over previous release notes I see PAN-OS has had trouble identifying TOR in the past.&nbsp; </P><P></P><P>(irrelevant fields removed):</P><TABLE><TBODY><TR><TD>Session ID&nbsp; </TD><TD> 3133462</TD></TR><TR><TD>Type&nbsp; </TD><TD> deny</TD></TR><TR><TD>Action&nbsp; </TD><TD> deny</TD></TR><TR><TD>Application&nbsp; </TD><TD> tor</TD></TR><TR><TD>Rule&nbsp; </TD><TD> Bittorrent and TOR</TD></TR><TR><TD>Category&nbsp; </TD><TD> web-advertisements</TD></TR><TR><TD>IP Protocol&nbsp; </TD><TD> tcp</TD></TR><TR><TD>Bytes&nbsp; </TD><TD> 2,665</TD></TR><TR><TD>Bytes Received&nbsp; </TD><TD> 2,119</TD></TR><TR><TD>Bytes Sent&nbsp; </TD><TD> 546</TD></TR><TR><TD>Repeat Count&nbsp; </TD><TD> 1</TD></TR><TR><TD>Packets&nbsp; </TD><TD> 9</TD></TR><TR><TD>Packets Received&nbsp; </TD><TD> 4</TD></TR><TR><TD>Packets Sent&nbsp; </TD><TD> 5</TD></TR><TR><TD>Source address&nbsp; </TD><TD> x.x.x.x</TD></TR><TR><TD>Source Port&nbsp; </TD><TD> 1342</TD></TR><TR><TD>Source Zone&nbsp; </TD><TD> trust</TD></TR><TR><TD>Destination address&nbsp; </TD><TD> 74.125.24.155</TD></TR><TR><TD>Destination Country&nbsp; </TD><TD> US</TD></TR><TR><TD>Destination Port&nbsp; </TD><TD> 443</TD></TR><TR><TD>Destination Zone&nbsp; </TD><TD> untrust</TD></TR></TBODY></TABLE><P></P><P>Anyone else seen this?</P><P></P><P>Liam.LL</P></BODY></HTML> Mon, 27 May 2013 14:29:35 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-traffic-mis-identified-as-tor/m-p/14777#M10854 LCMember2860 2013-05-27T14:29:35Z https://live.paloaltonetworks.com/t5/general-topics/ssl-traffic-mis-identified-as-tor/m-p/14778#M10855 <HTML><HEAD></HEAD><BODY><P>This is a&nbsp; Tor Brouser and usually used to<SPAN style="color: #444444; font-family: arial, sans-serif; font-size: small; background-color: #ffffff;"> safely browse the Internet. (anonymity over 443 port)</SPAN></P></BODY></HTML> Mon, 27 May 2013 21:50:09 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-traffic-mis-identified-as-tor/m-p/14778#M10855 Oleksandr 2013-05-27T21:50:09Z https://live.paloaltonetworks.com/t5/general-topics/ssl-traffic-mis-identified-as-tor/m-p/14779#M10856 <HTML><HEAD></HEAD><BODY><P>This could be due to either&nbsp; caching of the IP + dest Port&nbsp; for app: <SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">Bittorrent and TOR</SPAN> or session prediction .</P><P></P><P>1&gt;Check the traffic Logs for Dest:74.125.24.155and destination-port 443 to see if any SSL application was seen.&lt;&lt;--To gauge if there was any SSL sent to this destination.</P><P></P><P>2&gt; Check if there are any Predict sessions:</P><P>&gt;show session all filter destination 74.125.24.155 destination-port 443 type predict</P><P></P><P>3&gt;To clear the prediction:</P><P></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">&gt;clear session all filter destination 74.125.24.155 destination-port 443 type predict</SPAN></P><P></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">4&gt;Check the status of </SPAN>appid<SPAN style="font-size: 10pt; line-height: 1.5em;"> cache.</SPAN></P><P></P><P>&gt; show running application setting</P><P>Application setting:</P><P>==&gt;Application cache&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : yes</P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">5&gt;If the app cache is yes, Try turning&nbsp; off the app cache :</SPAN></P><P>&gt; set application cache no</P><P></P><P>optional:To turn on&nbsp; app-cache </P><P>&gt; set application cache no</P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Let me know if this helps.</SPAN></P><P></P><P>Regards,</P><P>Ameya</P></BODY></HTML> Mon, 27 May 2013 22:08:20 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-traffic-mis-identified-as-tor/m-p/14779#M10856 UhMayYeah 2013-05-27T22:08:20Z