12-14-2015 08:23 AM - edited 03-12-2019 05:50 AM
Dear friends,
I have a system comprised of an ASA FirePOWER version 5.4.0.5 and a FireSIGHT 6.0.0 (running on top of VMware). I installed the latest patch (patch 4).
I configured an access policy including URL Filtering (it's correctly licensed). I can see many URLs being filtered out of my traffic. However, even with the "Tor_exit_node" inside the policy (please check the attached screenshot), I get successful connections from the users, checked on the users' computers themselves.
So, what else must be done to get this working?
Thank you,
Mauricio Harley
12-14-2015 09:31 AM
Hi.
The IP addresses of known TOR exit nodes are included in the Security Intelligence feed.
You may block connections to these IP addresses by setting the category Tor_exit_node in
the blacklist column of your security intelligence settings for your applied access
control policy. Setting Any as the configured zone will block connections to and from
these IP addresses.
Policies --> Access Control --> Edit a policy --> Security Intelligence tab.
Regards,
Aastha Bhardwaj
Rate if that helps!!!
12-18-2015 03:03 AM
Hi,
One other thing to note: the feeds are TOR exit node IPs, not URLs, and not necessarily entry points.
I agree with the previous comment - the best option is the security intelligence block.
Regards,
Ed
09-25-2019 04:14 AM
Hello,
We did set up blocking of TOR and Tor directory services in application blocking. Still not working.
Is it necessary to add the security intelligence fields in detection or blocking mode?
Thank you!
09-25-2019 06:10 AM
@rick11 yes - add the SI section settings to block TOR effectively.
Policies > Access Control. Edit your ACP. On the Security Intelligence tab choose TOR Exit nodes from the network list and apply to Blacklist action. Save and deploy.
08-31-2022 01:21 AM
Is this solution still valid? I have tried it several times but am not able to block TOR. We're also facing a similar issue blocking Ultrasurf.
Thanks!
08-25-2023 08:17 AM
@Marvin Rhoads But how should we allow tor traffic for a legitimate web service hosted after fw while in SI tor_ext_node is Blocked?
08-25-2023 09:16 AM
@MSJ1 are you saying you have a legitimate web site that's being blocked since it's identified as a TOR exit node?
Generally speaking, we can manually whitelist specific addresses if the built-in categorization and SI update feed from Cisco Talos is incorrectly blocking an address.
If it's a site you host, then the incorrect categorization should be reported via the form at www.talosintelligence.com