mauricioharley
Beginner

FirePOWER not blocking TOR (The Onion Router)

Dear friends,

I have a system comprised of an ASA FirePOWER version 5.4.0.5 and a FireSIGHT 6.0.0 (running on top of VMware).  I installed the latest patch (patch 4).

I configured an access policy including URL Filtering (it's correctly licensed). I can see many URLs being filtered out of my traffic. However, even with the "Tor_exit_node" inside the policy (please check the attached screenshot), I get successful connections from the users - checking on the users' computers themselves.

So, what else must be done to get this working?

Thank you,

Mauricio Harley

1 ACCEPTED SOLUTION

Accepted Solutions
Aastha Bhardwaj
Cisco Employee

Hi.


The IP addresses of known TOR exit nodes are included in the Security Intelligence feed.
You may block connections to these IP addresses by setting the category Tor_exit_node in
the blacklist column of your security intelligence settings for your applied access
control policy. Setting Any as the configured zone will block connections to and from
these IP addresses.


Policies --> Access Control --> Edit a policy --> Security Intelligence tab.

Regards,

Aastha Bhardwaj

Rate if that helps!!!


4 REPLIES 4
ed.sherratt
Beginner

Hi,

One other thing to note: the feeds are TOR exit node IPs, not URLs, and not necessarily entry points.

I agree with the previous comment - the best option is the security intelligence block.

Regards,
Ed

Hello,

We did set up application blocking for TOR and Tor directory services. Still not working.

Is it necessary to add the security intelligence fields in detection or blocking mode?

Thank you!

Marvin Rhoads
VIP Community Legend

@rick11 yes - add the SI section settings to block TOR effectively.

Policies > Access Control. Edit your ACP. On the Security Intelligence tab choose TOR Exit nodes from the network list and apply to Blacklist action. Save and deploy.
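
The thread's point that the Security Intelligence category is a list of exit-node IP addresses (matched to and from with zone Any), not URLs and not necessarily entry points, shown as an added example that is not from any poster here and is not Cisco code. The addresses are constructed documentation-range values, and the entry-relay list and the flow record format are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: documentation-range addresses, not real relays.
EXIT_NODES = ["203.0.113.10", "203.0.113.77", "198.51.100.0/28"]
# Hypothetical entry (guard) relay addresses that an exit-node list omits.
ENTRY_NODES = ["192.0.2.45", "192.0.2.200"]
# Constructed flows in an assumed (source, destination, port) format.
CONNECTIONS = [
    ("10.1.1.20", "192.0.2.45", 9001),      # client to an entry relay
    ("10.1.1.21", "203.0.113.10", 443),     # client to a listed exit node
    ("198.51.100.5", "10.1.1.80", 443),     # inbound from a listed exit node
    ("10.1.1.22", "198.51.100.200", 443),   # unrelated traffic
]


def compile_networks(entries):
    """Parse single IPs and CIDR blocks into ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def in_list(addr, networks):
    """True if addr falls inside any network of the list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def classify(connections, exit_nodes, entry_nodes):
    """Label each flow the way an exit-node IP list with zone Any sees it.

    'exit_match' : source or destination is on the exit-node list
    'entry_only' : touches a known entry relay that the list does not contain
    'no_match'   : neither list applies
    """
    exits = compile_networks(exit_nodes)
    entries = compile_networks(entry_nodes)
    results = []
    for src, dst, port in connections:
        if in_list(src, exits) or in_list(dst, exits):
            verdict = "exit_match"
        elif in_list(src, entries) or in_list(dst, entries):
            verdict = "entry_only"
        else:
            verdict = "no_match"
        results.append((src, dst, port, verdict))
    return results


if __name__ == "__main__":
    for row in classify(CONNECTIONS, EXIT_NODES, ENTRY_NODES):
        print("%-15s -> %-15s port %-5d %s" % row)
```

Running the same comparison over exported connection events shows which flows the IP list accounts for and which need another control.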
