FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
avarga
Staff
Staff
Description
This article provides information concerning the monitoring and blocking of the Tor browser application.

For example you want to allow one user to use the Tor browser application for web traffic, while monitoring the user’s activity.  Use of the Tor browser will be blocked for all other users.

The Tor browser allows users to bounce communication traffic around a distributed network of relays located around the world.  For more information about Tor, check out the Fortinet blog entry : http://blog.fortinet.com/post/5-1-2-things-to-know-about-the-tor-browser-and-your-network

We will use as example the default application control signatures for the Tor client and web-based Tor.

These signatures will only match unmodified versions of the Tor application.  Also, if a Tor session has already been established prior to connecting to the network, it may take up to 10 minutes before the FortiGate is able to monitor or block the traffic.  For example, two user accounts, X and Y, have already been configured.


Solution
1. Enabling Application Control and multiple security profiles

Go to System > Config > Features and ensure that Application Control is turned on.

Select Show More and enable Multiple Security Profiles.

Apply the changes.


2. Blocking Tor traffic using the default profile

Go to Security Profiles > Application Control and edit the default profile.

Under Application Overrides, select Add Signatures.

Search for Tor, then filter the results to show only the Proxy category.  Two signatures will appear: one for the Tor client and one for web-based Tor use.

Highlight both signatures, and select Use Selected Signatures.

Both signatures now appear in the Application Overrides list, with the Action set to Block.


3. Creating a profile that monitors Tor traffic

Go to Security Profiles > Application Control and create a new profile.  Under Application Overrides, select Add Signatures.

Search for and highlight both signatures, and select Use Selected Signatures.

In the Application Overrides list, double-click on the Action for each profile, and set it to Monitor.


4. Adding the application control profiles to your security policies

Go to Policy & Objects > Policy > IPv4 and edit the policy that allows connections from the internal network to the Internet. Make sure the user jack is included in the Source User(s).

Under Security Profiles, turn on Application Control and use the default profile.

Create a second policy allowing connections from the internal network to the Internet.  Set Source User(s) to Y.

Under Security Profiles, turn on Application Control and use the profile that will monitor Tor traffic.

Go to Policy & Objects > Policy > IPv4 and view the policy list.

It is best to place more narrowly defined policies at the top of the list.  In this case, the policy that monitors Tor is the most narrowly defined, because it is likely that less people will be using it than the policy that blocks Tor.

To rearrange the policies, select the column on the far left (Seq.#) and drag the policy to the desired position.


5. Results

The  Tor  browser cannot be used for user authentication, so use a different browser to authenticate using Y‘s credentials.

Browse the Internet using the Tor browser.  You will be able to connect to the Internet.

Go to System > FortiView > Applications and select the now view.

You will see a listing for the Tor traffic.

If you double-click on the listing, you can view more information about this traffic, including detailed information on the sessions.     

Go to User & Device > Monitor > Firewall. Select the Y account and select De-authenticate.

Go to System > FortiView > Applications and select the now view.

You will see that Tor traffic has been blocked.

Related Articles

Preventing Tor use

Contributors