FortiGate
Description
Users are using Tor (The Onion Router) to get around firewall policies. This article describes how to prevent this.
Components
  • FortiGate units running FortiOS 3.0.
Steps or Commands

To prevent the use of Tor on your network, create a custom IPS signature that catches this traffic.

To add a custom IPS signature

  1. Go to Intrusion Protection > Signature > Custom.
  2. Select Create New.
  3. Enter a name for the signature and enter the following as the signature:

    F-SBID( --name "TOR.Web.Proxy.TLSv1.Detection"; --protocol tcp; --flow from_client; --seq <,3000,relative; --pattern "|16 03 01|"; --within 3,packet; --pattern "|0b|"; --distance 2; --within 1; --pattern "|3c|identity|3e|0"; --no_case; --distance 15; --within 300; --pattern "Tor"; --no_case; --distance -100; --within 100; )

  4. Select OK.

Associate the IPS signature with a protection profile and apply that protection profile to an outbound firewall policy.
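To see what the signature above actually checks, here is an added Python evaluator (not part of the Fortinet article) that walks the same chain of pattern/distance/within matches over a constructed TLS record. It assumes Snort-style content semantics for `--distance` and `--within` (the F-SBID documentation is not quoted here), and does not model the `--seq` or `--flow` conditions.

```python
# Added example: apply the article's chained byte-pattern matches to a payload.
# Semantics assumed (Snort-style): the search window for each pattern starts at
# (end of previous match + distance) and is `within` bytes deep; the pattern must
# lie entirely inside that window. For the first pattern, "within 3,packet" is
# taken as a 3-byte window from the start of the packet.

# (pattern, no_case, distance, within) -- transcribed from the signature above
SIGNATURE = [
    (b"\x16\x03\x01", False, 0, 3),     # TLS record: handshake type, version 3.1
    (b"\x0b", False, 2, 1),             # skip 2-byte record length; handshake type 0x0b
    (b"<identity>0", True, 15, 300),    # certificate text the signature looks for
    (b"Tor", True, -100, 100),          # "Tor" in the 100 bytes before that match
]


def find(haystack: bytes, needle: bytes, start: int, depth: int, no_case: bool) -> int:
    """Search haystack[start:start+depth] for needle; return the end offset of
    the match, or -1 if it is not found in that window."""
    end_limit = start + depth
    start = max(start, 0)              # a negative distance cannot run before the packet
    window = haystack[start:end_limit]
    idx = window.lower().find(needle.lower()) if no_case else window.find(needle)
    return -1 if idx < 0 else start + idx + len(needle)


def matches(payload: bytes, sig=SIGNATURE) -> bool:
    """True if every pattern in sig matches in order, each relative to the last."""
    cursor = 0
    for pattern, no_case, distance, within in sig:
        cursor = find(payload, pattern, cursor + distance, within, no_case)
        if cursor < 0:
            return False
    return True


# Constructed sample payload (not a real capture): a TLS 1.0 handshake record
# carrying a Certificate message whose text contains "Tor" followed by "<identity>0".
SAMPLE = (
    b"\x16\x03\x01\x00\x80"             # record header, constructed length
    + b"\x0b"                           # handshake type 11 = Certificate
    + b"\x00" * 20                      # stand-in for length fields / DER bytes
    + b"CN=Tor example <identity>0"     # certificate-like text
    + b"\x00" * 10
)

if __name__ == "__main__":
    print("signature hit:", matches(SAMPLE))  # True for the constructed sample
```

A plain ClientHello (handshake type 0x01) fails at the second pattern, and the same record without the word "Tor" fails at the last one, which is the kind of check worth running before deploying the signature.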