Cisco Support Community

New Member

Block users from using Tor

The title says it all.

How do I block users from using the Tor network to bypass the firewall?

All I'm able to find is that Tor uses port 9001 (TCP) by default but switches to any other open port (80, 443, 25, 23, 22, etc.) when it's blocked.

Blocking those 'backup' ports is obviously not the right way, so I'm looking for inspect rules or any other way to classify and block Tor.

Cisco Employee

Re: Block users from using Tor

Hi Frank,

I did a quick capture to look at the Tor client while it is connecting. It looks like it encrypts most of the connection traffic, so all your users would probably need to first connect through a proxy that could decrypt the connection and block it that way. Tor is designed to be very resilient, so I don't think you'll find a feasible way to block it at the firewall.

Hope that helps.


New Member

Re: Block users from using Tor

I was afraid of that.

Plan B would be to tell the AV software to block the Tor executables by default, but files are easily renamed and versions change so file hashes are useless.

Plan C is making the use of firewall bypassing software an offense punishable by death.

Cisco Employee

Re: Block users from using Tor


One alternative could be to tie down the inside interface access-list to a specific list of allowed ports. From what I understand of the working of Tor, it tries to relay through multiple hosts and for that, the relay servers set up certain ports. So, if you limit the inside network access to normal ports like 80/443, and 53, then the access will be limited to these ports. Now, you can configure HTTP inspection to limit Tor access on port 80 as well (you might take a performance hit when you configure HTTP inspection). This will limit the Tor users to use only port 443 for relay.

Hope this helps.
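What the reply above describes, written out as an added ASA configuration example (not posted in the original thread). It assumes the inside interface is named inside; the ACL name INSIDE_IN and the HTTP inspection policy-map name HTTP_STRICT are chosen here for illustration. The default global_policy and its inspection_default class are the ASA's factory defaults.

```cisco
! Inside-interface ACL: permit only DNS, HTTP and HTTPS outbound and
! drop (and log) everything else, which covers Tor's default 9001/9030.
! Any other service the network needs (NTP, SMTP, VPN, ...) must be added
! here explicitly, otherwise it breaks along with Tor.
access-list INSIDE_IN extended permit udp any any eq 53
access-list INSIDE_IN extended permit tcp any any eq 80
access-list INSIDE_IN extended permit tcp any any eq 443
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! HTTP inspection: a Tor client that falls back to port 80 is still
! speaking TLS, not HTTP, so a protocol violation on 80 is dropped.
policy-map type inspect http HTTP_STRICT
 parameters
  protocol-violation action drop-connection log
!
! Attach it to the default global policy; inspection_default already
! matches tcp/80 through default-inspection-traffic.
policy-map global_policy
 class inspection_default
  inspect http HTTP_STRICT
```

Check the result with `show access-list INSIDE_IN` (hit counts on the final deny show what is being blocked) and `show service-policy inspect http`. Note the limit the reply itself states: Tor over port 443 is TLS on an allowed port, so this configuration does not stop it.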



New Member

My way to block Tor is this

Do you have all IP addresses of Tor servers?


Palo Alto firewall can block Tor because it has protocol inspection

New Member

If you check my link, there are around 6500 servers I need to copy-paste into the botnet blacklist.

I admit it's not an automatic way to block Tor, but at least it works. I already tested that.

If management has the budget, of course they can buy another device that is easier to manage.

It's just one alternative to block Tor.
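The relay-address blocklist approach described above, as an added ASA example (not the poster's configuration). It assumes you already have the relay address list (the poster's link is not reproduced here); the addresses shown are constructed placeholders from the RFC 5737 documentation ranges, the object-group name TOR_RELAYS is chosen here, and the ACL INSIDE_IN is assumed to be applied inbound on the inside interface.

```cisco
! Constructed placeholder addresses; replace with the real relay list,
! one network-object per relay (a whole block can be listed as a subnet).
object-group network TOR_RELAYS
 network-object host 192.0.2.10
 network-object host 198.51.100.23
 network-object 203.0.113.0 255.255.255.0
!
! Insert the deny as line 1 so it is evaluated before any permit in the
! inside ACL, and log hits so attempts are visible.
access-list INSIDE_IN line 1 extended deny ip any object-group TOR_RELAYS log
```

Verify with `show object-group id TOR_RELAYS` and `show access-list INSIDE_IN`. The same list can go into the ASA's static botnet blacklist instead (`dynamic-filter blacklist`, then one `address` line per host), which is what the poster used. Two caveats a practitioner should keep in mind: the set of public relays changes daily, so the list has to be regenerated regularly, and Tor bridges are not published in the public relay list, so a user who configures a bridge is not caught by this at all.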

