07-03-2020 11:33 AM
Hi
We are planning to block Tor application traffic on our PA device, so do we need to write a security policy in both directions? Please also share the steps to block the traffic on a Palo Alto device.
Thanks,
Yusuf
07-03-2020 09:47 PM - edited 07-03-2020 09:47 PM
It depends on the traffic flow. If the traffic is initiated by a user inside the network, then you only need to block the application in the security rule for traffic from inside to outside.
If you have some Internet-facing servers and users access them from the Internet on port 443, then you need to block the application in the security rule from outside to inside.
Also, you need to enable SSL decryption for this, as it is using port 443.
Regards
07-04-2020 01:39 PM
Hi @MP18
"If you have some Internet facing servers and users access from Internet to access that and it is using port 443 then you need to block the application in security rule from outside to inside."
This sounds a little confusing. From external you probably won't detect traffic coming from TOR exit nodes, or do you mean when there is a TOR node behind the Palo Alto firewall that is publicly available?
07-04-2020 01:42 PM
Hi @Yusuf_PA
Some help about blocking TOR you can find here: https://live.paloaltonetworks.com/t5/featured-articles/how-to-block-tor-the-onion-router/ta-p/177648
07-04-2020 06:06 PM
Thanks MP18 and Vsys_remo
I would like to know how to write the policy from the untrust to the trust zone and what the source address would be.
Trust to untrust Zone
Thanks
07-04-2020 07:20 PM
do you mean when there is a TOR node behind the paloalto firewall that is publicly available?
Yes, I mean this.
07-04-2020 07:28 PM
Do you have any web servers which are public-facing?
If yes, then you need a security policy from untrust, with source address any, to the public IP of the web servers.
Source Zone Untrust
Destination Zone - Where your web servers reside.
Be careful when you do this as we do not know your environment.
07-04-2020 08:20 PM
Thanks MP
While writing the security policy from zone untrust to trust, can we use an EDL (External Dynamic List) as the source address instead of any?
The following web-server (https://panwdbl.appspot.com/lists/ettor.txt) contains a list of Tor exit nodes.
07-06-2020 06:34 AM
Yes, you can use an EDL as the source address instead of any; the destination address is then whatever you want to protect in your network, like servers, etc.
Regards
07-06-2020 01:38 PM
Hello,
Another thing I would add is additional policies that block on application detection. That way, if there are new TOR exit nodes and you don't have the list changes yet, you'll still block the traffic.
Hope that helps.
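Pulling the three pieces of advice in this thread together (outbound App-ID block, inbound block sourced from the exit-node EDL, and an App-ID backstop for exit nodes the list does not have yet), here is what it looks like as PAN-OS CLI set commands. This is an added example, not code from any of the posters or from Palo Alto Networks' documentation. The zone names trust/untrust, the rule names, the EDL object name tor-exit-nodes, the address object web-servers and its IP (a TEST-NET-3 documentation address) are all assumptions; the EDL URL is the one quoted in the thread and tor is the real App-ID name. The attribute names (source-user, category, hip-profiles) are PAN-OS 9.x style, and the # lines are annotations for the reader, not CLI input.

```panos
configure

# 1. Outbound: block the Tor App-ID for sessions started inside the network.
set rulebase security rules block-tor-outbound from trust to untrust
set rulebase security rules block-tor-outbound source any destination any source-user any category any hip-profiles any
set rulebase security rules block-tor-outbound application tor service application-default
set rulebase security rules block-tor-outbound action deny log-end yes

# 2. Inbound: the exit-node EDL as the source, the public servers as the destination.
#    The firewall re-fetches the list on the recurring interval, so new nodes need no manual edit.
set external-list tor-exit-nodes type ip url https://panwdbl.appspot.com/lists/ettor.txt
set external-list tor-exit-nodes type ip recurring hourly
set address web-servers ip-netmask 203.0.113.10/32
set rulebase security rules block-tor-inbound from untrust to trust
set rulebase security rules block-tor-inbound source tor-exit-nodes destination web-servers source-user any category any hip-profiles any
set rulebase security rules block-tor-inbound application any service any
set rulebase security rules block-tor-inbound action deny log-end yes

# 3. Backstop: also deny on App-ID inbound, so an exit node not yet in the EDL is still blocked
#    once the firewall identifies the session as tor.
set rulebase security rules block-tor-inbound-appid from untrust to trust
set rulebase security rules block-tor-inbound-appid source any destination web-servers source-user any category any hip-profiles any
set rulebase security rules block-tor-inbound-appid application tor service any
set rulebase security rules block-tor-inbound-appid action deny log-end yes

# Deny rules are only effective above the allow rules for the same zone pair.
move rulebase security rules block-tor-outbound top
move rulebase security rules block-tor-inbound top
move rulebase security rules block-tor-inbound-appid top

commit
```

After the commit, `request system external-list refresh type ip name tor-exit-nodes` pulls the list immediately and `request system external-list show type ip name tor-exit-nodes` lets you confirm the entries actually loaded; an empty list here means the source rule matches nothing. The SSL decryption that MP18 mentions for the port 443 case is a separate decryption policy and is not part of this fragment.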
07-19-2020 02:10 AM
Thanks MP18,
I will try the same as you mentioned.