External Dynamic Lists for Rules

I have seen a few others on Reddit and other public forums discussing this. I come from Palo Alto firewalls and I'm used to building policies for some things using an EDL (External Dynamic List).

One primary use case for this is to specifically deny Tor exit nodes for all my inbound policies, including the blocked sites list. I can copy the Tor feed, but it updates and is dynamic. There are also many other EDL use cases for hooking into various kinds of feeds. I do already have it set to temporarily block unhandled packets and that is good. But I want it where my web servers/FTP etc. are blocked from these nodes, as our business doesn't require any Tor-based traffic.

Some examples of what you can do -

Example 1

Example 2

Similar request on Reddit

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @AschildmeyerSTR
    If you're looking to block TOR specifically, I'd suggest checking out Application Control feature, which has definitions for it.

    There is an existing open feature request for a feature like this. The request ID is FBX-17962. If you'd like to follow it, please open a support case and mention FBX-17962 somewhere in the case description. The technician can set the case up to track that for you.

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • @James_Carson said:
    Hi @AschildmeyerSTR
    If you're looking to block TOR specifically, I'd suggest checking out Application Control feature, which has definitions for it.

    There is an existing open feature request for a feature like this. The request ID is FBX-17962. If you'd like to follow it, please open a support case and mention FBX-17962 somewhere in the case description. The technician can set the case up to track that for you.

    Thank you,

    Thanks again James. Yeah, I have the outbound rules for it and they do work from client to internet. My big thing is I need them on inbound rules to FTP/Web/VPN etc. We've had a few incidents in the past with Tor exit nodes and we just want them blocked from seeing us altogether.

    I'll for sure sign up to follow that feature.

    Adam

  • Just to hijack this thread, and apologies for mentioning another vendor; Fortinet have a similar feature with their appliances where you can pick and choose dynamic list services to allow/deny or monitor.

    Having something similar on the WG side would be very beneficial.

    Understand the Application Control side, but you can only use this for Outbound traffic leaving your internal network, not for Incoming Traffic to the Firebox.

  • james.carson Moderator, WatchGuard Representative

    Hi @Dave

    Application Control can be used in both directions, there's no limitation on that.

    If this feature would be beneficial for you, I'd suggest opening a support case and mentioning that feature request ID (FBX-17962). That will track it for you automatically, and also add another interested party/case linked to that request in our system.

    -James Carson
    WatchGuard Customer Support

  • I think what they are looking for would not be helped by blocking TOR with AppControl on inbound rules. I think they are asking that no TOR exit nodes be allowed to attempt to connect to an incoming rule. This traffic would look like any other web traffic and not hit the app control signature. You can do this with an alias or blocked site exceptions except you need to manually keep up the list.

    I do have an RFE filed (or request linked to a previous RFE) to add some sort of OPTIONAL checkbox under Botnet protection to add Tor exit nodes. This would need the subscription partner to be able to provide that as a feed or link to one of the many available feeds. The RFE my request got linked to for this functionality is FBX-5140.
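The opening post asks for a dynamic feed of Tor exit nodes, and the last comment notes that an alias or blocked-sites list works today only if someone keeps it current by hand. The following is an added example, not code from the thread or from WatchGuard, of the piece you would script around that: parse a feed in the common one-address-per-line form, drop junk and duplicates, collapse adjacent entries, diff it against the previous run so you can see what a refresh changed, and check a connecting source IP against the result. The feed text is a constructed sample using documentation address ranges, and how the rendered list is loaded into a particular firewall (import format, API) is left as an assumption outside the block.

```python
"""Build a block list from a Tor exit-node style feed and check source IPs against it.

Added example; the feed below is a constructed sample, not a real capture,
and the output format is a plain one-entry-per-line list (assumption: your
firewall's alias or blocked-sites import accepts that, or you adapt it).
"""
import ipaddress

# Constructed sample feed: one entry per line, with the comment lines,
# blanks, duplicates and stray garbage such feeds tend to carry.
SAMPLE_FEED = """\
# Tor exit nodes, constructed sample for this example
192.0.2.10
192.0.2.11
198.51.100.7
198.51.100.7   # duplicate on purpose
2001:db8::1
not-an-ip
203.0.113.0/24
"""

# Constructed "previous run" so the diff has something to compare against.
PREVIOUS_LIST = """\
192.0.2.10/32
198.51.100.7/32
198.51.100.200/32
"""


def parse_feed(text):
    """Return (networks, rejected): valid entries as ip_network objects plus the lines dropped.

    Single addresses become /32 or /128 networks so hosts and CIDR blocks
    can be treated uniformly. Invalid lines are reported, never silently
    skipped, because a feed that suddenly turns into an HTML error page
    should fail loudly rather than produce an empty allow-everything list.
    """
    networks, rejected = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        try:
            networks.add(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append(line)
    return networks, rejected


def collapse(networks):
    """Merge adjacent/overlapping entries per address family; never widens beyond what was listed."""
    by_family = {4: [], 6: []}
    for net in networks:
        by_family[net.version].append(net)
    merged = []
    for version in (4, 6):
        merged.extend(ipaddress.collapse_addresses(by_family[version]))
    return sorted(merged, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def render_block_list(networks):
    """One entry per line, collapsed and sorted, for import into an alias or blocked-sites list."""
    return "\n".join(str(n) for n in collapse(networks))


def diff_lists(old_text, new_text):
    """Return (added, removed) as sorted string lists so a refresh can be reviewed or logged."""
    old, _ = parse_feed(old_text)
    new, _ = parse_feed(new_text)
    old_set, new_set = set(collapse(old)), set(collapse(new))
    return (sorted(str(n) for n in new_set - old_set),
            sorted(str(n) for n in old_set - new_set))


def is_blocked(src_ip, networks):
    """True when the connecting address falls inside any entry of the block list."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    nets, bad = parse_feed(SAMPLE_FEED)
    if bad:
        print("rejected feed lines:", bad)
    print(render_block_list(nets))
    print("diff vs previous run:", diff_lists(PREVIOUS_LIST, SAMPLE_FEED))
    for ip in ("203.0.113.77", "192.0.2.12", "2001:db8::1"):
        print(ip, "blocked" if is_blocked(ip, nets) else "allowed")
```

Two points worth noticing when you run it: the two adjacent hosts 192.0.2.10 and 192.0.2.11 collapse to a single 192.0.2.10/31, which shortens large feeds without blocking anything the feed did not list, and the `rejected` list is what you should alert on, since a feed that fails to download typically yields a near-empty list rather than an error. A real refresh job would replace `SAMPLE_FEED` with the fetched feed body and push the rendered list through whatever import mechanism the firewall offers; both of those are outside what this thread documents.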
