Description
This article describes how to block users on the network who use the Tor browser from accessing the Internet.
Scope
FortiGate.
Solution
The Tor network allows users to browse the Internet anonymously by bouncing traffic around a distributed network of relays located around the world.
Observers are unable to determine the source and destination of Tor traffic since it does not take a direct route from source to destination.
This document uses the default application control signatures for the Tor client and web-based Tor.
These signatures only match unmodified versions of the Tor application.
- Enabling Application Control: Go to System -> Feature Select and ensure that 'Application Control' is enabled.
- Blocking Tor traffic in 'Application Control' using the default profile: Go to Security Profiles -> Application Control to edit the default profile. Under 'Application Overrides', select 'Add Signatures'.
Filter by Category: Proxy and Name: Tor to search for Tor.
Two signatures will appear: one for the web-based Tor usage and one for the Tor client.
Highlight both signatures and select 'Use Selected Signatures'.
Both signatures now appear in the 'Application Overrides' list, with the 'Action' set to 'Block'.
- Adding application control to the security policy: Go to Policy & Objects -> IPv4 Policy to edit the policy that allows connections from the internal network to the Internet. Set Source to 'all'.
Under the Security Profiles heading, enable 'Application Control' and use the default profile.
Enable SSL Inspection and use 'deep-inspection'.
Using the 'deep-inspection' profile causes certificate errors.
Results.
Browse the Internet using the Tor browser.
The Tor browser will be blocked.
Go to Log & Report -> Application Control.
Tor traffic has been blocked.
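To go beyond a visual check of the log page, the following added example (not part of the original article and not Fortinet tooling) summarizes exported application control log lines per source address and flags any Tor match whose action was not 'block', which usually points to a policy that lacks the profile. The log lines are constructed, and the field names (subtype, app, action, srcip) and the signature names 'Tor' and 'Tor.Web.Proxy' are assumptions about the export format.

```python
import re
from collections import Counter

# Constructed sample lines in key=value log style (not real traffic).
SAMPLE_LOG = '''\
date=2024-01-10 time=09:14:02 type="utm" subtype="app-ctrl" srcip=10.0.1.23 dstip=198.51.100.7 dstport=9001 appcat="Proxy" app="Tor" action="block" msg="Proxy: Tor,"
date=2024-01-10 time=09:14:05 type="utm" subtype="app-ctrl" srcip=10.0.1.23 dstip=198.51.100.9 dstport=443 appcat="Proxy" app="Tor" action="block" msg="Proxy: Tor,"
date=2024-01-10 time=09:15:40 type="utm" subtype="app-ctrl" srcip=10.0.1.57 dstip=203.0.113.20 dstport=443 appcat="Proxy" app="Tor.Web.Proxy" action="block" msg="Proxy: Tor.Web.Proxy,"
date=2024-01-10 time=09:16:11 type="utm" subtype="app-ctrl" srcip=10.0.1.88 dstip=203.0.113.44 dstport=443 appcat="Video/Audio" app="YouTube" action="pass" msg="Video/Audio: YouTube,"
date=2024-01-10 time=09:17:30 type="utm" subtype="app-ctrl" srcip=10.0.1.91 dstip=198.51.100.7 dstport=9001 appcat="Proxy" app="Tor" action="pass" msg="Proxy: Tor,"
date=2024-01-10 time=09:18:00 type="traffic" subtype="forward" srcip=10.0.1.23 dstip=192.0.2.5 dstport=80 action="accept"
'''

# key=value pairs; a value is either "quoted text" or a bare token.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumed signature naming: "Tor" or "Tor.<variant>" (does not match e.g. "Torrent").
TOR_APP = re.compile(r'^Tor(\.|$)')

def parse_line(line):
    """Turn one key=value log line into a dict, unquoting quoted values."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def tor_events(log_text):
    """Yield application control records whose app field is a Tor signature."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("subtype") == "app-ctrl" and TOR_APP.match(rec.get("app", "")):
            yield rec

def summarize(log_text):
    """Return (blocked count per source IP, list of Tor matches not blocked)."""
    blocked, not_blocked = Counter(), []
    for rec in tor_events(log_text):
        src = rec.get("srcip", "unknown")
        if rec.get("action") == "block":
            blocked[src] += 1
        else:
            # Tor was identified but allowed: review the policy this host hit.
            not_blocked.append((src, rec.get("app"), rec.get("action")))
    return blocked, not_blocked

if __name__ == "__main__":
    blocked, not_blocked = summarize(SAMPLE_LOG)
    for ip, count in blocked.most_common():
        print(f"{ip}: {count} blocked Tor session(s)")
    for ip, app, action in not_blocked:
        print(f"CHECK POLICY: {ip} matched {app} with action={action}")
```

Hosts that never appear in this summary are not proven clean, since the signatures only match unmodified versions of the Tor application.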
Related article:
Technical Tip: Blocking and monitoring Tor traffic