This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

SSL traffic mis-identified as TOR

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

SSL traffic mis-identified as TOR

LCMember2860
L2 Linker

‎05-27-2013 07:29 AM

Hi,

Seeing over the last few days traffic going from our users (various different users in different locations) to IP addresses in Google's range (74.125.0.0/16) being identified as TOR, and subsequently blocked - traffic is all dest port 443.  This is preventing access to certain websites hosted on Google's platform - appspot.com for example.

I assume Google is not running TOR nodes, and looking back over previous release notes I see PAN-OS has had trouble identifying TOR in the past. 

(irrelevant fields removed):

Session ID  3133462
Type  deny
Action  deny
Application  tor
Rule  Bittorrent and TOR
Category  web-advertisements
IP Protocol  tcp
Bytes  2,665
Bytes Received  2,119
Bytes Sent  546
Repeat Count  1
Packets  9
Packets Received  4
Packets Sent  5
Source address  x.x.x.x
Source Port  1342
Source Zone  trust
Destination address  74.125.24.155
Destination Country  US
Destination Port  443
Destination Zone  untrust

Anyone else seen this?

Liam.LL

Labels:
0 Likes Likes
2 REPLIES 2

Oleksandr
L3 Networker

‎05-27-2013 02:50 PM

This is a  Tor Brouser and usually used to safely browse the Internet. (anonymity over 443 port)

0 Likes Likes

UhMayYeah
L5 Sessionator

‎05-27-2013 03:08 PM

This could be due to either  caching of the IP + dest Port  for app: Bittorrent and TOR or session prediction .

1>Check the traffic Logs for Dest:74.125.24.155and destination-port 443 to see if any SSL application was seen.<<--To gauge if there was any SSL sent to this destination.

2> Check if there are any Predict sessions:

>show session all filter destination 74.125.24.155 destination-port 443 type predict

3>To clear the prediction:

>clear session all filter destination 74.125.24.155 destination-port 443 type predict

4>Check the status of appid cache.

> show running application setting

Application setting:

==>Application cache             : yes


5>If the app cache is yes, Try turning  off the app cache :

> set application cache no

optional:To turn on  app-cache

> set application cache no


Let me know if this helps.

Regards,

Ameya

  • 2757 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks