SSL traffic mis-identified as TOR

L2 Linker

SSL traffic mis-identified as TOR

Hi,

Seeing over the last few days traffic going from our users (various different users in different locations) to IP addresses in Google's range (74.125.0.0/16) being identified as TOR, and subsequently blocked - traffic is all dest port 443.  This is preventing access to certain websites hosted on Google's platform - appspot.com for example.

I assume Google is not running TOR nodes, and looking back over previous release notes I see PAN-OS has had trouble identifying TOR in the past. 

(irrelevant fields removed):

Session ID  3133462
Type  deny
Action  deny
Application  tor
Rule  Bittorrent and TOR
Category  web-advertisements
IP Protocol  tcp
Bytes  2,665
Bytes Received  2,119
Bytes Sent  546
Repeat Count  1
Packets  9
Packets Received  4
Packets Sent  5
Source address  x.x.x.x
Source Port  1342
Source Zone  trust
Destination address  74.125.24.155
Destination Country  US
Destination Port  443
Destination Zone  untrust

Anyone else seen this?

Liam.LL

L3 Networker

Re: SSL traffic mis-identified as TOR

This is a Tor Browser and usually used to safely browse the Internet. (anonymity over 443 port)

L5 Sessionator

Re: SSL traffic mis-identified as TOR

This could be due to either caching of the IP + dest port for app: Bittorrent and TOR, or session prediction.

1> Check the traffic logs for Dest: 74.125.24.155 and destination-port 443 to see if any SSL application was seen. <<-- To gauge if there was any SSL sent to this destination.

2> Check if there are any Predict sessions:

> show session all filter destination 74.125.24.155 destination-port 443 type predict

3> To clear the prediction:

> clear session all filter destination 74.125.24.155 destination-port 443 type predict

4> Check the status of appid cache.

> show running application setting

Application setting:

==>Application cache             : yes


5> If the app cache is yes, try turning off the app cache:

> set application cache no

Optional: To turn on app-cache

> set application cache yes


Let me know if this helps.

Regards,

Ameya
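Step 1 of the reply above (checking whether any SSL application was seen to the same destination), as an added example that is not part of the original post: it groups traffic-log records by destination inside 74.125.0.0/16 on port 443 and reports each destination logged as `tor`, noting whether `ssl` was also identified there. The record keys reuse the field labels from the log detail quoted in the question; the sample records are constructed, and a real log export may name its columns differently.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (not real logs). Keys follow the field labels
# shown in the log detail quoted in the thread; this layout is an assumption.
SAMPLE_LOGS = [
    {"Destination address": "74.125.24.155", "Destination Port": "443", "Application": "ssl", "Action": "allow"},
    {"Destination address": "74.125.24.155", "Destination Port": "443", "Application": "ssl", "Action": "allow"},
    {"Destination address": "74.125.24.155", "Destination Port": "443", "Application": "tor", "Action": "deny"},
    {"Destination address": "74.125.24.160", "Destination Port": "443", "Application": "tor", "Action": "deny"},
    {"Destination address": "74.125.24.155", "Destination Port": "80", "Application": "web-browsing", "Action": "allow"},
    {"Destination address": "203.0.113.10", "Destination Port": "443", "Application": "tor", "Action": "deny"},
    {"Destination address": "x.x.x.x", "Destination Port": "443", "Application": "tor", "Action": "deny"},
]


def suspect_tor_hits(records, network="74.125.0.0/16", port=443):
    """Return {destination: {"apps": {app: count}, "ssl_also_seen": bool}}
    for destinations inside `network` on `port` that were logged as 'tor'.

    ssl_also_seen=True means the same IP and port was also identified as
    ssl, which is the situation step 1 of the reply asks you to look for.
    """
    net = ipaddress.ip_network(network)
    seen = defaultdict(lambda: defaultdict(int))
    for rec in records:
        try:
            addr = ipaddress.ip_address(rec["Destination address"])
            dport = int(rec["Destination Port"])
        except (KeyError, ValueError):
            continue  # skip masked (x.x.x.x) or incomplete rows
        if addr in net and dport == port:
            app = rec.get("Application", "unknown").lower()
            seen[str(addr)][app] += 1

    report = {}
    for dst, apps in seen.items():
        if "tor" in apps:
            report[dst] = {"apps": dict(apps), "ssl_also_seen": "ssl" in apps}
    return report


if __name__ == "__main__":
    for dst, info in sorted(suspect_tor_hits(SAMPLE_LOGS).items()):
        print(dst, info["apps"], "ssl also seen:", info["ssl_also_seen"])
```
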
