FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jalejoFTNT
Staff
Article Id 316401
Description

This article describes how to block Tor connection requests.

Scope

FortiGate.

Solution

  1. Create a firewall policy:
    Go to Policy & Objects -> Firewall Policy and select Create New.
    Choose the Incoming/Outgoing interfaces.
    Enable the policy and place it at the top of the policy list.

  2. Create two Custom Application signatures.
    Go to Security Profiles -> Application Signatures and select Create New.
    Paste the following syntax into the Signature box and select OK.

    F-SBID( --name "Tor.meek.Custom"; --protocol tcp; --service HTTP; --flow from_client; --parsed_type HTTP_POST; --pattern "meek.azureedge.net"; --context host; --pattern "|16 03 01|"; --context body; --within 3,context; --pattern "|01|"; --context body; --distance 5,context; --within 1,context; --pattern "www."; --context body; --distance 121; --within 4; --pattern ".com"; --context body; --distance 0; --within 32; --app_cat 6; --weight 20; )


    For the second signature, go to Security Profiles -> Application Signatures and select Create New.
    Paste the following syntax into the Signature box and select OK.

    F-SBID( --attack_id 4446; --name "Tor.snowflake.Custom"; --protocol tcp; --service HTTP; --flow from_client; --parsed_type HTTP_POST; --pattern "1098762253.rsc.cdn77.org"; --context host; --pattern "/client"; --context uri; --app_cat 6; --weight 20; )

  3. Create a Custom Application Control profile.
    Go to Security Profiles -> Application Control and select Create New.
    In the Application and Filter Overrides section, select Create New.
    Ensure that Type is set to Application and Action is set to Block.
    In the Search box, type Tor and press Enter.
    In the Category column, filter by Proxy.
    Select the three Official Application Signatures Tor, Tor2web, and TorGuard, select Add Selected, and select OK.

  4. Add the Custom Application signatures to the Custom Application Control profile.
    Go to Security Profiles -> Application Control and edit the Custom Application Control profile.
    In the Application and Filter Overrides section, select Create New.
    Ensure that Type is set to Application and Action is set to Block.
    Select the two Custom Application Signatures, select Add Selected, and select OK.

  5. Change the inspection-mode on the Firewall Policy created.
    On the CLI, change the firewall policy inspection-mode to proxy:

    config firewall policy
        edit <ID FW Policy>
            set inspection-mode proxy
        next
    end

  6. Apply the Custom Application profile on the Firewall Policy created:

    [Screenshot: KB tor 4.png]

  7. Choose this Custom Application Profile on the new Firewall Policy.
    Choose an SSL/SSH profile with the full-inspection feature enabled.
    Note: When using an SSL/SSH full-inspection profile, it is necessary to install the certificate on the end device.

  8. When the Tor browser is used and its traffic matches the firewall policy created, block events appear as follows:

    [Screenshot: KB tor 5.png]

    The Tor browser does not progress from this state.

    [Screenshot: KB tor 6.png]
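
The byte offsets in the Tor.meek.Custom signature from step 2 can be checked offline against sample traffic. The following Python code is an added example, not part of the original article and not Fortinet's engine: it parses the signature text and applies its host and body patterns to a constructed HTTP POST. The helper names (`parse`, `matches`, `sample_body`), the sample host name and the reading of `--distance` as the window start and `--within` as the window width are assumptions.

```python
import re
# Signature text copied from step 2 of this page (Tor.meek.Custom).
SIG = ('F-SBID( --name "Tor.meek.Custom"; --protocol tcp; --service HTTP; '
       '--flow from_client; --parsed_type HTTP_POST; --pattern "meek.azureedge.net"; '
       '--context host; --pattern "|16 03 01|"; --context body; --within 3,context; '
       '--pattern "|01|"; --context body; --distance 5,context; --within 1,context; '
       '--pattern "www."; --context body; --distance 121; --within 4; '
       '--pattern ".com"; --context body; --distance 0; --within 32; '
       '--app_cat 6; --weight 20; )')

def parse(sig):
    """Return one dict per --pattern, holding the modifiers that follow it.
    "|16 03 01|" is hex notation; any other pattern text is literal."""
    rules = []
    for key, val in re.findall(r'--(\w+)\s*([^;]*);', sig):
        val = val.strip().strip('"')
        if key == "pattern":
            raw = re.sub(r"\|([0-9A-Fa-f ]+)\|",
                         lambda m: bytes.fromhex(m.group(1)).decode("latin-1"), val)
            rules.append({"pattern": raw.encode("latin-1")})
        elif rules and key in ("context", "distance", "within"):
            rules[-1][key] = val
    return rules

def matches(host, body, rules):
    """ASSUMED semantics: the window opens `distance` bytes after the reference
    (body start for ",context", else the previous match end) and is `within` wide."""
    end = 0  # end offset of the previous body match
    for r in rules:
        if r.get("context") == "host":
            if r["pattern"] not in host:
                return False
            continue
        dist, _, dref = r.get("distance", "0").partition(",")
        win, _, wref = r.get("within", "").partition(",")
        start = (0 if "context" in (dref, wref) else end) + int(dist)
        stop = start + int(win) if win else len(body)
        pos = body.find(r["pattern"], start, stop)  # whole pattern inside the window
        if pos < 0:
            return False
        end = pos + len(r["pattern"])
    return True

def sample_body(name=b"www.constructed-name.com"):
    """Constructed stand-in: only the offsets the signature tests are filled in."""
    hello = b"\x01" + bytes(121) + name   # handshake type 1, filler, host name
    return b"\x16\x03\x01" + len(hello).to_bytes(2, "big") + hello

RULES = parse(SIG)
```

`matches(b"meek.azureedge.net", sample_body(), RULES)` returns True, while an ordinary JSON body sent to the same host returns False, because the body patterns require a TLS handshake record header (16 03 01) at offset 0 and the ClientHello type byte (01) at offset 5.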

Related articles:

Technical Tip: How to block traffic coming from TOR exit nodes

Technical Tip: Prevent TOR IP addresses from accessing SSL VPN with brute-force attacks on FortiGate