Block Tor application traffic.

L1 Bithead

Hi

We are planning to block Tor application traffic on our PA device. Do we need to write a security policy in both directions? Please also share the steps to block the traffic on a Palo Alto device.

 

Thanks,

Yusuf

Cyber Elite

@Yusuf_PA 

It depends on the traffic flow. If the traffic is initiated by a user inside the network, then you only need to block the application in the security rule for traffic from inside to outside.

If you have some Internet-facing servers that users access from the Internet, and the traffic uses port 443, then you need to block the application in the security rule from outside to inside.

You also need to enable SSL decryption for this, as it is using port 443.

 

Regards

MP
Cyber Elite

Hi @MP18 

"If you have some Internet facing servers and users access from Internet to access that and it is using port 443 then you need to block the application in security rule from outside to inside."

This sounds a little confusing. From external you probably won't detect traffic coming from TOR exit nodes, or do you mean when there is a TOR node behind the Palo Alto firewall that is publicly available?

L1 Bithead

Thanks MP18 and Vsys_remo.

 

I would like to know how to write the policy from the untrust to the trust zone, and what the source address would be.

Trust to untrust zone: [screenshot TOR.png]

Thanks

Cyber Elite

@vsys_remo 

"do you mean when there is a TOR node behind the paloalto firewall that is publicly available?"

Yes, I mean this.


MP
Cyber Elite

@Yusuf_PA 

Do you have any web servers which are public-facing?

If yes, then you need a security policy from untrust with source address any to the public IP of the web servers.

Source Zone - Untrust

Destination Zone - where your web servers reside.

 

Be careful when you do this as we do not know your environment.


MP
L1 Bithead

Thanks MP

While writing the security policy from zone untrust to trust, can we use an EDL (External Dynamic List) as the source address instead of any?

 

The following web-server (https://panwdbl.appspot.com/lists/ettor.txt) contains a list of Tor exit nodes.

Cyber Elite

@Yusuf_PA 

Yes, you can use the EDL as the source address instead of any; the destination address is then whatever you want to protect in your network, like servers etc.

 

Regards

MP
Cyber Elite

Hello,

Another thing I would add is additional policies that block on application detection. That way, if there are new TOR exit nodes and you don't have the changes yet, you'll still block the traffic.

[screenshot OtakarKlier_0-1594067916021.png: application-based block rules]

Hope that helps.
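To illustrate how the EDL-based inbound rule and the application-based rules in both directions discussed in this thread combine, here is an added example that is not part of the original thread or of Palo Alto's own software. It parses a constructed EDL in the same plain-text form as the ettor.txt list (one IP or CIDR per line) and runs a simplified first-match rulebase over sample sessions; the rule names, the session fields and the "app" value "tor" standing in for the App-ID result are assumptions made for the example.

```python
import ipaddress

# Constructed sample EDL, not the real ettor.txt list. EDL text lists one IP
# or CIDR per line; blank lines and "#" comments are ignored.
SAMPLE_EDL = """
# constructed Tor exit node list for illustration
198.51.100.10
203.0.113.0/28
"""


def parse_edl(text):
    """Parse an IP-type EDL into a list of ip_network objects."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def in_edl(ip, nets):
    """True if the address falls inside any entry of the parsed EDL."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def build_rules(tor_nets):
    """Hypothetical rulebase mirroring the thread's advice (ordered, first match wins).
    src_match is a predicate on the source IP; app None means any application."""
    anyone = lambda ip: True
    return [
        {"name": "deny-tor-exit-inbound", "from": "untrust", "to": "trust",
         "src_match": lambda ip: in_edl(ip, tor_nets), "app": None, "action": "deny"},
        {"name": "deny-tor-app-outbound", "from": "trust", "to": "untrust",
         "src_match": anyone, "app": "tor", "action": "deny"},
        {"name": "deny-tor-app-inbound", "from": "untrust", "to": "trust",
         "src_match": anyone, "app": "tor", "action": "deny"},
        {"name": "allow-web-inbound", "from": "untrust", "to": "trust",
         "src_match": anyone, "app": "web-browsing", "action": "allow"},
        {"name": "allow-outbound", "from": "trust", "to": "untrust",
         "src_match": anyone, "app": None, "action": "allow"},
    ]


def evaluate(rules, session):
    """Return (rule name, action) of the first matching rule; default deny."""
    for r in rules:
        if (r["from"] == session["from"] and r["to"] == session["to"]
                and r["src_match"](session["src"])
                and (r["app"] is None or r["app"] == session["app"])):
            return r["name"], r["action"]
    return "default", "deny"
```

A source on the list is dropped inbound whatever its application, while a node that is not yet on the list is still caught by the application-based rule, which is the point made in the last reply.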
