
Understand High risk app usage trigger - FortiAnalyzer

Hi Everyone,

Please help me to understand this.

When I checked the Event Monitor by threat (High Risk App Usage), I found that the application Tor is being used by some computers in the company. Actually, Tor is not installed on any of the computers. Please let me know why FortiAnalyzer shows that. How can we investigate?





Tor is a protocol, like BitTorrent, IRC, etc. Tor is used to anonymize user traffic.


It is considered high risk for a few reasons: 

1. It can be used to bypass firewall filters (traffic to blocked sites can be accessed through Tor)

2. It is used to access the "dark web"

3. It can put undue stress on your network, and if users are somehow running relays or exit nodes on your network, it can put you on blacklists


Just like other protocols, you can access these "apps" through web browsers. So just like IRC, WhatsApp, etc., I don't always need a dedicated app to access these things. A web browser works just the same. And FGT App Control will flag the access to these apps regardless of how they are accessed.


You can investigate by figuring out which devices are accessing the Tor network by looking at FAZ logs. You can also put an app control policy in place to block it if you feel it is required to do so.
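
One way to do the log review suggested in the answer above, as an added example that is not part of the original thread or any Fortinet tooling: it parses application control log lines exported as raw key=value text and summarises, per source IP, when and where Tor was flagged. The sample lines are constructed, and the signature name "Tor" and the helper names `parse_line` and `tor_sources` are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate key=value log style (not real data).
SAMPLE_LOGS = '''\
date=2024-03-04 time=09:12:01 type="utm" subtype="app-ctrl" srcip=10.0.5.21 dstip=203.0.113.10 dstport=9001 app="Tor" appcat="Proxy" apprisk="high" action="pass"
date=2024-03-04 time=09:13:44 type="utm" subtype="app-ctrl" srcip=10.0.5.21 dstip=198.51.100.7 dstport=443 app="HTTPS.BROWSER" appcat="Web.Client" apprisk="medium" action="pass"
date=2024-03-04 time=09:40:17 type="utm" subtype="app-ctrl" srcip=10.0.5.21 dstip=203.0.113.55 dstport=443 app="Tor" appcat="Proxy" apprisk="high" action="pass"
date=2024-03-04 time=10:02:30 type="utm" subtype="app-ctrl" srcip=10.0.7.88 dstip=203.0.113.10 dstport=9001 app="Tor" appcat="Proxy" apprisk="high" action="block"
date=2024-03-04 time=10:05:02 type="utm" subtype="app-ctrl" srcip=10.0.9.3 dstip=198.51.100.99 dstport=6881 app="BitTorrent" appcat="P2P" apprisk="high" action="pass"
'''

# key=value pairs; values are either "quoted" or a bare token.
PAIR = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes."""
    return {k: (q if raw.startswith('"') else raw)
            for k, raw, q in PAIR.findall(line)}

def tor_sources(text, app_name="Tor"):
    """Summarise app-control hits for app_name, keyed by source IP."""
    summary = defaultdict(lambda: {"hits": 0, "first": None, "last": None,
                                   "dests": set(), "actions": set()})
    for line in text.splitlines():
        rec = parse_line(line)
        # Exact (case-insensitive) match so "BitTorrent" is not counted.
        if rec.get("subtype") != "app-ctrl":
            continue
        if rec.get("app", "").lower() != app_name.lower():
            continue
        ts = f'{rec.get("date", "")} {rec.get("time", "")}'
        s = summary[rec.get("srcip", "unknown")]
        s["hits"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        s["dests"].add(f'{rec.get("dstip")}:{rec.get("dstport")}')
        s["actions"].add(rec.get("action"))
    return dict(summary)

if __name__ == "__main__":
    for ip, s in sorted(tor_sources(SAMPLE_LOGS).items()):
        print(ip, s["hits"], s["first"], s["last"],
              sorted(s["dests"]), sorted(s["actions"]))
```

The per-host first and last timestamps give a window to compare against browser history or process activity on that device, and the `action` set shows whether the traffic was only logged or already blocked.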