For details on cookie usage on our site, read our Privacy Policy
Rule to block TOR Application blocks all traffic directed to Internet
- LIVEcommunity
- Discussions
- General Topics
- Rule to block TOR Application blocks all traffic directed to Internet
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Rule to block TOR Application blocks all traffic directed to Internet
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-19-2016 05:32 AM
Hello Community,
we have an issue when we try to block TOR application. We do a rule like the image reported below and put it on top of the rulebase:
But it seems that all Internet traffic is dropped by the rule named "Tor_Blocking".
We see the Application is "Not-Applicable" on all log files. It seems PaloAlto cannot resolve properly the Applications involved.
At the moment we are not using SSL Decryption and we have PANOS 7.0.6 and Application Version 584-3342 on a cluster of PA-5060 appliances.
Do you have any idea to resolve this issue?
Let me know if you need any other information.
Thanks in advance.
Jacopo
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-24-2016 02:36 AM
the destination port is 5671, the session id is 0 and the associated log is interzone-default (at the bottom of the log screenshot): this session is being dropped because there is no application rule that allows this traffic, but the tcp handshake is being allowed because the service in the TOR policy is set to any instead of application-default, that is also why the log is showing up because that rule has logging enabled
PANgurus - SASE and Strata specialist; (co)managed services, VAR and consultancy
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-24-2016 02:49 AM
Yes, I know this session was port 5671. But he said all traffic to internet stops. So i was asking about a port 80 which is more likely to be allowed somewhere than port 5671.
TCP handshake didn't go through in this case as only 1 packet was seen, most likely SYN.
Application default port for TOR is TCP/dynamic. So no matter what the service setting is in the rule, PA will have to allow all TCP ports.
Ok, i didn't notice "interzone-default" in related logs so far. But even if this is a connection related to one of the sessions correctly recognised as TOR and dropped, it still doesn't explain why all traffic to internet stops.
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-24-2016 03:45 AM
if the session was identified as Tor, the log should also indicate that... a show counter global could be useful to see if there is a system level drop reason, maybe a LAND attack due to some NAT rule we're not aware of... I tried replicating the config in my lab but can't get it to break
PANgurus - SASE and Strata specialist; (co)managed services, VAR and consultancy
- Traffic getting hits on non-allowed URLs in General Topics
- Cannot ping interface, IP or defaul gateway from PA 500 to Cisco switch in General Topics
- Block All Internet Web-Browsing But Allow MS_UPDATES in Panorama Discussions
- Outlook web excessive bandwidth usage in Next-Generation Firewall Discussions
- Application incomplete or insufficient-data when using NNTPS in Next-Generation Firewall Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
