topic Re: Block Tor application traffic. in General Topics

Block Tor application traffic.

Yusuf_PA — Fri, 03 Jul 2020 18:33:16 GMT

We are planning to block Tor application traffic in our PA device , so do we need to write security policy in both the direction and also share the steps to block the traffic in Palo Alto device.

Thanks,

Yusuf

Re: Block Tor application traffic.

MP18 — Sat, 04 Jul 2020 04:47:48 GMT

@Yusuf_PA

It depends on traffic flow if traffic is initiated from the user inside the network then you only need to block the application in security

rule for traffic from inside to outside.

If you have some Internet facing servers and users access from Internet to access that and it is using port 443 then you need to block

the application in security rule from outside to inside.

Also you need to enable ssl decryption for this it is using port 443

Regards

Re: Block Tor application traffic.

Remo — Sat, 04 Jul 2020 20:39:54 GMT

Hi @MP18

"If you have some Internet facing servers and users access from Internet to access that and it is using port 443 then you need to block the application in security rule from outside to inside."

This sounds a little confusing. From external you probably won't detect traffic coming from TOT exit nodes or do you mean when there is a TOR node bebind the paloalto firewall that is publicly available?

Re: Block Tor application traffic.

Remo — Sat, 04 Jul 2020 20:42:16 GMT

Hi @Yusuf_PA

Some help about blocking TOR you can find here: https://live.paloaltonetworks.com/t5/featured-articles/how-to-block-tor-the-onion-router/ta-p/177648

Re: Block Tor application traffic.

Yusuf_PA — Sun, 05 Jul 2020 01:06:24 GMT

Thanks MP18 and Vsys_remo

I would like to know how to write policy from untrust to trust zone and what would be the source address.

Trust to untrust Zone

Thanks

Re: Block Tor application traffic.

MP18 — Sun, 05 Jul 2020 02:20:45 GMT

@Remo

do you mean when there is a TOR node behind the paloalto firewall that is publicly available?

Yes i mean this.

Re: Block Tor application traffic.

MP18 — Sun, 05 Jul 2020 02:28:47 GMT

@Yusuf_PA

Do you have any web servers which are public facing?

IF yes then you need security policy from untrust having source address as any to the public ip of web servers.

Source Zone Untrust

Destination Zone - Where your web servers reside.

Be careful when you do this as we do not know your environment.

Re: Block Tor application traffic.

Yusuf_PA — Sun, 05 Jul 2020 03:20:53 GMT

Thanks MP

While writing security policy from zone untrust to trust can we take source address EDL (External Dynamic List) instead of any.

The following web-server (https://panwdbl.appspot.com/lists/ettor.txt) contains a list of Tor exit nodes.

Re: Block Tor application traffic.

MP18 — Mon, 06 Jul 2020 13:34:07 GMT

@Yusuf_PA

Yes you can use the source address of EDL instead of any then destination address is whatever you want to protect in you network

like servers etc.

Regards

Re: Block Tor application traffic.

OtakarKlier — Mon, 06 Jul 2020 20:38:45 GMT

Hello,

Another thing I would add are additional policies that block on Application detection. That way if there are new TOR exit nodes and you dont have the changes, you'll still block the traffic.

Hope that helps.

Re: Block Tor application traffic.

Yusuf_PA — Sun, 19 Jul 2020 09:10:10 GMT

Thanks MP18,

I will try the same as you mentioned.