Blocking and monitoring Tor traffic

In this recipe, you will allow one user to use the Tor browser application for web traffic, while monitoring the user’s activity. Use of the Tor browser will be blocked for all other users.

The Tor browser allows users to bounce communication traffic around a distributed network of relays located around the world. For more information about Tor, check out the Fortinet blog entry 5 ½ Things To Know About The Tor Browser And Your Network.

This recipe uses the default application control signatures for the Tor client and web-based Tor. These signatures will only match unmodified versions of the Tor application. Also, if a Tor session has already been established prior to connecting to the network, it may take up to 10 minutes before the FortiGate is able to monitor or block the traffic.

In this recipe, two user accounts, jack and jill, have already been configured. For more information about creating user accounts, see User and device authentication.

1. Enabling Application Control and multiple security profiles

Go to System > Config > Features and ensure that Application Control is turned ON.

Select Show More and enable Multiple Security Profiles.

Apply the changes.


2. Blocking Tor traffic using the default profile

Go to Security Profiles > Application Control and edit the default profile.

Under Application Overrides, select Add Signatures.

Search for Tor, then filter the results to show only the Proxy category. Two signatures will appear: one for the Tor client and one for web-based Tor use.

Highlight both signatures, and select Use Selected Signatures.

Both signatures now appear in the Application Overrides list, with the Action set to Block.

3. Creating a profile that monitors Tor traffic

Go to Security Profiles > Application Control and create a new profile. Under Application Overrides, select Add Signatures.

Search for and highlight both signatures, and select Use Selected Signatures.

In the Application Overrides list, double-click on the Action for each signature and set it to Monitor.


4. Adding the application control profiles to your security policies

Go to Policy & Objects > Policy > IPv4 and edit the policy that allows connections from the internal network to the Internet. Make sure the user jack is included in the Source User(s).

Under Security Profiles, turn on Application Control and use the default profile.


Create a second policy allowing connections from the internal network to the Internet. Set Source User(s) to jill.

Under Security Profiles, turn on Application Control and use the profile that will monitor Tor traffic.


Go to Policy & Objects > Policy > IPv4 and view the policy list.

It is best to place more narrowly defined policies at the top of the list, because the FortiGate applies the first policy that matches a session. In this case, the policy that monitors Tor is the most narrowly defined, because fewer people are likely to be using it than the policy that blocks Tor.

To rearrange the policies, select the column on the far left (in the example, Seq.#) and drag the policy to the desired position.
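The reason ordering matters is that the policy list is evaluated top to bottom and the first match wins. The following added example (not Fortinet code; policy names, user names and the "implicit-deny" label are constructed for illustration) models that first-match lookup. It uses the recipe's order, with jill's monitor policy above jack's block policy, and then shows a hypothetical variant in which the blocking policy is open to all users and placed first, so that jill's narrower monitor policy is shadowed and never reached.

```python
"""First-match policy lookup, modelling how a FortiGate walks its IPv4
policy list from top to bottom.  Added example, not Fortinet code."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Policy:
    name: str
    app_control: str                      # Application Control profile applied
    users: frozenset = field(default_factory=frozenset)  # empty = any user

    def matches(self, user: str) -> bool:
        """A policy with no Source User(s) restriction matches every user."""
        return not self.users or user in self.users


def first_match(policies, user):
    """Return the first policy in list order that matches the user, else None."""
    for policy in policies:
        if policy.matches(user):
            return policy
    return None


def profile_for(policies, user):
    """Name of the Application Control profile a session from `user` gets.
    Sessions matching no policy hit the implicit deny (label is constructed)."""
    policy = first_match(policies, user)
    return policy.app_control if policy else "implicit-deny"


# Order used in the recipe: the narrow monitor policy for jill sits above the
# blocking policy for jack (both names are constructed for this example).
NARROW_FIRST = [
    Policy("monitor-tor-jill", "monitor-tor", frozenset({"jill"})),
    Policy("internal-to-internet", "default", frozenset({"jack"})),
]

# Hypothetical variant: the blocking policy applies to ANY user and is placed
# first, so it shadows the monitor policy and jill is blocked instead of monitored.
BROAD_FIRST = [
    Policy("internal-to-internet", "default"),
    Policy("monitor-tor-jill", "monitor-tor", frozenset({"jill"})),
]


def shadowed_policies(policies):
    """Return names of policies that can never match because an earlier,
    unrestricted policy catches every user first."""
    shadowed = []
    for i, policy in enumerate(policies):
        if any(not earlier.users for earlier in policies[:i]):
            shadowed.append(policy.name)
    return shadowed


if __name__ == "__main__":
    for user in ("jill", "jack", "bob"):
        print(user, "->", profile_for(NARROW_FIRST, user))
    print("shadowed in BROAD_FIRST:", shadowed_policies(BROAD_FIRST))
```

With the recipe's order, jill gets the monitoring profile and jack gets the blocking one; in the broad-first variant jill also gets the blocking profile, which is the kind of mistake that dragging the narrow policy to the top prevents.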

5. Results

The Tor browser cannot be used for user authentication, so use a different browser to authenticate using jill's credentials.

Browse the Internet using the Tor browser. You will be able to connect to the Internet.

Go to System > FortiView > Applications and select the now view. You will see a listing for the Tor traffic.

If you double-click on the listing, you can view more information about this traffic, including detailed information on the sessions.

Go to User & Device > Monitor > Firewall. Select the jill account and select De-authenticate.

Authenticate using jack's credentials. The Tor browser will be blocked.

Go to System > FortiView > Applications and select the now view. You will see that Tor traffic has been blocked.
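FortiView shows the same information that the FortiGate writes to its application control log, where each record is a line of space-separated key="value" fields. The following added example (not Fortinet code) parses a handful of constructed log lines in that format and summarises Tor events per user: how many sessions were passed or blocked, and which remote addresses were contacted. The field names (type, subtype, user, app, appcat, action) follow FortiOS log conventions, but every value, including the app names "Tor" and "Tor.Web", is made up for this example; adjust the match in is_tor_event to the signature names shown in your own Application Overrides list.

```python
"""Summarise Tor application control events per user from FortiGate-style
key="value" log lines.  Added example, not Fortinet code."""
import re
from collections import Counter, defaultdict

# Constructed sample log lines.  Field names follow FortiOS conventions; all
# values (dates, addresses, users, app names) are made up for this example.
SAMPLE_LOGS = """\
date=2015-03-10 time=10:01:12 type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="information" user="jill" srcip=192.168.1.110 dstip=203.0.113.5 app="Tor" appcat="Proxy" action="pass" msg="Proxy: Tor"
date=2015-03-10 time=10:01:15 type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="information" user="jill" srcip=192.168.1.110 dstip=203.0.113.9 app="Tor" appcat="Proxy" action="pass" msg="Proxy: Tor"
date=2015-03-10 time=10:03:40 type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="information" user="jill" srcip=192.168.1.110 dstip=198.51.100.20 app="HTTP.BROWSER" appcat="Web.Client" action="pass" msg="Web.Client: HTTP.BROWSER"
date=2015-03-10 time=10:12:03 type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="warning" user="jack" srcip=192.168.1.120 dstip=203.0.113.5 app="Tor" appcat="Proxy" action="block" msg="Proxy: Tor"
date=2015-03-10 time=10:12:07 type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="warning" user="jack" srcip=192.168.1.120 dstip=203.0.113.44 app="Tor.Web" appcat="Proxy" action="block" msg="Proxy: Tor.Web"
date=2015-03-10 time=10:15:00 type="traffic" subtype="forward" level="notice" user="jack" srcip=192.168.1.120 dstip=198.51.100.7 action="accept"
"""

# key=value pairs; quoted values may contain spaces, unquoted ones may not.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one log line into a dict, stripping the quotes around values."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def is_tor_event(fields):
    """True for application control records from the Proxy category whose
    signature name starts with "Tor" (constructed names; adjust to your own)."""
    return (fields.get("type") == "utm"
            and fields.get("subtype") == "app-ctrl"
            and fields.get("appcat") == "Proxy"
            and fields.get("app", "").startswith("Tor"))


def summarize(log_text):
    """Per-user count of Tor events by action, plus the remote addresses seen.
    Records without a user field (unauthenticated sessions) are kept under a
    placeholder key so they are not silently dropped."""
    summary = defaultdict(lambda: {"actions": Counter(), "remotes": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        if not is_tor_event(fields):
            continue
        user = fields.get("user", "<unauthenticated>")
        summary[user]["actions"][fields.get("action", "?")] += 1
        summary[user]["remotes"].add(fields.get("dstip", "?"))
    return {user: {"actions": dict(v["actions"]), "remotes": sorted(v["remotes"])}
            for user, v in summary.items()}


if __name__ == "__main__":
    for user, info in summarize(SAMPLE_LOGS).items():
        print(user, info["actions"], info["remotes"])
```

On the constructed input the summary shows jill's two Tor sessions passed (the monitor profile) and jack's two blocked (the default profile); the non-Tor browser session and the plain traffic record are ignored. The same summarize function can be pointed at a FortiGate syslog export to review Tor use over a longer period than the FortiView "now" window.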

For further reading, check out Application control in the FortiOS 5.2 Handbook.

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet


  • Matan

    How about blocking tor inbound traffic?
    For example application control for vip policy used inbound (web server)?

    • Zack A

      Would love to see a solution for this as well!!!

      • Victoria Martin

        See the above reply.

        • Zack A

          Thanks so much. Wasn’t sure if it worked on inbound flow.

    • Victoria Martin

      Hello Matan, sorry for missing this comment earlier!

      The security profile blocking Tor can be applied to a security policy for inbound traffic as well. As for your specific example, we are adding that to our to-do list for future topics.