topic Block Tor traffic completely on R80.40 gateways in Firewall and Security Management

Block Tor traffic completely on R80.40 gateways

Stefan_Schmidt — Thu, 24 Jun 2021 10:49:57 GMT

Hello,

does oneone have a solution for blocking tor traffic completely on R80.40 gateways?

I have followed the steps decribed in sk103154 "How to block traffic coming from known malicious IP addresses" but I am still able to connect to the TOR network by using the "Tor is censored in my country - select a built in bridge: meek-azure (works in China)" feature of the TOR browser.

Thank you

regards

Stefan

Re: Block Tor traffic completely on R80.40 gateways

PhoneBoy — Thu, 24 Jun 2021 15:33:00 GMT

I recommend engaging with the TAC on this.
That said, it's possible this mechanism might also block legitimate uses of Azure, which is possibly why this is still allowed.

Re: Block Tor traffic completely on R80.40 gateways

Benedikt_Weissl — Thu, 24 Jun 2021 16:05:35 GMT

You need HTTPS Inspection to fully block TOR

Re: Block Tor traffic completely on R80.40 gateways

Stefan_Schmidt — Fri, 25 Jun 2021 06:26:42 GMT

what should the HTTPS inspection rule look like that you have in mind? Thank you

Re: Block Tor traffic completely on R80.40 gateways

Benedikt_Weissl — Fri, 25 Jun 2021 06:55:38 GMT

It was matched by the catch-all rule, the rulebase in my lab (and also productive enviroment) is structered so that bypass rules come first, the rest is matched by a catch-all rule.

Re: Block Tor traffic completely on R80.40 gateways

Bob_Zimmerman — Fri, 25 Jun 2021 14:23:29 GMT

The directions in that article describe how to block traffic coming from people who use TOR into your environment. It wouldn't have any effect at all on traffic from your users out.

To block traffic from your environment out to TOR, you will need HTTPS inspection and a rule blocking or rejecting the "Tor" (and probably "Invisible Browsing", "Tails", and "Tor2Web") application/site object.

Re: Block Tor traffic completely on R80.40 gateways

the_rock — Fri, 25 Jun 2021 18:34:58 GMT

Im not positive thats actually true...why would you need https inspection to block tor traffic?

Re: Block Tor traffic completely on R80.40 gateways

the_rock — Fri, 25 Jun 2021 19:19:12 GMT

Not sure if this makes sense, but if you have app control enabled, can you try add that application to be blocked?

Re: Block Tor traffic completely on R80.40 gateways

Stefan_Schmidt — Thu, 01 Jul 2021 11:43:25 GMT

Hello Bob,

I did all that now but I am still able to connect to the TOR network by using the "Tor is censored in my country - select a built in bridge: meek-azure (works in China)" feature of the TOR browser.

Re: Block Tor traffic completely on R80.40 gateways

Benedikt_Weissl — Thu, 01 Jul 2021 14:42:51 GMT

Since the traffic is encrypted and the AppControl pattern doesn't match if I choose the "Tor is censored in my country - select a built in bridge: meek-azure (works in China)"-option. At least in my lab enviroment, R81 gw and sms.

If i activate https inspection the tor browser won't connect anymore and a bypass is impossible.

Re: Block Tor traffic completely on R80.40 gateways

PhoneBoy — Thu, 01 Jul 2021 22:28:38 GMT

And that traffic may not look like Tor traffic.
Recommend a TAC case here.