We are planning to block Tor application traffic in our PA device, so do we need to write a security policy in both directions? Also, please share the steps to block the traffic in a Palo Alto device.
It depends on the traffic flow. If the traffic is initiated from a user inside the network, then you only need to block the application in the security rule for traffic from inside to outside.
If you have some Internet-facing servers that users access from the Internet, and that traffic is using port 443, then you need to block the application in a security rule from outside to inside.
Also, you need to enable SSL decryption for this, since it is using port 443.
"If you have some Internet-facing servers that users access from the Internet, and that traffic is using port 443, then you need to block the application in a security rule from outside to inside."
This sounds a little confusing. From external you probably won't detect traffic coming from TOR exit nodes, or do you mean when there is a TOR node behind the Palo Alto firewall that is publicly available?
Do you have any web servers which are public-facing?
If yes, then you need a security policy from untrust having source address "any" to the public IP of the web servers.
Source Zone - Untrust
Destination Zone - Where your web servers reside.
Be careful when you do this, as we do not know your environment.
While writing the security policy from zone untrust to trust, can we use an EDL (External Dynamic List) as the source address instead of "any"?
The following web server (https://panwdbl.appspot.com/lists/ettor.txt) contains a list of Tor exit nodes.
Another thing I would add are additional policies that block on application detection. That way, if there are new TOR exit nodes and you don't have the changes yet, you'll still block the traffic.
Hope that helps.
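As an added worked example that is not part of the original thread and not Palo Alto's own tooling: the script below pulls together the three pieces discussed above (an EDL of Tor exit nodes as the source of an inbound deny rule, an outbound App-ID deny rule, and an inbound App-ID deny rule as a fallback for exit nodes the list has not caught up with). It parses an EDL-style text file, drops malformed lines so a bad entry does not silently shrink your list, and emits PAN-OS "set" commands. The EDL sample is constructed, the zone names `trust`/`untrust` and the rule names are assumptions, and the set-command syntax is written from memory of the PAN-OS 9/10 CLI, so verify it against your own version before pasting it into configure mode.

```python
import ipaddress

# Constructed sample of what an EDL text file looks like: one IP or CIDR per
# line, '#' comments and blank lines allowed. These are documentation ranges,
# not real Tor exit nodes.
SAMPLE_EDL = """\
# constructed sample, not real exit-node data
198.51.100.7
203.0.113.0/24
not-an-ip
2001:db8::10
"""

# Assumed URL of the exit-node list mentioned in the thread and an assumed
# object name for the EDL on the firewall.
EDL_URL = "https://panwdbl.appspot.com/lists/ettor.txt"
EDL_NAME = "tor-exit-nodes"


def parse_edl(text):
    """Return the valid IP/CIDR entries of an EDL-style list.

    Comments, blank lines and malformed entries are skipped; the firewall would
    also reject a malformed line, so catching it here tells you the list is
    smaller than you think before you rely on it for a deny rule.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False accepts host bits set in a CIDR (e.g. 10.0.0.5/24)
            entries.append(str(ipaddress.ip_network(line, strict=False)))
        except ValueError:
            continue  # malformed entry: drop it rather than crash
    return entries


def tor_block_rules(edl_name=EDL_NAME, edl_url=EDL_URL,
                    inside_zone="trust", outside_zone="untrust"):
    """Build PAN-OS set commands for the EDL object and three deny rules.

    Syntax is assumed from the PAN-OS 9/10 CLI; verify for your version.
    The deny rules must sit above any allow rule that would otherwise match.
    """
    rule = "set rulebase security rules {name} from {src} to {dst} " \
           "source {srcaddr} destination any application {app} " \
           "service {svc} action deny log-end yes"
    return [
        # External Dynamic List object, refreshed every five minutes
        f"set external-list {edl_name} type ip url {edl_url} recurring five-minute",
        # Outbound: users inside the network starting Tor sessions.
        # Without SSL decryption, App-ID may not recognise tor on port 443.
        rule.format(name="Block-Tor-App-Out", src=inside_zone, dst=outside_zone,
                    srcaddr="any", app="tor", svc="application-default"),
        # Inbound: known exit nodes from the EDL, regardless of application
        rule.format(name="Block-Tor-EDL-In", src=outside_zone, dst=inside_zone,
                    srcaddr=edl_name, app="any", svc="any"),
        # Inbound fallback: App-ID match for exit nodes not yet on the list
        rule.format(name="Block-Tor-App-In", src=outside_zone, dst=inside_zone,
                    srcaddr="any", app="tor", svc="any"),
    ]


if __name__ == "__main__":
    print("valid EDL entries:", parse_edl(SAMPLE_EDL))
    print("\n".join(tor_block_rules()))
```

Order matters on the firewall: place the three deny rules above your existing allow rules, and keep the EDL-based rule separate from the App-ID rules so you can see in the traffic log which mechanism caught a session (the `log-end yes` flag is what makes the deny visible there).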