Block Tor application traffic.


Hi

We are planning to block Tor application traffic on our PA device. Do we need to write a security policy in both directions? Please also share the steps to block the traffic on the Palo Alto device.

Thanks,

Yusuf

@Yusuf_PA

It depends on the traffic flow. If the traffic is initiated from a user inside the network, then you only need to block the application in a security rule for traffic from inside to outside.

If you have some Internet-facing servers that users access from the Internet, and it is using port 443, then you need to block the application in a security rule from outside to inside.

You also need to enable SSL decryption for this if it is using port 443.

Regards

MP

Hi @MP18

"If you have some Internet facing servers and users access from Internet to access that and it is using port 443 then you need to block the application in security rule from outside to inside."

This sounds a little confusing. From external you probably won't detect traffic coming from TOR exit nodes, or do you mean when there is a TOR node behind the Palo Alto firewall that is publicly available?

Thanks MP18 and Vsys_remo

I would like to know how to write the policy from the untrust to trust zone and what the source address would be.

Trust to untrust zone:

[screenshot: TOR.png]

Thanks

@Remo

"do you mean when there is a TOR node behind the paloalto firewall that is publicly available?"

Yes, I mean this.

MP

@Yusuf_PA

Do you have any web servers which are public facing?

If yes, then you need a security policy from untrust with source address any to the public IP of the web servers.

Source Zone - Untrust

Destination Zone - Where your web servers reside.

Be careful when you do this, as we do not know your environment.

MP

Thanks MP

While writing the security policy from zone untrust to trust, can we use an EDL (External Dynamic List) as the source address instead of any?

The following web server (https://panwdbl.appspot.com/lists/ettor.txt) contains a list of Tor exit nodes.

@Yusuf_PA

Yes, you can use the EDL as the source address instead of any; the destination address is then whatever you want to protect in your network, like servers etc.

Regards

MP

Hello,

Another thing I would add are additional policies that block on Application detection. That way, if there are new TOR exit nodes and you don't have the changes, you'll still block the traffic.

[screenshot: OtakarKlier_0-1594067916021.png]

Hope that helps.
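To make the combined advice in this thread concrete (MP18's two-direction rules, the EDL as source address, and OtakarKlier's App-ID-based fallback), here is an added example that models the resulting rulebase in Python. It is not code from this thread or from Palo Alto Networks: the zone names (trust/untrust), the web server address, the App-ID names used ("tor", "web-browsing", "ssl") and the sample EDL contents are all assumptions chosen for the demo, and the EDL text is constructed in the one-entry-per-line form an IP-type list is fetched as, using RFC 5737 documentation addresses rather than real exit nodes. The parser drops malformed lines instead of aborting, and the evaluator applies rules top-down with first match wins and an implicit interzone deny, which is how a PAN-OS rulebase behaves.

```python
"""Model of the two-direction Tor blocking rulebase discussed in this thread.

Constructed example; nothing here is Palo Alto Networks code. Zone names,
addresses and the sample EDL contents are assumptions chosen for the demo.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Union

# Constructed sample in the one-entry-per-line form an IP-type EDL is fetched as.
# RFC 5737 documentation addresses, NOT real Tor exit nodes.
SAMPLE_EDL = """\
# tor exit nodes (constructed sample, not the contents of panwdbl.appspot.com)
198.51.100.7
198.51.100.0/28
203.0.113.200
this-is-not-an-ip
"""

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_edl(text: str) -> List[Net]:
    """Parse an IP-type EDL: one IP or CIDR per line, '#' comments and blank
    lines skipped. Malformed entries are dropped rather than aborting, so one
    bad line from the feed cannot take the whole block rule out of service."""
    nets: List[Net] = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue
    return nets


def _addr_in(ip: str, nets: Optional[List[Net]]) -> bool:
    """None means 'any'; otherwise the address must fall inside one of the networks."""
    if nets is None:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    action: str                       # "allow" or "deny"
    src: Optional[List[Net]] = None   # None == any (an EDL is just a list of networks)
    dst: Optional[List[Net]] = None
    apps: Optional[Set[str]] = None   # App-ID names; None == any

    def matches(self, s: dict) -> bool:
        return (self.from_zone == s["from_zone"] and self.to_zone == s["to_zone"]
                and _addr_in(s["src"], self.src) and _addr_in(s["dst"], self.dst)
                and (self.apps is None or s["app"] in self.apps))


def evaluate(rules: List[Rule], session: dict):
    """Top-down first match, as in a PAN-OS rulebase. Interzone traffic that
    matches nothing lands on the implicit interzone-default deny."""
    for rule in rules:
        if rule.matches(session):
            return rule.name, rule.action
    return "interzone-default", "deny"


TOR_EXIT_EDL = parse_edl(SAMPLE_EDL)
WEB_SERVERS = [ipaddress.ip_network("203.0.113.10/32")]   # assumed public web server

RULEBASE = [
    # Direction 1 (MP18): users inside must not reach the Tor network.
    Rule("block-tor-outbound", "trust", "untrust", "deny", apps={"tor"}),
    Rule("allow-outbound", "trust", "untrust", "allow"),
    # Direction 2, EDL-based: known exit nodes may not touch the public servers.
    Rule("block-tor-exit-inbound", "untrust", "trust", "deny",
         src=TOR_EXIT_EDL, dst=WEB_SERVERS),
    # Direction 2, App-ID-based (OtakarKlier): Tor protocol to any inside host,
    # e.g. a relay someone stood up behind the firewall, is blocked whether or
    # not the peer is on the list yet.
    Rule("block-tor-app-inbound", "untrust", "trust", "deny", apps={"tor"}),
    Rule("allow-web-inbound", "untrust", "trust", "allow",
         dst=WEB_SERVERS, apps={"web-browsing", "ssl"}),
]


def decide(session: dict):
    return evaluate(RULEBASE, session)


def sess(from_zone, to_zone, src, dst, app) -> dict:
    return {"from_zone": from_zone, "to_zone": to_zone, "src": src, "dst": dst, "app": app}


if __name__ == "__main__":
    for s in [
        sess("trust", "untrust", "10.0.0.20", "192.0.2.5", "tor"),
        sess("trust", "untrust", "10.0.0.20", "192.0.2.5", "web-browsing"),
        sess("untrust", "trust", "198.51.100.9", "203.0.113.10", "web-browsing"),
        sess("untrust", "trust", "192.0.2.77", "203.0.113.10", "ssl"),
        sess("untrust", "trust", "192.0.2.77", "10.0.0.5", "tor"),
        sess("untrust", "trust", "192.0.2.77", "203.0.113.10", "ssh"),
    ]:
        print(s["src"], "->", s["dst"], s["app"], "=>", decide(s))
```

Two things the model makes visible that the thread only implies: a known exit node reaching a public web server shows up as ordinary web-browsing or ssl, so only the EDL rule catches it, while the App-ID rule catches the Tor protocol itself, which is what an inside host would speak if it were acting as a relay (the case Remo asked about). Both rules are needed for the inbound direction, and the EDL rule must sit above the inbound allow rule or it never fires.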

Thanks MP18,

 

I will try the same as you mentioned.
