SSL traffic mis-identified as TOR

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

SSL traffic mis-identified as TOR

L2 Linker

Hi,

Seeing over the last few days traffic going from our users (various different users in different locations) to IP addresses in Google's range (74.125.0.0/16) being identified as TOR, and subsequently blocked - traffic is all dest port 443.  This is preventing access to certain websites hosted on Google's platform - appspot.com for example.

I assume Google is not running TOR nodes, and looking back over previous release notes I see PAN-OS has had trouble identifying TOR in the past. 

(irrelevant fields removed):

Session ID  3133462
Type  deny
Action  deny
Application  tor
Rule  Bittorrent and TOR
Category  web-advertisements
IP Protocol  tcp
Bytes  2,665
Bytes Received  2,119
Bytes Sent  546
Repeat Count  1
Packets  9
Packets Received  4
Packets Sent  5
Source address  x.x.x.x
Source Port  1342
Source Zone  trust
Destination address  74.125.24.155
Destination Country  US
Destination Port  443
Destination Zone  untrust

Anyone else seen this?

Liam.LL

2 REPLIES 2

L3 Networker

This is a  Tor Brouser and usually used to safely browse the Internet. (anonymity over 443 port)

L5 Sessionator

This could be due to either  caching of the IP + dest Port  for app: Bittorrent and TOR or session prediction .

1>Check the traffic Logs for Dest:74.125.24.155and destination-port 443 to see if any SSL application was seen.<<--To gauge if there was any SSL sent to this destination.

2> Check if there are any Predict sessions:

>show session all filter destination 74.125.24.155 destination-port 443 type predict

3>To clear the prediction:

>clear session all filter destination 74.125.24.155 destination-port 443 type predict

4>Check the status of appid cache.

> show running application setting

Application setting:

==>Application cache             : yes


5>If the app cache is yes, Try turning  off the app cache :

> set application cache no

optional:To turn on  app-cache

> set application cache no


Let me know if this helps.

Regards,

Ameya

  • 2352 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!