FirePOWER not blocking TOR (The Onion Router)

mauricioharley
Level 1

Dear friends,

I have a system comprised of an ASA FirePOWER version 5.4.0.5 and a FireSIGHT 6.0.0 (running on top of VMware). I installed the latest patch (patch 4).

I configured an access policy including URL Filtering (it's correctly licensed). I can see many URLs being filtered out of my traffic. However, even with the "Tor_exit_node" inside the policy (please, check the attached screenshot), I get successful connections from the users - checking on the users' computers themselves.

So, what else must be done to get this working?

Thank you,

Mauricio Harley

1 Accepted Solution

Aastha Bhardwaj
Cisco Employee

Hi.

The IP addresses of known TOR exit nodes are included in the Security Intelligence feed. You may block connections to these IP addresses by setting the category Tor_exit_node in the blacklist column of your security intelligence settings for your applied access control policy. Setting Any as the configured zone will block connections to and from these IP addresses.

Policies --> Access Control --> Edit a policy --> Security Intelligence tab.

Regards,

Aastha Bhardwaj

Rate if that helps!!!


7 Replies

ed.sherratt
Level 1

Hi,

One other thing to note the feeds are TOR exit nodes IPs not URLs, and not necessarily entry points.

I agree with the previous comment - the best option is the security intelligence block.

Regards,
Ed

Hello,

We did set up application blocking for TOR and Tor directory services. Still not working.


Is it necessary to add the security intelligence fields in detection or blocking mode?


Thank you!

@rick11 yes - add the SI section settings to block TOR effectively.

Policies > Access Control. Edit your ACP. On the Security Intelligence tab choose TOR Exit nodes from the network list and apply to Blacklist action. Save and deploy.


Is this solution still valid? I have tried it several times but am not able to block TOR. We're also facing a similar issue blocking Ultrasurf.

Thanks!

@Marvin Rhoads But how should we allow Tor traffic for a legitimate web service hosted behind the FW while Tor_exit_node is blocked in SI?

@MSJ1 are you saying you have a legitimate web site that's being blocked since it's identified as a TOR exit node?

Generally speaking, we can manually whitelist specific addresses if the built-in categorization and SI update feed from Cisco Talos is incorrectly blocking an address.

If it's a site you host, then the incorrect categorization should be reported via the form at www.talosintelligence.com
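To make the Security Intelligence behaviour discussed in this thread concrete (the feed is a list of exit-node IPs, not URLs; zone Any blocks flows to and from those IPs; a manually whitelisted address overrides the blacklist), here is an added Python model of that evaluation. It is not Cisco code and not how the appliance is implemented; the feed entries, whitelist and connection events are constructed documentation-range values, and the zone Any / whitelist-precedence semantics are assumptions taken from the answers above.

```python
import ipaddress

# Constructed sample SI feed for the Tor_exit_node category (documentation-range
# addresses, not real exit nodes). Entries may be single hosts or CIDR blocks.
TOR_EXIT_NODE_FEED = ["198.51.100.7", "203.0.113.44", "203.0.113.0/28"]

# Constructed manual whitelist: a legitimately hosted address the feed mis-categorised.
WHITELIST = ["203.0.113.5"]

# Constructed connection events (src, dst, requested URL) as a connection log might show.
EVENTS = [
    {"src": "10.0.0.5", "dst": "198.51.100.7", "url": "https://example.net/"},
    {"src": "203.0.113.44", "dst": "10.0.0.9", "url": None},
    {"src": "10.0.0.5", "dst": "203.0.113.5", "url": "https://my-site.example/"},
    {"src": "10.0.0.5", "dst": "192.0.2.10", "url": "https://example.org/"},
]


def _networks(entries):
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def _first_match(ip, nets):
    addr = ipaddress.ip_address(ip)
    return next((str(n) for n in nets if addr in n), None)


def si_verdict(src, dst, blacklist, whitelist):
    """Return ('allow' | 'block', matched blacklist entry or None).

    Assumed zone 'Any' semantics: either endpoint in the blacklist blocks the flow,
    regardless of direction. A whitelist hit on that endpoint overrides the blacklist,
    modelling the manual exemption described in the thread.
    """
    for ip in (src, dst):
        if _first_match(ip, whitelist):
            continue  # exempted address: SI never blocks on it
        hit = _first_match(ip, blacklist)
        if hit:
            return "block", hit
    return "allow", None


def evaluate(events, feed=TOR_EXIT_NODE_FEED, whitelist=WHITELIST):
    bl, wl = _networks(feed), _networks(whitelist)
    # The URL field is deliberately ignored: SI decides on IP endpoints only,
    # which is why URL Filtering alone did not stop these connections.
    return [si_verdict(e["src"], e["dst"], bl, wl)[0] for e in events]


if __name__ == "__main__":
    for ev, verdict in zip(EVENTS, evaluate(EVENTS)):
        print(f"{ev['src']} -> {ev['dst']}: {verdict}")
```

The third event is inside the blacklisted /28 yet allowed because of the whitelist; drop the whitelist and it is blocked.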
