This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
Rule to block TOR Application blocks all traffic directed to Internet
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- Discussions
- General Topics
- Rule to block TOR Application blocks all traffic directed to Internet
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Rule to block TOR Application blocks all traffic directed to Internet
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-19-2016 05:32 AM
Hello Community,
we have an issue when we try to block TOR application. We do a rule like the image reported below and put it on top of the rulebase:
But it seems that all Internet traffic is dropped by the rule named "Tor_Blocking".
We see the Application is "Not-Applicable" on all log files. It seems PaloAlto cannot resolve properly the Applications involved.
At the moment we are not using SSL Decryption and we have PANOS 7.0.6 and Application Version 584-3342 on a cluster of PA-5060 appliances.
Do you have any idea to resolve this issue?
Let me know if you need any other information.
Thanks in advance.
Jacopo
12 REPLIES 12
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-21-2016 08:19 AM
Im not sure why you're seeing this behavior. We have a similar rule and it works fine. Only difference is we have it set to App-Default for Service. Which should be fine because its "Standard Ports" are TCP/dynamic. You should give that a try.
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-22-2016 05:02 AM
Hi @jambulo,
I'll ask customer to set application default as "service" and i'll update you.
What version of PANOS are you using?
Thanks.
Jacopo.
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-23-2016 05:22 AM
I'd also recommend changing the source zone from 'any' to 'trust' and instead of setting the negate for rfc-1918, to simply set the destination netwrok to 'any' (as there should not be any rfc-1918 ip addresses upstream and your ISP should drop these anyway)
Tom Piens
PANgurus - SASE and Strata specialist; (co)managed services, VAR and consultancy
PANgurus - SASE and Strata specialist; (co)managed services, VAR and consultancy
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-23-2016 08:47 AM
Hi All,
customer will try to change the rule in the next few days. I'll update you as soon as possible.
Thanks,
Jacopo.
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-24-2016 01:41 AM
Can you confirm that you have for example port 80 open somewhere in policy and that TOR rule blocks traffinc on that port anyway?
Even if it works with service set to application-default (which is all ports anyway in this case) I still think something is broken here and PA should be notified.
Related Content
- Traffic getting hits on non-allowed URLs in General Topics
- Block All Internet Web-Browsing But Allow MS_UPDATES in Panorama Discussions
- Outlook web excessive bandwidth usage in Next-Generation Firewall Discussions
- Application incomplete or insufficient-data when using NNTPS in Next-Generation Firewall Discussions
- NAT rule in Next-Generation Firewall Discussions
Like what you see?
Show your appreciation!
Click Like if a post is helpful to you or if you just want to show your support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks