Why doesn't TOR Browser/proxy appear in logviewer

Hi folks,

I have been updating my firewalls and testing them. Tor browser appears in the XG GUI Reports display but I am not able to find it in the logviewer.

I am trying to identify which rule it is using to bypass restrictions. I have been able to identify which rules it uses in the past, but not anymore.

Thoughts and suggestions please.

Ian

  • Hi folks,

    The previous question in this thread was apparently too difficult. Today, I disabled most of my firewall rules and then restored them until TOR was able to connect. Still nothing in the logs. But I did find which firewall rule was allowing the TOR browser through; still nothing in logviewer showing a connection. I found that TOR would attempt to connect through port 443 on my decrypt-and-scan firewall rule when all other rules blocked it. Now, when TOR uses port 443, the failing addresses show in the logviewer displays, but if it uses a different port then nothing appears in logviewer.

    I have since tightened a couple of rules; even though they had only specific ports allowed, TOR still connected.

    When using port 443, logviewer indicates the connection was successful, though TOR does not connect.

    My findings for those that might be interested.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.
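The rule-by-rule audit Ian describes above (disable rules, watch what still connects, find the one that lets traffic through) can also be done against exported firewall log lines. The script below is an added example, not code from the thread or from Sophos: it groups allowed flows by the rule id that permitted them and flags the ones that went to a port outside the set the rule is meant to pass, or that carry no application classification, which is the "allowed but never identified" case discussed later in the thread. The key="value" field names (`log_type`, `log_subtype`, `fw_rule_id`, `src_ip`, `dst_ip`, `dst_port`, `application`) and the sample lines are assumptions constructed for the example, so map them to your own export before relying on the result.

```python
import re
from collections import defaultdict

# Constructed sample lines in a key="value" style loosely modelled on Sophos XG
# firewall syslog output. Field names and values are assumptions made for this
# example, not log output from the firewalls discussed in the thread.
SAMPLE_LOG = """\
log_type="Firewall" log_subtype="Allowed" fw_rule_id="12" src_ip="192.168.1.50" dst_ip="203.0.113.10" dst_port="443" application="HTTPS"
log_type="Firewall" log_subtype="Allowed" fw_rule_id="12" src_ip="192.168.1.50" dst_ip="198.51.100.7" dst_port="9001" application=""
log_type="Firewall" log_subtype="Allowed" fw_rule_id="7" src_ip="192.168.1.50" dst_ip="198.51.100.9" dst_port="9030" application=""
log_type="Firewall" log_subtype="Denied" fw_rule_id="3" src_ip="192.168.1.50" dst_ip="198.51.100.7" dst_port="9001" application=""
log_type="Firewall" log_subtype="Allowed" fw_rule_id="12" src_ip="192.168.1.51" dst_ip="203.0.113.20" dst_port="80" application="HTTP"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one key="value" log line into a dict; unknown keys are kept as-is."""
    return dict(FIELD_RE.findall(line))


def audit_allowed_flows(log_text, expected_ports=frozenset({80, 443})):
    """Group permitted flows that deserve a look by the rule id that allowed them.

    A flow is reported when the firewall allowed it but either the destination
    port is outside expected_ports (the only ports the rule is meant to pass)
    or the application field is empty, i.e. the firewall passed traffic it did
    not classify. Denied flows are skipped: those already show up in the log.
    """
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("log_type") != "Firewall" or rec.get("log_subtype") != "Allowed":
            continue
        port = int(rec.get("dst_port", "0"))
        reasons = []
        if port not in expected_ports:
            reasons.append("destination port outside expected set")
        if not rec.get("application"):
            reasons.append("no application classification")
        if reasons:
            findings[rec.get("fw_rule_id", "?")].append(
                {"src": rec.get("src_ip"), "dst": f'{rec.get("dst_ip")}:{port}', "reasons": reasons}
            )
    return dict(findings)


def rule_summary(findings):
    """Rank rule ids by number of flagged flows, worst first, for review."""
    return sorted(((rule, len(flows)) for rule, flows in findings.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    result = audit_allowed_flows(SAMPLE_LOG)
    for rule, count in rule_summary(result):
        print(f"rule {rule}: {count} flagged flow(s)")
        for flow in result[rule]:
            print(f"  {flow['src']} -> {flow['dst']}: {'; '.join(flow['reasons'])}")
```

On the constructed sample this points at rules 12 and 7 as the ones passing unclassified traffic to ports the rule was not written for, which is the shortlist you would then tighten. If your export only shows a connection once it is blocked, as the later posts in this thread suggest, the absence of any allowed line for a client you know is talking outbound is itself a finding worth recording.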

  • Hello Rfcat,

    You might already know these suggestions for v18 and TOR

    1. SSL/TLS should be enabled and one decryption rule should be created based on Firewall rules
    2. Block invalid certificates, must be enabled in the XG
    3. In your firewall rule for user's computer, you should only allow HTTPS, HTTP, preferably the XG will be the DNS resolver

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos | Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hi Emmosophos,

    Thank you. I have most of those suggestions in place, except for one rule that needed no checking. I have since worked out a way to check the application using that rule without causing connection failures.

    The issue still stands: XG shows the connection is successful when using port 443; when using other ports there is nothing logged.

    Ian


  • Hello rfcat,

    Thank you for the follow-up!

    I will see if I can replicate it.

    Regards,

    Emmanuel (EmmoSophos)
  • Hi emmosophos,

    Now that the application is being blocked in Applications, it is appearing in the logviewer -> applications report, but why doesn't it appear when not blocked?

    Ian


  • Hello rfcat,

    Most likely because the XG is not detecting the application. Do you see anything in the IPS.log?

    Regards,

    Emmanuel (EmmoSophos)
  • Hi emmosophos,

    All I see in the IPS logs is my wife's MBP Outlook intermittently attacking a Microsoft mail server.

    The IPS in the GUI shows hits but does not provide details when I click on each item.

    I would suggest there is a bug in the application process where only blocked applications are logged, not successfully connected applications.

    TOR browser is only partially blocked: it still establishes a connection to the relay but cannot set up the secure tunnel. Nothing is logged for the relay connection, which is not a very good situation.

    Ian
