threatER's Unexpected Blocks feature allows you to retrieve outbound Port 80 and 443 traffic logs from your Enforcer. The logs retrieved include the pertinent data to identify the problematic IP and make an informed decision on whether the IP should be allowed.
All Enforcers must be on at least Build 240 to access this new feature. After all the Enforcers are successfully updated to the new build, we strongly recommend you log out and log back into the threatER portal to ensure the previous cache is cleared.
Initiate Log Analysis
Log into the threatER Portal and navigate to Enforce > Unexpected Blocks. All end users can conduct the analysis, but only Master Admins and Admins can add an IP to an allow list.
Select a Date Range and the Enforcers you want to query logs on. The default selections are "Last 3 Hours" and "All Enforcers." Click Submit to start the analysis.
The length of time for results to return varies based on the parameters selected, as well as network activity and connection speed. The progress of your analysis is shown on the Unexpected Blocks tab.
You can navigate away and perform other functions within the application while your analysis is processing, but if you log out or close your browser your results will not complete.
Once your submitted query is complete, the log entries are displayed on the Unexpected Blocks tab. To view additional data for an entry, expand its row via the disclosure triangle in the far-left column.
The following data points are available:
| Field Name | Description |
| --- | --- |
| Date | The date and time of the connection request |
| Enforcer | The Enforcer that logged the connection to or from the IP |
| Policy | The Policy or Policies associated with the IP |
| Lists | The attribution of the IP and whether it is on your allow, block and/or threat lists |
| Reason | The reason the connection was allowed or blocked. Reasons include Geo-blocking (Country), ASN, Block List, Allow List, Threat List or Other (Policy) |
| Protocol | The network protocol of the connection associated with the IP |
| Country | The country of origin of the IP |
| ASN | The autonomous system number (ASN) associated with the IP |
| Reverse DNS | The domain name returned by a reverse DNS lookup of the IP address |
| WHOIS | The registration ("ownership") record for the IP |
| WHOIS.EXTENDED | A secondary WHOIS source with additional data |
Adding IP to Allow List
Hover over the row that contains the IP and select the icon in the far-right column:
Select the Allow list(s) that should host the IP. The colored pips next to the Allow list names indicate the following:
| Color | Description |
| --- | --- |
| Green | The list is enforced by the policy that blocked the IP address. Adding the IP to this list will allow it through the Networks enforced by this policy. |
| Grey | The list is not enforced by the policy that blocked the IP address, but it is enforced by another of your policies. If the IP is added to this list, it will be allowed on the Networks enforced by that other policy, not on the Networks where it was blocked. |
| Red | The list is not enforced by any of your policies. If the IP is added to this list, it will continue to be blocked. |
Make any necessary edits to the IP entry. Below is the default for each field:
| Field | Default |
| --- | --- |
| Maskbits | 32 |
| Description | "Added by Unexpected Blocks" |
| Expiration | "Never" |
Click the "Ok" button to finalize the request. The IP is now added to the selected Allow lists and is allowed on the Networks of every policy that enforces one of those lists.
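The pip colours and the effect of an allow-list addition follow directly from which policies enforce which lists. The following added example (not threatER's code) models those rules with constructed policy, list and network names, so you can check the blast radius of an addition, including a widened Maskbits, before clicking "Ok":

```python
"""Model of Unexpected Blocks allow-list pip colours and their reach (constructed example)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    networks: list[str]     # networks this policy is enforced on
    allow_lists: set[str]   # allow lists this policy enforces


def pip_colour(list_name: str, blocking_policy: Policy, policies: list[Policy]) -> str:
    """Green: enforced by the blocking policy; grey: enforced only elsewhere; red: nowhere."""
    if list_name in blocking_policy.allow_lists:
        return "green"
    if any(list_name in p.allow_lists for p in policies):
        return "grey"
    return "red"


def networks_opened(list_name: str, policies: list[Policy]) -> list[str]:
    """Networks on which an IP becomes allowed once it is on list_name."""
    return sorted({n for p in policies if list_name in p.allow_lists for n in p.networks})


def allow_entry(ip: str, maskbits: int = 32,
                description: str = "Added by Unexpected Blocks",
                expiration: str = "Never") -> dict:
    """Build the entry with the page's defaults; maskbits < 32 widens it to a whole prefix."""
    net = ipaddress.ip_network(f"{ip}/{maskbits}", strict=False)
    return {"network": str(net), "addresses": net.num_addresses,
            "description": description, "expiration": expiration}


# Constructed sample data: two policies, two networks, three candidate allow lists.
HQ = Policy("HQ", ["10.0.0.0/8"], {"Vendors", "Partners"})
BRANCH = Policy("Branch", ["192.168.0.0/16"], {"Partners"})
POLICIES = [HQ, BRANCH]


def review(ip: str, blocking_policy: Policy, list_name: str, maskbits: int = 32) -> dict:
    """Summarise what adding ip to list_name would do, given the policy that blocked it."""
    return {"colour": pip_colour(list_name, blocking_policy, POLICIES),
            "opened_on": networks_opened(list_name, POLICIES),
            "entry": allow_entry(ip, maskbits)}


if __name__ == "__main__":
    for lst in ("Partners", "Vendors", "Legacy"):
        print(lst, review("203.0.113.7", BRANCH, lst))
```

A grey list still opens the IP somewhere, just not where it was blocked, and lowering Maskbits from 32 turns a single-host exception into a prefix-wide one.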