In this article, we're going to show you how the reputation services (IP Reputation, URL Threat Filter and DNS Threat Filter) work and how they are used.
Table of Contents
1) IP Reputation
1a) IP Reputation - how does it work?
1b) IP Reputation - how is it used?
2) DNS Threat Filter
2a) DNS Threat Filter - What is it?
2b) DNS Threat Filter - How is it used?
3) URL Threat Filter
3a) URL Threat Filter - what is it?
3b) URL Threat Filter - How is it used?
4) Encountering potential problems with the filter?
When it comes to the Reputation Filter (enabled by default), we need to consider that we are talking about 3 services:
- IP Reputation
- DNS Threat Filter
- URL Threat Filter
Note! These services require a license and can only be applied on the ATP series.
1) IP Reputation
1a) IP Reputation - how does it work?
IP Reputation blocks IP addresses based on the categorization and databases that are known on the internet. If an IP is known to have been, for example, port scanning firewalls before, it will have a bad reputation, and the firewall will automatically block that IP once it tries to access the firewall.
1b) IP Reputation - how is it used?
By default, all the cyber threat categories are ticked and should be left like that. However, the database can sometimes be missing some categorizations, which leads to IPs getting blocked that should not be blocked. In that case, you need to create an "Allow List" by enabling the white list and then adding the IPs you want.
You can also create a block list, as well as an external block list where you can import a (*.txt) file with the IP entries separated by new lines, each in either IP format or CIDR format.
2) DNS Threat Filter
2a) DNS Threat Filter - What is it?
The DNS Threat Filter blocks domain names based on the categorization and databases that are known on the internet. If a domain is already known to be used for, e.g., phishing, the firewall will automatically block that domain once a user tries to access that domain name.
2b) DNS Threat Filter - How is it used?
The DNS Threat Filter works like IP Reputation: you can allow and block malicious websites based on their known domain names. You can enable this service to block malicious domains by, for example, redirecting the users to another site. By default the DNS Threat Filter is off; enable it by ticking the box.
Note! There is no possibility to create an external block list for importing a DNS list.
If you are experiencing problems with the DNS Threat Filter, you can set "log" to yes to make troubleshooting easier.
3) URL Threat Filter
3a) URL Threat Filter - what is it?
The URL Threat Filter blocks specific URLs based on the categorization and databases that are known on the internet. If a URL is already known to be, e.g., malicious, the firewall will automatically block that domain once a user tries to access that domain name.
3b) URL Threat Filter - How is it used?
The URL Threat Filter works like IP Reputation: you can allow and block malicious URLs based on the known URLs found in the database. You can enable this service to block malicious URLs by, for example, redirecting the users to another site. By default the URL Threat Filter is off; enable it by ticking the box.
You can also create a block list, as well as an external block list where you can import a (*.txt) file with the entries separated by new lines, each in either complete URL format or as a hostname with a wildcard.
Note! If the document contains an invalid entry, the firewall will not use the file. The block list can contain up to 50 000 entries (a warning is displayed if the maximum is reached).
If you are experiencing problems with the URL Threat Filter, you can set "log" to yes to make troubleshooting easier.
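Because one invalid entry makes the firewall ignore the whole file, it helps to check an external block list (the IP/CIDR list from section 1b or the URL list above) before importing it. The following Python check is an added example, not vendor code; the article does not spell out the exact syntax the firewall accepts, so the "*." wildcard form, the http/https restriction, treating blank lines as invalid and applying the 50 000 limit to IP lists are all assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

MAX_ENTRIES = 50_000  # article's limit (URL section); assumed for IP lists too
# Assumed hostname syntax: optional leading "*." wildcard, then DNS labels.
HOST_RE = re.compile(
    r"^(\*\.)?([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def valid_ip_entry(entry):
    """True for a single IP address or a CIDR network with zero host bits."""
    _, slash, prefix = entry.partition("/")
    if slash and not prefix.isdigit():
        return False  # netmask notation (10.0.0.0/255.0.0.0) is not CIDR
    try:
        ipaddress.ip_network(entry, strict=True)
        return True
    except ValueError:
        return False

def valid_url_entry(entry):
    """True for a complete http(s) URL or a hostname with optional wildcard."""
    if re.search(r"\s", entry):
        return False
    if "://" not in entry:
        return bool(HOST_RE.match(entry))
    try:
        parts = urlsplit(entry)
        return parts.scheme in ("http", "https") and bool(parts.hostname)
    except ValueError:
        return False

def lint_blocklist(text, kind):
    """Return [(line_no, entry, reason)]; an empty list means nothing to fix."""
    check = valid_ip_entry if kind == "ip" else valid_url_entry
    problems, count = [], 0
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:  # blank lines are assumed to count as invalid entries
            problems.append((line_no, raw, "blank line"))
        elif not check(entry):
            problems.append((line_no, entry, "invalid %s entry" % kind))
        else:
            count += 1
    if count > MAX_ENTRIES:
        problems.append((0, "", "%d entries exceed %d" % (count, MAX_ENTRIES)))
    return problems
# Constructed sample files (documentation address ranges, example domains).
SAMPLE_IP = "192.0.2.10\n198.51.100.0/24\n203.0.113.5/24\n10.0.0.0/255.0.0.0\n"
SAMPLE_URL = "http://example.com/bad/page.html\n*.example.net\nexample .org\n"
```

Call lint_blocklist(text, "ip") or lint_blocklist(text, "url") on the file contents; each reported tuple names the line to fix before the import.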
4) Encountering potential problems with the filter?
I cannot access a web page. How can I see whether, e.g., a URL is blocked by the URL Threat Filter?
1. Go to MONITOR > Security Statistics > Reputation Filter, enable "Collect Statistics" and access the web site again. Please also note the URL of the website.
2. Check the list of URLs detected.
3. Go to MONITOR > Log > View Log, select the category "URL Threat Filter" and look at the pages being blocked.