Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Phung_Ong
New Contributor II

Created on ‎11-02-2022 09:39 PM Edited on ‎11-03-2022 02:07 AM By Community Manager

Understand High risk app usage trigger - FortiAnalyser

Hi Everyone,

please help me to understand this, 

when I checked the Event monitor by threat (High Risk App Usage), I found out that the application: TOR is using by some computers in company, actually the tor is not installed on any computers, please let me know why Fortianalyser show that? how we can investigate?

Thanks

 

Phung_Ong_1-1667450097005.png

Labels:
1771
0 Kudos
1 Solution
gfleming
Staff
Staff

Created on ‎11-03-2022 10:07 AM Edited on ‎11-03-2022 10:09 AM

Tor is a protocol. Like BitTorrent, or IRC, etc. Tor is used to anonymize user traffic.

 

https://www.torproject.org/

 

It is considered high risk for a few reasons: 

1. it can be used to bypass firewall filters (traffic to blocked sites can be accessed through Tor)

2. It is used to access the "dark web"

3. It can put undue stress on your network and if users are somehow running relays or exit nodes on your network can put you on blacklists

 

Just like other protocols, you can access these "apps" through web browsers. So just like IRC, or WhatsApp, etc. I don't always need a dedicated app to access these things. A web browser works just the same. And FGT App Control will flag the access to these apps regardless of how they are accessed.

 

You can investigate by figuring out which devices are accessing the Tor network by looking at FAZ logs. You can also put an app control policy in place to block it if you feel it is required to do so.

Cheers,
Graham

View solution in original post

1706
1 REPLY 1
gfleming
Staff
Staff

Created on ‎11-03-2022 10:07 AM Edited on ‎11-03-2022 10:09 AM

Tor is a protocol. Like BitTorrent, or IRC, etc. Tor is used to anonymize user traffic.

 

https://www.torproject.org/

 

It is considered high risk for a few reasons: 

1. it can be used to bypass firewall filters (traffic to blocked sites can be accessed through Tor)

2. It is used to access the "dark web"

3. It can put undue stress on your network and if users are somehow running relays or exit nodes on your network can put you on blacklists

 

Just like other protocols, you can access these "apps" through web browsers. So just like IRC, or WhatsApp, etc. I don't always need a dedicated app to access these things. A web browser works just the same. And FGT App Control will flag the access to these apps regardless of how they are accessed.

 

You can investigate by figuring out which devices are accessing the Tor network by looking at FAZ logs. You can also put an app control policy in place to block it if you feel it is required to do so.

Cheers,
Graham
1707
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.