This discussion has been locked.

At present no reliable way to block Tor Browser?

Although I had enabled "Filter avoidance apps" (app control) as well as SSL inspection, Tor Browser managed to connect to the internet. As Sophos support told me on the phone, this problem seems to be known.

Are there any experiences here in blocking Tor Browser reliably?
Maybe more steps are necessary to block, like outlined here for another manufacturer?



    • https and https scanning is enabled, invalid or unknown certificates are blocked
    • web filtering is enabled: proxy & tunnel category
    • app filter: "filter avoidance apps" that include tor proxy, tor vpn etc. as well as "DNS Multiple QNAME, OpenVPN, QUIC, and Non-SSL/TLS traffic on port 443".
    • ips settings: I didn't edit anything here
  • Sascha,

    Please read and follow these instructions:

    Regards

  • This KBA I already followed and implemented last year (rfcat_vk mentioned that KBA on 25 May 2019 in this thread). After implementing it, Tor Browser was blocked successfully. But now it isn't blocked anymore. Checked settings in the CLI and re-implemented the KBA, but without success.

  • I've been fiddling with this today. I'm also not able to prevent the TOR Browser from starting 100% of the time.
    Sometimes it doesn't start, sometimes it does.

    What I was able to accomplish is to disable browsing from a TOR Browser session.
    If you're interested please let me know.

    Grtz, Peter-Paul

  • Yes, I am very interested in the way you disabled browser sessions.

    Did you alter the settings mentioned here for better application detection?

  • First I created a new service (Hosts and services -> Services), like this:


    (Not sure if the UDP entries are necessary; added them just in case.)

    Then I added a new FW rule:

    Finally I made sure no one is able to download the TOR Browser, so I added 'torproject.org' to the URL group [Local TLS deny list] (Web -> URL groups).

    The result (for me) is that the TOR Browser does start (most of the time) but browsing is not possible. I've tested with:
    - "Check our Tor Browser Manual" on the opening tab of TOR Browser
    - google.com
    - nu.nl
    - ibm.com
    - sophos.com

    (Also tested on an Android phone as well as on an iPhone, both successful.)

    I'm interested to hear about your findings, success.

    Grtz, Peter-Paul

  • Thank you,

    I followed your suggestions, but Tor is able to connect to the internet.

    Maybe I missed something: are the suggested changes all you did, or did you do something before (like application detection etc.)?

    Here are my rules:

    Honestly, I seriously doubt dropping some TCP/UDP ports is enough to stop tor. It is designed to work around obstacles, you have to use application signatures etc.

    Best regards

    Sacha

  • Sorry, forgot to mention two things:
    1. I did alter the settings mentioned here for better application detection.

    2. I added something to my default web policy (Web -> Policies):

    Grtz, Peter-Paul

  • Hi

    You have "any service" selected on your rules. As you have stated, TOR is designed to work around proxies and firewalls such as the XG.

    We have to make it harder for them to do so. As TOR is updated more frequently, we are only able to create signatures based on the files seen in the wild. The TOR user/dev community will not give us the file before they release it so that we can have signatures created beforehand.

    So in order to make it harder for TOR to be blocked, you have to limit ports outbound. For DNS outbound, limit to port and DNS providers.

    There are a lot of posts on here about Psiphon being blocked. Search for them to see what else has been done to limit that application.

    You should also increase the maximum amount of packets that get scanned before IPS makes a decision on what type of traffic it is.  You can do this by going to the "Console" and running command: set ips maxpkts 100

    Ensure that the following settings have been set on the web proxy:

    Block PUAs

    Enable pharming protection

    Block invalid certificates

    Block unrecognized protocols

    The above settings are in addition to limiting outbound ports/services and locking down any other rules with "any service" to a specific IP.

    Let us know how it goes.

    Thanks!
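To make the "any service" point concrete, and to tie it to Peter-Paul's service/rule/URL-group steps above, here is an added example (my own code, not Sophos's and not anything from the thread) that models the two firewall rules as policy functions and runs a handful of constructed outbound flows through both. The IP addresses, the resolver, the relay entries and the flow labels are all hypothetical (documentation ranges); the relay-list match is an extra step beyond what the Sophos reply describes, included because the public Tor consensus lists guard IP:port pairs and a 443-listening guard is exactly the case port limiting alone misses. The last flow stays allowed on purpose: a bridge that looks like ordinary TLS to a CDN is what the application signatures and the IPS packet budget are for, not the port policy.

```python
"""Why an 'any service' LAN->WAN rule lets Tor out, and what a tightened egress
policy changes.  Added example, not Sophos code.  Addresses and relay entries are
constructed from documentation ranges, not real Tor consensus data."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One outbound connection as the firewall/proxy sees it."""
    dst: str                    # destination IP
    proto: str                  # "tcp" or "udp"
    dport: int
    tls: bool = False           # proxy observed a TLS ClientHello on this connection
    sni: Optional[str] = None   # server name from that ClientHello, if any
    note: str = ""              # label used in the results table


# --- policy data (hypothetical values chosen for the example) -----------------
WEB_PORTS_TCP = {80, 443}                  # the only TCP services allowed outbound
ALLOWED_RESOLVERS = {"192.0.2.53"}         # internal resolver; all other DNS denied
LOCAL_TLS_DENY_LIST = {"torproject.org"}   # the URL group Peter-Paul added
TOR_RELAYS = {                             # constructed sample of (IP, ORPort) pairs;
    ("203.0.113.10", 9001),                # in practice, built from the public consensus
    ("203.0.113.11", 443),
    ("198.51.100.7", 9030),
}

Verdict = Tuple[str, str]  # ("allow" | "deny", reason)


def any_service(flow: Flow) -> Verdict:
    """LAN -> WAN with service 'Any', the rule in the thread's screenshots.
    Everything passes, so Tor only has to find one port that works."""
    return ("allow", "any-service rule matches")


def restricted(flow: Flow) -> Verdict:
    """Egress limited the way the Sophos reply recommends, plus a relay-list match."""
    # DNS only to the approved resolvers, so a client can't sidestep the internal one
    if flow.dport == 53:
        if flow.dst in ALLOWED_RESOLVERS:
            return ("allow", "DNS to approved resolver")
        return ("deny", "DNS to unapproved resolver")
    # Destination is a published Tor relay, whatever port it listens on
    if (flow.dst, flow.dport) in TOR_RELAYS:
        return ("deny", "destination is a published Tor relay")
    # No outbound UDP other than DNS: QUIC on udp/443 would bypass the web proxy
    if flow.proto == "udp":
        return ("deny", "outbound UDP is not in the allowed service")
    # TCP: only the web ports
    if flow.dport not in WEB_PORTS_TCP:
        return ("deny", "tcp/%d not in allowed service" % flow.dport)
    # On 443 the proxy expects TLS; obfs4 and the like are "unrecognized protocols"
    if flow.dport == 443 and not flow.tls:
        return ("deny", "non-TLS traffic on 443 (unrecognized protocol)")
    # SNI against the local TLS deny list, so the Tor Browser can't be downloaded
    if flow.sni and any(flow.sni == d or flow.sni.endswith("." + d)
                        for d in LOCAL_TLS_DENY_LIST):
        return ("deny", "SNI matches local TLS deny list")
    return ("allow", "web traffic on an allowed port")


SAMPLE_FLOWS = [  # constructed traffic, one row per evasion the thread discusses
    Flow("93.184.216.34", "tcp", 443, tls=True, sni="example.com", note="ordinary HTTPS"),
    Flow("8.8.8.8", "udp", 53, note="DNS straight to a public resolver"),
    Flow("203.0.113.10", "tcp", 9001, tls=True, note="Tor guard on the default ORPort"),
    Flow("203.0.113.11", "tcp", 443, tls=True, note="Tor guard listening on 443"),
    Flow("93.184.216.34", "udp", 443, note="QUIC to a web server"),
    Flow("198.51.100.200", "tcp", 443, tls=False, note="obfs4 bridge (not in consensus)"),
    Flow("203.0.113.50", "tcp", 443, tls=True, sni="dist.torproject.org",
         note="Tor Browser download"),
    Flow("192.0.2.80", "tcp", 443, tls=True, sni="cdn.example.net",
         note="domain-fronted bridge"),
]


def evaluate(policy: Callable[[Flow], Verdict], flows=SAMPLE_FLOWS) -> Dict[str, str]:
    """Map each flow's label to the verdict the given policy returns for it."""
    return {f.note: policy(f)[0] for f in flows}


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print("%-36s any-service=%-5s restricted=%-5s  %s"
              % (f.note, any_service(f)[0], restricted(f)[0], restricted(f)[1]))
```

Read the output row by row: the any-service rule allows every flow, which is why Tor Browser connected despite the app filter. The restricted policy stops the default-ORPort guard by port, the 443 guard only because of the relay list (this is Sascha's point that dropping ports alone is not enough), QUIC and non-TLS-on-443 as unrecognized protocols, and the download via the SNI deny list. The domain-fronted bridge is still allowed, so that gap is left to the application signatures and the "set ips maxpkts" budget rather than to the rule base.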

  • Thank you for your in-depth information. But I didn't get what I'll have to do with my "any service" settings. I am not familiar enough with the general concept. What do I have to do specifically? (Is there a how-to?)