Build 177 - October 18, 2024
Unexpected Blocks Enhancements
In March we released our Unexpected Blocks feature, which lets you retrieve logs of the outbound web traffic on ports 80 and 443 that your Enforcers blocked. Based on the feedback we received, we have made several enhancements to the feature, covering both how Block Events are presented and new mitigation strategies that make it easier to act on the problematic IP event.
Block Events - Grouped by IP
By default, duplicate IPs are now consolidated into groups, and the resulting IP groups are listed in reverse chronological order (most recently blocked first).
The header row of the IP group will include:
- Event count - The number of unique events returned for that IP in the log set
- Extended Info icon - Clicking on this icon will display any additional information that is available for the IP (e.g. Reverse DNS, WHOIS, Country, ASN, etc.). We will also display any Allow Lists the IP was found on, which may be of interest when determining a proper mitigation strategy. Note that although Allow Lists may be displayed, the corresponding set of IP events was still blocked, as evidenced by its appearance in the log.
- Date range - the first and last logged timestamp for the IP in the queried range
- Enforcer(s) - a list of Enforcers that blocked the IP event set
- Lists - the Block and Threat Lists the IP was found on
- Category | Score | Threshold - If the IP was on a Threat List the following will display:
  - Threat Category(s) for the IP
  - Threat Score(s) for the IP
  - Threshold(s) set in the outbound blocking policy for that Threat Category
  - The header row will be a roll-up of all categories/scores/thresholds of the child events
Note: A warning icon will display next to Fraudulent Activity and Proxy/VPN if the threshold set on either of these categories is less than 97. Our threat intelligence has found that these two categories are the most likely source of unexpected blocks, and setting both of them to 97 can help alleviate the unexpected blocks you may be experiencing.
To view an IP's child events, click on the chevron to the left of the IP address.
Each child row will display the event-specific data for that individual timestamp.
If you prefer viewing all Block Events by timestamp, click on the Ungroup icon and the table will list every event in reverse chronological order.
The Block Events table can also show two optional columns: the Reason the IP was blocked and the Policy that blocked it. To add (or remove) these columns, click on the column icon at the top of the far-right column and then select the column(s) you would like included in the Block Events table.
Mitigation Strategies
Once you have identified the blocked IP you want to act on, click on the Mitigate button in the far-right column.
Note: Mitigation can happen at the roll-up level or at the individual event level.
You will be presented with up to 3 mitigation options. Only the mitigation strategies relevant to the particular event or event set will be displayed, so you may see fewer than 3.
Adjust Thresholds
The Adjust Thresholds option will be presented if the IP meets all of the following criteria:
- It is on a Threat List
- It is categorized as Fraudulent Activity and/or Proxy/VPN
- The threshold for either of these two categories on the outbound blocking policy is less than 97
If this is the desired mitigation strategy, click on Adjust.
The outbound policies that blocked the IP will be selected by default. All other policies are also available to select.
Once the desired policy selections are made, click on the Adjust button. A confirmation modal will then display.
The Fraudulent Activity and Proxy/VPN category thresholds will now be set to 97 on the selected policies and enforced accordingly.
Enable threatER Allow List
If the IP is on any of threatER's out-of-the-box Allow Lists, this option will be presented along with the names of the lists that include the IP. An additional note will display if any of these lists is a CDN list.
If this is the desired mitigation strategy, click on Enable.
Select the Allow List(s) you would like to enable. The outbound policies that blocked the IP will be selected by default. All other policies are also available to select.
Once the desired policy selections are made, click on the Enable button. A confirmation modal will then display.
The selected Allow List(s) are now enabled on the selected policies, so the IP (which is already on those lists) will be allowed on the networks those policies enforce.
Add IP to (Manual) Allow List
This mitigation option has been available since the feature was first released and will always be offered. It gives you the flexibility to set an expiration date, or to remove the IP from your manual Allow List(s) at a later date.
If this is the desired mitigation strategy, click on Add.
Select the manual Allow list(s) to add the IP to.
The colored pips next to the Allow list names indicate the following:
- Green - The list is enforced by the policy that blocked the IP. Adding the IP to this list will allow it through the networks enforced by that policy.
- Grey - The list is enforced by one or more of your other policies, but not by the policy that blocked the IP. Adding the IP to this list will allow it only on the networks enforced by those other policies; the policy that blocked it will continue to block it.
- Red - The list is not enforced by any of your policies. Adding the IP to this list has no effect until the list is added to the policies of interest; the IP will continue to be blocked until then.
Make any necessary edits to the IP entry:
- Maskbits - default is 32 (a single IPv4 host)
- Description - default is "Added by Unexpected Blocks". We generally recommend that you update the description to something meaningful, such as the requesting end user, the website involved, and/or the discovery date.
- Expiration - default is "Never"; however, we generally recommend that you time-bound Allow List additions whenever feasible.
Once the list selections and entry edits are made, click on the Add button. A confirmation modal will then display.
The IP is now added to the selected Allow List(s) and will be allowed by the policies those lists are assigned to.
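The grouping and roll-up described under Block Events, the rules for which Mitigate options are offered (Adjust Thresholds, Enable threatER Allow List, Add IP to a manual Allow List), and the green/grey/red pip rule above, as one added Python illustration. This is not threatER's code or API: the event records, policy names, thresholds and Allow List names are constructed for the example, and the assumption that a Threat List match blocks when the IP's score is at or above the category threshold (so that raising the threshold to 97 reduces blocks) is not stated on this page.

```python
from collections import defaultdict

# Constructed sample of blocked outbound events (illustrative, not real threatER
# log output). Each record carries the per-event fields the Block Events table
# exposes: timestamp, destination IP, Enforcer, blocking policy, reason, lists.
EVENTS = [
    {"ts": "2024-10-17T09:02:11Z", "ip": "203.0.113.10", "enforcer": "enf-dc1",
     "policy": "outbound-default", "reason": "Threat list match",
     "lists": [{"name": "Threat Feed A", "kind": "threat", "category": "Proxy/VPN", "score": 85}]},
    {"ts": "2024-10-17T09:05:40Z", "ip": "203.0.113.10", "enforcer": "enf-dc2",
     "policy": "outbound-default", "reason": "Threat list match",
     "lists": [{"name": "Threat Feed A", "kind": "threat", "category": "Fraudulent Activity", "score": 90}]},
    {"ts": "2024-10-17T08:30:00Z", "ip": "198.51.100.7", "enforcer": "enf-dc1",
     "policy": "outbound-default", "reason": "Block list match",
     "lists": [{"name": "Custom Block List", "kind": "block"}]},
]

# Constructed policy configuration (hypothetical names). Assumption: a threat list
# match blocks when score >= category threshold, so raising it to 97 reduces blocks.
POLICY_THRESHOLDS = {
    "outbound-default": {"Proxy/VPN": 80, "Fraudulent Activity": 90, "Malware": 95},
    "outbound-guest": {"Proxy/VPN": 97, "Fraudulent Activity": 97, "Malware": 95},
}
THREATER_ALLOW_LISTS = {"203.0.113.10": ["CDN Providers"]}  # out-of-the-box lists per IP
CDN_LISTS = {"CDN Providers"}
ALLOW_LIST_POLICIES = {  # manual allow list -> policies that enforce it
    "Manual Allow - Corp": ["outbound-default"],
    "Manual Allow - Guest": ["outbound-guest"],
    "Manual Allow - Staging": [],
}
WARN_CATEGORIES = ("Fraudulent Activity", "Proxy/VPN")
RECOMMENDED_THRESHOLD = 97


def group_by_ip(events):
    """Build header rows: one per IP, newest group first, child events newest first."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    rows = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"], reverse=True)
        rollup = set()  # (category, score, policy, threshold) over all child events
        for ev in evs:
            for lst in ev["lists"]:
                if lst["kind"] == "threat":
                    thr = POLICY_THRESHOLDS[ev["policy"]].get(lst["category"])
                    rollup.add((lst["category"], lst["score"], ev["policy"], thr))
        rows.append({
            "ip": ip,
            "event_count": len(evs),
            "first_seen": evs[-1]["ts"],
            "last_seen": evs[0]["ts"],
            "enforcers": sorted({e["enforcer"] for e in evs}),
            "policies": sorted({e["policy"] for e in evs}),
            "lists": sorted({l["name"] for e in evs for l in e["lists"]}),
            "rollup": sorted(rollup),
            # warning icon: a warn category whose threshold on the blocking policy is below 97
            "warnings": sorted({c for c, _, _, t in rollup
                                if c in WARN_CATEGORIES and t is not None
                                and t < RECOMMENDED_THRESHOLD}),
            "events": evs,
        })
    rows.sort(key=lambda r: r["last_seen"], reverse=True)
    return rows


def mitigation_options(row):
    """Which of the three Mitigate options apply to a row (roll-up or single event)."""
    opts = []
    if row["warnings"]:  # threat-listed, warn category, threshold below 97
        opts.append("Adjust Thresholds")
    allow = THREATER_ALLOW_LISTS.get(row["ip"], [])
    if allow:
        note = " (includes a CDN list)" if CDN_LISTS & set(allow) else ""
        opts.append("Enable threatER Allow List: " + ", ".join(allow) + note)
    opts.append("Add IP to (Manual) Allow List")  # always offered
    return opts


def adjust_thresholds(thresholds, policies):
    """Copy of the thresholds with both warn categories raised to 97 on the chosen policies."""
    updated = {p: dict(cats) for p, cats in thresholds.items()}
    for p in policies:
        for cat in WARN_CATEGORIES:
            updated[p][cat] = RECOMMENDED_THRESHOLD
    return updated


def pip_color(list_name, blocking_policies):
    """Green/grey/red pip for a manual allow list relative to the policies that blocked the IP."""
    enforced_by = set(ALLOW_LIST_POLICIES.get(list_name, []))
    if enforced_by & set(blocking_policies):
        return "green"  # adding the IP unblocks it on the blocking policy's networks
    if enforced_by:
        return "grey"   # unblocks it only on the other policies' networks
    return "red"        # list enforced nowhere: the IP stays blocked


if __name__ == "__main__":
    for row in group_by_ip(EVENTS):
        print(row["ip"], row["event_count"], row["enforcers"], row["rollup"], row["warnings"])
        print("  options:", mitigation_options(row))
        print("  pips:", {n: pip_color(n, row["policies"]) for n in ALLOW_LIST_POLICIES})
```

Running the script groups the two 203.0.113.10 events into one header row with both warn categories flagged (their thresholds of 80 and 90 on the blocking policy are below 97), offers all three mitigation options for it, and offers only the manual Allow List option for the block-list hit. The pip classification uses only the policies that actually blocked the IP, which is why a list enforced elsewhere comes out grey rather than green.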
--------------------------------------------------------------------------------------------
REMINDER: All Enforcers must be on Enforce Build 240 or greater to use the Unexpected Blocks feature, but we recommend upgrading your Enforcers to Build 254 or greater for a more performant Unexpected Blocks experience.