Monitor Tor Exit Node Blocking Activity
To identify connections on your network that originate from a Tor exit node, you can monitor your network for Tor Exit Node Blocking activity (Fireware v12.8.1 and higher and Fireware v12.5.10 and higher).
Tor Exit Node Blocking Statistics

- Select Dashboard > Subscription Services.
Tor Exit Node Blocking Log Messages
You can configure your Firebox to generate a log message when it blocks Tor exit node traffic on your network. Tor Exit Node Blocking log messages show the source and destination IP addresses of the traffic. For example:
Mar 31 20:38:36 2022 T70 local0.warn firewall: msg_id="3000-0173" Deny Optional-1 External 60 tcp 20 63 203.0.113.1 203.0.113.2 52880 53 offset 10 S 64757224 win 61690 geo_src="NLD" geo_dst="USA" tor="tor_src" msg="blocked sites (TOR blocking source)" (DNS-00))
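The following Python example is added here and is not WatchGuard code: it parses log lines of the form shown above and counts Tor-tagged events per source IP, destination IP and destination port. The positional field layout is an assumption inferred from the sample line, and the second and third sample lines are constructed.

```python
import re
from collections import Counter

KV = re.compile(r'(\w+)="([^"]*)"')  # key="value" fields such as tor="tor_src"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Assumption: layout inferred from the page's sample line: disposition, in/out
# interface, length, protocol, two numeric fields, then src IP, dst IP, ports.
FLOW = re.compile(
    r"\b(?P<disp>Allow|Deny) (?P<in_if>\S+) (?P<out_if>\S+) \d+ (?P<proto>tcp|udp) \d+ \d+ "
    rf"(?P<src>{IP}) (?P<dst>{IP}) (?P<sport>\d+) (?P<dport>\d+)\b")

def parse_tor_event(line):
    """Return a dict for a log line carrying a tor="..." tag, else None."""
    kv = dict(KV.findall(line))
    flow = FLOW.search(line)
    if "tor" not in kv or flow is None:
        return None
    ev = flow.groupdict()
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    ev.update(msg_id=kv.get("msg_id"), tor=kv["tor"],
              geo_src=kv.get("geo_src"), geo_dst=kv.get("geo_dst"))
    return ev

def summarize(lines):
    """Count Tor-tagged events per (source IP, destination IP, dest port)."""
    counts = Counter()
    for line in lines:
        ev = parse_tor_event(line)
        if ev:
            counts[(ev["src"], ev["dst"], ev["dport"])] += 1
    return counts

# PAGE_LINE is the sample from this page; the other two entries are constructed.
PAGE_LINE = (
    'Mar 31 20:38:36 2022 T70 local0.warn firewall: msg_id="3000-0173" Deny '
    'Optional-1 External 60 tcp 20 63 203.0.113.1 203.0.113.2 52880 53 offset 10 '
    'S 64757224 win 61690 geo_src="NLD" geo_dst="USA" tor="tor_src" '
    'msg="blocked sites (TOR blocking source)" (DNS-00))'
)
SAMPLE_LINES = [
    PAGE_LINE,
    PAGE_LINE.replace(" 52880 ", " 52881 "),  # constructed repeat, new source port
    'Mar 31 20:39:02 2022 T70 local0.warn firewall: msg_id="0000-0000" Deny External '
    'Firebox 40 tcp 20 51 198.51.100.7 203.0.113.2 40000 23 msg="constructed non-Tor deny"',
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LINES).most_common():
        print(n, *key)
```

Lines without a `tor` field, or whose flow fields do not match the assumed layout, are skipped rather than guessed at.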
Tor Exit Node Blocking Notifications
The Tor Exit Node Blocking service uses a list of known Tor exit node IP addresses from Reputation Enabled Defense (RED) and adds the addresses to the Blocked Sites List. To view Tor Exit Node Blocking activity on your network, you can configure the log settings for the Blocked Sites List.
You can configure your Firebox to generate a log message or send a notification message if it blocks a Tor exit node.

- Select Firewall > Blocked Sites.
  The Blocked Sites page opens.
- Select the Settings tab.
- Configure the logging and notification settings as described in Set Logging and Notification Preferences.

- Click
.
  Or, select Setup > Default Threat Protection > Blocked Sites.
  The Blocked Sites Configuration dialog box opens.
- Click Logging.
  The Logging and Notification dialog box opens.
- Configure the logging and notification settings as described in Set Logging and Notification Preferences.