From time to time, you may experience websites being blocked unexpectedly. What is the difference between an unexpected block and a false positive? This distinction matters, and understanding it will help you determine the best course of action to resolve the issues you experience.
“Unexpected blocks” is an umbrella term for false positives, misunderstood indicators, and blocked malicious traffic on a site you weren’t expecting to be blocked. While many use the terms “false positive” and “unexpected block” interchangeably, false positives are only one kind of unexpected block, so a blocked connection should not automatically be allowed through. For an in-depth look at Unexpected Blocks, we encourage you to read “The Truth About Unexpected Blocks”, an insightful blog post from our CTO.
The following are our recommended steps for handling a connection to a website that is being blocked unexpectedly.
Step One - Utilize Unexpected Blocks feature in the threatER portal
You can now find our super handy Unexpected Blocks feature in the threatER portal. This feature allows you to retrieve outbound Port 80 and 443 traffic logs from your Enforcer. The logs retrieved include the pertinent data to identify the problematic IP and make an informed decision on whether the IP should be allowed. From there it is one simple click to add the IP in question to your allow list.
We strongly recommend using the Unexpected Blocks feature as the first step towards resolving the issue. Additional details and instructions on how to use the feature are available on our threatER portal support site.
Step Two - Adjust the Risk Thresholds in your Outbound policy
Recently, threatER updated our recommended Risk Threshold settings for Outbound policies. Through research, we have determined that the Fraudulent Activity and Proxy/VPN categories are the most likely to be the cause of problems with unexpected blocks. To address this, we recommend that any customer experiencing problems with unexpected blocks edit their Outbound policy and set the risk thresholds for these two categories to 97.
To do this, log into the threatER portal. Within Enforce, go to Policies in the horizontal menu. Click the vertical ellipsis on the right side of the row for your outbound policy. Select the tile for “Risk Thresholds”. Locate the Fraudulent Activity and Proxy/VPN categories and set the threshold for the two categories to 97.
As a reminder, we do recommend enabling all categories. For categories other than Fraudulent Activity and Proxy/VPN, we recommend customers start at a threshold of 95 and, over time, test lowering these thresholds as low as they are comfortable with.
Additional details and instructions on how to use the Risk Thresholds are available on our threatER portal support site.
Step Three - Locating blocked IPs and adding them to your allow list
Our Enforce software does not perform packet decryption, meaning that if DNS encryption is used for the connection request, our software will likely not be able to see the domain associated with the external site. For this reason, we recommend looking up the IP address(es) associated with the site as the next step. Finding the IP addresses associated with the website can be done in a few easy steps.
First, perform an nslookup for the domain. We recommend using the Google Admin Toolbox to do this (an A record lookup).
Next, using the CDN Finder tool, look up the domains for all CDNs and secondary hosts for the website being blocked. Then do an nslookup for these domains as well.
Take the IP(s) associated with the domain as found above and add it to a manual Allow List in the threatER Portal. Make sure the Allow List you add it to is enabled in your active policies.
For informational purposes, you can also look up the IP using the IP/Domain Indicator Search in the Portal. Click on the magnifying glass icon at the top right of the page. This will tell you if the IP appears on our third-party Threat Lists or any Block Lists available to customers out of the box.
When adding an IP to a manual Allow List, you can use the maskbit field to add a range of IPs. This step is not recommended unless you are sure the full range of IPs is safe to allow. If you are confident there is a pool of IPs being used for a specific service and not being used by other parties (like cloud-hosted sites which bad actors can infiltrate), then this is an option to consider.
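Before using the maskbit field, it helps to see exactly how many addresses a given range would open beyond the IPs your nslookups returned. The following added example (not threatER's code; the IPs are constructed from a documentation range) takes the resolved IPs and a proposed maskbit and reports the resulting network, which resolved IPs it covers, and how many other addresses it would also allow.

```python
import ipaddress

# Constructed sample: IPv4 addresses an nslookup might return for a site and its CDN hosts.
RESOLVED_IPS = ["203.0.113.10", "203.0.113.12", "203.0.113.45"]


def summarize_allow_range(resolved_ips, maskbit):
    """Describe the allow-list entry that <lowest resolved IP>/<maskbit> would create.

    Returns the network, the resolved IPs it covers, those it misses, and how many
    addresses beyond the resolved ones the entry would also allow ("extra_addresses").
    """
    addrs = sorted({ipaddress.ip_address(ip) for ip in resolved_ips})
    # strict=False clears the host bits so the range is anchored on the lowest address.
    net = ipaddress.ip_network(f"{addrs[0]}/{maskbit}", strict=False)
    covered = [str(a) for a in addrs if a in net]
    not_covered = [str(a) for a in addrs if a not in net]
    return {
        "network": str(net),
        "covered": covered,
        "not_covered": not_covered,
        "extra_addresses": net.num_addresses - len(covered),
    }


def smallest_covering_maskbit(resolved_ips):
    """Longest prefix (largest maskbit) that still places every resolved IP in one range."""
    addrs = [ipaddress.ip_address(ip) for ip in resolved_ips]
    # Start at a single host (/32 for IPv4) and widen one bit at a time.
    for bits in range(addrs[0].max_prefixlen, -1, -1):
        net = ipaddress.ip_network(f"{addrs[0]}/{bits}", strict=False)
        if all(a in net for a in addrs):
            return bits
    return 0


if __name__ == "__main__":
    bits = smallest_covering_maskbit(RESOLVED_IPS)
    print(f"Smallest single range covering all resolved IPs: maskbit {bits}")
    for candidate in (32, bits):
        print(summarize_allow_range(RESOLVED_IPS, candidate))
```

A large "extra_addresses" value is the signal to add the individual IPs instead of a range, unless you know the whole pool belongs to the service in question.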
If following the steps above and adding the IP(s) to an Allow List does not resolve this issue, continue with the additional steps below. Note that adding a domain to a Domain Allow list will likely not resolve the issue. See our helpdesk article regarding Blocking and Allowing by Domain as well as our Enforce Policy Enforcement guide for details.
Step Four - Review packet logs in the Enforce Software UI
If you have looked up the IPs that are used to fully resolve the website using the steps above, added them to an allow list, and are still having an issue, the next step would be to review the logs in your threatER Enforce software UI. After logging into the Enforcer software UI, go to Logging > Internal Logs in the left menu. The default view on the Internal Logs page displays the Packet logs, which are the logs you'll want to review. Within the filter controls on the Packet logs, change the direction filter from All to Outbound and the verdict filter from All to Deny (which shows blocked connections). See the screenshot below for assistance.
Open a separate browser window (side by side with the browser you are using to review the logs, if possible). In this window, go to the website that you are trying to access, and use the browser tools to reload the page very quickly 8 to 10 times. Then go to the Internal Logs page in the other window and click the Reset link (as seen in the screenshot below) to reload the log data.
In the log data, look for a connection to the same Destination IP that is repeated multiple times in a row. Take this IP and add it to your desired manual Allow List to see if this resolves the issue.
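When the page reloads produce many rows, the repeated Destination IP can be picked out programmatically. The following added example (not Enforce's own export format or code; the CSV layout and log lines are constructed for illustration) applies the same Outbound plus Deny filter as the UI and then reports any destination that appears several times in a row.

```python
import csv
import io
from itertools import groupby

# Constructed sample in an assumed CSV layout. It is NOT the real Enforce packet-log
# format; adapt the column names to whatever the Internal Logs page actually exports.
SAMPLE_LOG = """time,direction,verdict,src,dst,dport,reason
10:00:01,Outbound,Allow,10.0.0.5,198.51.100.7,443,-
10:00:02,Inbound,Deny,192.0.2.9,10.0.0.5,22,Country
10:00:03,Outbound,Deny,10.0.0.5,203.0.113.45,443,Proxy/VPN
10:00:03,Outbound,Deny,10.0.0.5,203.0.113.45,443,Proxy/VPN
10:00:04,Outbound,Deny,10.0.0.5,203.0.113.45,443,Proxy/VPN
10:00:04,Outbound,Deny,10.0.0.5,198.51.100.20,80,Fraudulent Activity
10:00:05,Outbound,Deny,10.0.0.5,203.0.113.45,443,Proxy/VPN
"""


def blocked_outbound(log_text):
    """The rows the UI shows with direction=Outbound and verdict=Deny, in log order."""
    rows = csv.DictReader(io.StringIO(log_text))
    return [r for r in rows if r["direction"] == "Outbound" and r["verdict"] == "Deny"]


def repeated_destinations(log_text, min_run=3):
    """Return (dst, run_length, reason) for each destination IP that is denied
    min_run or more times consecutively: the pattern that rapid page reloads create."""
    hits = []
    for dst, group in groupby(blocked_outbound(log_text), key=lambda r: r["dst"]):
        run = list(group)
        if len(run) >= min_run:
            hits.append((dst, len(run), run[0]["reason"]))
    return hits


if __name__ == "__main__":
    for dst, count, reason in repeated_destinations(SAMPLE_LOG):
        print(f"{dst}: denied {count} times in a row ({reason}); candidate for the Allow List")
```

The reason column tells you which category or list caused the block, which is what you need for Step Two or for the change request described under "Reporting an issue".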
Step Five - Adding a domain to an allow list
As mentioned above, due to DNS encryption our Enforce software will not always be able to see the domain of the external site. However, in some cases the software will be able to see the DNS. In these cases, it is possible to add the domain to a domain allow list. We recommend caution when allowing a domain, as there is very likely a good reason it was added to a domain block list.
In the event you do need to allow by domain, take the domain, or sub-domain, that you wish to allow and add it to a manual Domain Allow List in the threatER Portal. Make sure the Allow List you add it to is enabled for your active outbound policy or policies.
Step Six - Allow traffic from a specific Country in your Outbound policy
If you notice outbound connections being blocked due to the country the website is hosted in, you may consider unblocking the country in question in your policies. Details on managing country blocking in your policies are available in our policy documentation.
Step Seven - Enable a CDN allow list in your Outbound policy
If you notice outbound connections being blocked and the host is a CDN provider, you may consider enabling an allow list for the CDN provider in your policies. Allow lists are currently available for the following CDN hosts: Akamai, Amazon Cloudfront, Cloudflare CDN, and Fastly.
Additional details and instructions on how to enable or disable lists within your policies are available on our threatER portal support site.
Step Eight - Allow an ASN in your Outbound policy
If the traffic being blocked is coming from a single ASN (an autonomous system, the set of IP ranges managed by one network operator), and it is an ASN you trust (or an ASN specific to the company/service you are using), you can consider allowing all traffic for the ASN in the threatER portal, temporarily or otherwise.
In the threatER Portal, within Enforce select Policies from the menu. Click on the name of the Outbound policy. On the Outbound policy page, click on the edit icon for the ASN section. Search for the name of the ASN (e.g. "Docusign") and hit enter. Select Allow and click Save. This will ensure that any connection from an IP associated with the ASN will be allowed. Use caution as this will open up connections for all IPs hosted by the ASN, which could be a security risk.
Additional details and instructions on how to block and allow by ASNs are available on our threatER portal support site.
Step Nine - Temporarily utilize an Allow All policy for Outbound traffic
If all of the above fails to address your issue, the best emergency solution is to change the linked policy in your Network from the current policy to the Allow All policy. Use caution as this will allow absolutely everything, meaning your unexpected block problem will go away, but no protection will exist for any outbound traffic whatsoever. Details and instructions on how to edit your Network to change the associated policy are available on our threatER portal support site.
Reporting an issue
If you have found a website that is being blocked due to an IP included in the Webroot BrightCloud threat list and you believe it should not be, you can submit a change request at the following link - https://www.brightcloud.com/tools/change-request.php. If you have found a website that is being blocked due to an IP included in another threat or block list and you believe it should not be, please send an email to support@threater.com and provide the IP being blocked, the domain of the site you are trying to reach, and the list it appears on and we will reach out to our threat intelligence partner to address the issue.
Our support team is available to assist you with these issues and more. Reach out to us at support@threater.com or call us at 1-855-765-4925, ext. 2.
Feedback
We want to hear from you! Do you have feedback on our features designed to help with resolving issues with unexpected blocks? Is our documentation helpful, and does it provide you with the tools and recommendations to resolve these issues? How do you troubleshoot and use our threatER platform to resolve issues with unexpected blocks? Are there specific publicly accessible resources on the internet that you’ve used to create and incorporate your own allow lists? Do you have any tips or suggestions to share with us? How can we do a better job of supporting you? Please let us know!
Please reach out to our Customer Success team at customersucess@threater.com to give your feedback, share your process and tips, and help us help you and others.