This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Stefan_Schmidt
Participant
‎2021-06-24 03:49 AM

Block Tor traffic completely on R80.40 gateways

Hello,

does oneone have a solution for blocking tor traffic completely on R80.40 gateways?

I have followed the steps decribed in sk103154 "How to block traffic coming from known malicious IP addresses" but I am still able to connect to the TOR network by using the "Tor is censored in my country - select a built in bridge: meek-azure (works in China)" feature of the TOR browser.

Thank you

regards

Stefan

0 Kudos
10 Replies
PhoneBoy
Admin
Admin
‎2021-06-24 08:33 AM

I recommend engaging with the TAC on this.
That said, it's possible this mechanism might also block legitimate uses of Azure, which is possibly why this is still allowed.

0 Kudos
Benedikt_Weissl
Advisor
‎2021-06-24 09:05 AM

You need HTTPS Inspection to fully block TOR

0 Kudos
Stefan_Schmidt
Participant
‎2021-06-24 11:26 PM
In response to Benedikt_Weissl

what should the HTTPS inspection rule look like that you have in mind? Thank you

0 Kudos
Benedikt_Weissl
Advisor
‎2021-06-24 11:55 PM
In response to Stefan_Schmidt

It was matched by the catch-all rule, the rulebase in my lab (and also productive enviroment) is structered so that bypass rules come first, the rest is matched by a catch-all rule.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2021-06-25 11:34 AM
In response to Benedikt_Weissl

Im not positive thats actually true...why would you need https inspection to block tor traffic?

Best,
Andy
0 Kudos
Benedikt_Weissl
Advisor
‎2021-07-01 07:42 AM
In response to the_rock

Since the traffic is encrypted and the AppControl pattern doesn't match if I choose the "Tor is censored in my country - select a built in bridge: meek-azure (works in China)"-option. At least in my lab enviroment, R81 gw and sms.

If i activate https inspection the tor browser won't connect anymore and a bypass is impossible.

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2021-06-25 07:23 AM

The directions in that article describe how to block traffic coming from people who use TOR into your environment. It wouldn't have any effect at all on traffic from your users out.

To block traffic from your environment out to TOR, you will need HTTPS inspection and a rule blocking or rejecting the "Tor" (and probably "Invisible Browsing", "Tails", and "Tor2Web") application/site object.

0 Kudos
Stefan_Schmidt
Participant
‎2021-07-01 04:43 AM
In response to Bob_Zimmerman

Hello Bob,

I did all that now but I am still able to connect to the TOR network by using the "Tor is censored in my country - select a built in bridge: meek-azure (works in China)" feature of the TOR browser.

0 Kudos
PhoneBoy
Admin
Admin
‎2021-07-01 03:28 PM
In response to Stefan_Schmidt

And that traffic may not look like Tor traffic.
Recommend a TAC case here.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2021-06-25 12:19 PM

Not sure if this makes sense, but if you have app control enabled, can you try add that application to be blocked?

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events