The following steps are best practices for handling a situation when a connection to a website is being blocked unexpectedly:
Add Blocked IPs to Allow List
The first option should always be to add IPs being blocked to an Allow List in the Threater Portal, whenever possible. Recommended steps are:
Perform an nslookup for the domain. We recommend using the Google Admin Toolbox to do this (A name lookup).
Using the CDN Finder tool, look up the domains for all CDNs and secondary hosts for the website being blocked. Then do an nslookup for these domains as well.
Take the IP(s) associated with the domain as found above and add it to a manual Allow List in the Threater Portal. Make sure the Allow List you add it to is enabled in your active policies.
For informational purposes, you can also look up the IP using the IP/Domain Indicator Search in the Portal. Click on the magnifying glass icon at the top right of the page. This will tell you if the IP appears on our third-party Threat Lists or any Block Lists available to customers out of the box.
If following the steps above and adding the IP(s) to an Allow List does not resolve this issue, continue with the additional steps below. Note that adding a domain to a Domain Allow list will likely not resolve the issue. See our helpdesk article regarding Blocking and Allowing by Domain as well as our Enforce Policy Enforcement guide for details.
Review Packet Logs via Threater Enforce Software UI
If you have looked up the IPs that are used to fully resolve the website using the steps above, added them to an allow list, and are still having an issue, the next step would be to review the logs in your Threater Enforce software UI. After logging into the Enforcer software UI, go to Logging > Internal Logs in the left menu. The default view on the Internal Logs page displays the Packet logs, which are the logs you'll want to review. Within the filter controls on the Packet logs, change the direction filter from All to Outbound and the verdict filter from All to Deny (which shows blocked connections). See the screenshot below for assistance.
Open a separate browser window (side by side with the browser you are using to review the logs, if possible). In this window, go to the website that you are trying to access, and use the browser tools to reload the page very quickly 8 to 10 times. Then go to the Internal Logs page in the other window and click the Reset link (as seen in the screenshot below) to reload the log data.
In the log data, look for a connection to the same Destination IP that is repeated multiple times in a row. Take this IP and add it to your desired manual Allow List to see if this resolves the issue.
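To show the log-review step in code, the following is an added example (not Threater's own code or log format) that filters exported packet-log lines to Outbound/Deny, the same filter the steps above apply in the UI, and counts which destination IPs are blocked repeatedly after the page reloads. The log line layout and every address in it are constructed for this example; the real Enforce export format is not shown on this page, so parse_line() would need adjusting to match it.

```python
"""Triage packet-log lines for the repeatedly blocked destination IP.

Added example, not Threater's own code.  The field layout below
(dir=, verdict=, src=, dst=, list=) is an assumption made for this
example and the sample lines are constructed.
"""
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample: what a Packet-log view might contain after reloading a
# blocked page several times.  Only Outbound/Deny lines are of interest.
SAMPLE_LOG = """\
2024-05-01T10:00:01 dir=Outbound verdict=Deny src=10.0.0.15 dst=203.0.113.10 list=ThreatList-A
2024-05-01T10:00:01 dir=Outbound verdict=Allow src=10.0.0.15 dst=198.51.100.7 list=-
2024-05-01T10:00:02 dir=Outbound verdict=Deny src=10.0.0.15 dst=203.0.113.10 list=ThreatList-A
2024-05-01T10:00:02 dir=Inbound verdict=Deny src=192.0.2.44 dst=10.0.0.15 list=Country-Block
2024-05-01T10:00:03 dir=Outbound verdict=Deny src=10.0.0.15 dst=203.0.113.10 list=ThreatList-A
2024-05-01T10:00:03 dir=Outbound verdict=Deny src=10.0.0.15 dst=203.0.113.12 list=ThreatList-A
2024-05-01T10:00:04 dir=Outbound verdict=Deny src=10.0.0.15 dst=203.0.113.10 list=ThreatList-A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+dir=(?P<dir>\w+)\s+verdict=(?P<verdict>\w+)"
    r"\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+list=(?P<list>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        ip_address(rec["dst"])  # reject lines whose destination is not an IP
    except ValueError:
        return None
    return rec


def blocked_outbound(log_text):
    """Apply the same filter as the UI: direction=Outbound, verdict=Deny."""
    records = (parse_line(line) for line in log_text.splitlines())
    return [r for r in records if r and r["dir"] == "Outbound" and r["verdict"] == "Deny"]


def repeated_destinations(records, min_hits=3):
    """Return (dst_ip, hit_count, lists_that_blocked_it) for IPs blocked at least min_hits times."""
    hits = Counter(r["dst"] for r in records)
    lists = {}
    for r in records:
        lists.setdefault(r["dst"], set()).add(r["list"])
    return [(ip, n, sorted(lists[ip])) for ip, n in hits.most_common() if n >= min_hits]


def allow_list_candidates(log_text, min_hits=3):
    """IPs worth trying in a manual Allow List, most-blocked first."""
    return [ip for ip, _, _ in repeated_destinations(blocked_outbound(log_text), min_hits)]


if __name__ == "__main__":
    for ip, n, lists in repeated_destinations(blocked_outbound(SAMPLE_LOG)):
        print(f"{ip}: {n} blocked outbound connections (lists: {', '.join(lists)})")
```

The min_hits threshold is a local choice: with 8 to 10 reloads, the destination that carries the page will show up many more times than a one-off block from an unrelated tracker or ad host, and the list column tells you which list to check in the Indicator Search before allowing the IP.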
Websites using Rotating IPs or IP Blocks
It is not uncommon for websites that are hosted in the cloud or services run by specific companies or products to use rotating IPs or pull from a block of assigned IPs. After taking the steps above to identify the IPs that are being blocked in the logs, you can utilize the following options to help overcome the issue.
Add an IP Range to an Allow List
When adding an IP to a manual Allow List, you can use the maskbit field to add a range of IPs. This step is not recommended unless you are sure the full range of IPs is safe to allow. If you are confident there is a pool of IPs being used for a specific service and not being used by other parties (like cloud-hosted sites which bad actors can infiltrate), then this is an option to consider.
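Because a maskbit entry allows every address in the prefix, not just the ones seen in the logs, it helps to measure how wide the range would be before saving it. The following is an added example (not Threater's own code) that computes the smallest CIDR covering a set of blocked IPs, reports how many never-observed addresses that entry would also allow, and lists the exact per-IP entries as the narrower alternative. The addresses are constructed sample data.

```python
"""Measure how much a maskbit (CIDR) allow entry would open.

Added example, not Threater's own code.  Sample addresses are constructed.
"""
from ipaddress import ip_address, ip_network, collapse_addresses


def covering_prefix(ips):
    """Smallest single CIDR that contains every IP in the list."""
    addrs = sorted(ip_address(ip) for ip in ips)
    if not addrs:
        raise ValueError("no addresses given")
    if len({a.version for a in addrs}) != 1:
        raise ValueError("mixed IPv4 and IPv6 addresses")
    net = ip_network(str(addrs[0]))  # starts as a /32 (or /128)
    while addrs[-1] not in net:      # widen until the highest address fits
        net = net.supernet()
    return net


def range_report(ips):
    """Describe a maskbit entry covering the IPs and what else it would allow."""
    net = covering_prefix(ips)
    unique = {ip_address(ip) for ip in ips}
    exact = collapse_addresses(ip_network(str(a)) for a in unique)
    return {
        "entry": str(net),                     # what the maskbit entry would be
        "maskbit": net.prefixlen,
        "addresses_allowed": net.num_addresses,
        "unobserved_allowed": net.num_addresses - len(unique),
        "exact_entries": [str(n) for n in exact],  # narrowest alternative
    }


if __name__ == "__main__":
    # Three blocked IPs from the same small pool: a /29 covers them.
    print(range_report(["203.0.113.10", "203.0.113.12", "203.0.113.13"]))
    # Two IPs far apart in a /24: the covering entry allows 254 unseen hosts.
    print(range_report(["198.51.100.3", "198.51.100.200"]))
```

If unobserved_allowed is large relative to the handful of IPs you actually saw blocked, prefer the exact_entries (individual IPs or small aggregates) over the single covering prefix, unless you have confirmed the whole pool belongs to the service in question.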
Blocked by Single ASN
If the traffic being blocked is coming from a single ASN (an autonomous system managed by a host), and it is an ASN you trust (or an ASN specific to the company/service you are using), you can consider temporarily allowing all traffic for the ASN using Risk Thresholds in the ThreatBlockr admin console. To do this:
In the Threater Portal, click on IPs by ASN in the left menu and then select ASN. Search for the name of the ASN (e.g. "Docusign") and press Enter. Select Allow and click Save. This will ensure that any connection from an IP associated with the ASN will be allowed. Use caution, as this will open up connections for all IPs hosted by the ASN, which could be a security risk.
Edit your Outbound Policy
Another option is to temporarily edit the policy being used to adjust a specific area of blocking. This is done within the ThreatBlockr admin console by clicking on Policies in the left menu and selecting Edit on the Policy line.
IPs by Country - temporarily unblock the country in question in your policies in the Portal, or use risk thresholds to lower the scores associated with IPs on threat lists for specific countries.
Block Lists - temporarily disable individual block lists causing issues, or temporarily disable all in the Portal.
Threat Lists - temporarily adjust the risk thresholds for categories in the Portal. We recommend just making the adjustment to your Outbound policy, leaving your Inbound policy as is. When making an adjustment, try raising the threshold slightly at first (e.g. moving from 90 to 92 or 95) to see if this resolves your issue. As a last resort, you could consider disabling a specific category that is causing issues with unexpected blocking - though that is not something we would typically recommend. Note that there isn't currently a way to disable an individual threat list, and any adjustment to the risk thresholds will impact protection for both the Webroot and Proofpoint threat feeds.
Allow All Policy
If all of the above fails to address your issue, the best emergency solution is to change the linked policy on the ThreatBlockr appliance from the current policy to the Allow All policy. Note that Domain Block lists will still be enforced, so if desired you'll need to disable them on the Domain Block List page in the Portal.
Lastly, if there is still a problem while the Enforcer is using an Allow All policy, the final solution is to place the device in bypass mode. The reason for moving to an Allow All policy first rather than simply placing the device into Bypass mode is that traffic continues to be logged in Allow All mode, whereas in Bypass mode it is not logged. When we get to this point, it may require troubleshooting relating to a hardware issue.
Reporting an Issue
If you have found a website that is being blocked due to an IP included in the Webroot BrightCloud threat list and you believe it should not be, you can submit a change request at the following link - https://www.brightcloud.com/tools/change-request.php. If you have found a website that is being blocked due to an IP included in another threat or block list and you believe it should not be, please send an email to email@example.com and provide the IP being blocked, the domain of the site you are trying to reach, and the list it appears on and we will reach out to our threat intelligence partner to address the issue.
If you have any questions or need further assistance, please reach out to our support team at firstname.lastname@example.org or call us at 1-855-765-4925, ext. 2.