Configuring Threat Prevention in SD-WAN Router

Overview

Threat Prevention is a lightweight security feature that uses real-time threat intelligence powered by Webroot Brightcloud to block high-risk Internet traffic. Threat Prevention blocks Internet hosts that may be associated with Spam, Mobile Threats, Tor Proxy, Keyloggers, Malware, Spyware, Windows Exploits, Web Attacks, Botnets, Scanners, Denial of Service, Reputation, Phishing, or Compromised Proxy.

URL Reputation versus IP Reputation
Threat Prevention uses two types of reputation lookups depending on the type of traffic. For outgoing HTTP or HTTPS traffic, Threat Prevention uses the URL reputation lookup. For all other network traffic, Threat Prevention uses the IP reputation lookup.

Enabling or Disabling Threat Prevention
Threat Prevention is enabled by default and blocks Internet IP addresses with a High Risk reputation. You can manage the Threat Prevention service in Settings > Services > Threat Prevention.

[Image: sdwr-tp-main.png]

Adjusting the block sensitivity
To increase the sensitivity of Threat Prevention, move the slider to the right.
Note: Blocking Suspicious and Moderate Risk IP addresses may also block some legitimate Internet traffic, so raise the sensitivity with caution.

Redirecting users to a block page
Threat Prevention applies to all types of network traffic in both directions. For outgoing HTTP / HTTPS traffic, you have the option to redirect the user’s web browser to a block page if the IP address is blocked. Otherwise, Threat Prevention rejects the connection and the web browser returns a general connection failure message to the user.

To enable the redirect for web based Internet traffic, toggle Enable HTTP/HTTPS redirect for blocked pages.

Note: For HTTPS traffic, the redirect causes web browsers to show the user a certificate security warning before proceeding to the denial page, because the router cannot present a certificate valid for the requested site. Therefore, the redirect option may not be desirable in most cases.

Managing Access to the Block Page
If you enable the option to redirect users to a block page, SD-WAN Router enables two access rules permitting access to the denial page from local networks. You can manage these rules in Settings > Firewall > Access.

Adding IP Addresses to the Pass List
You can create exceptions so that specific IP addresses are excluded from Threat Prevention. To add a host to the Pass List:

  1. Click Add.
  2. In the CIDR field, enter an IP address or network in CIDR format (e.g. 192.168.100.0/24). To add a single host, specify a 32-bit subnet mask (e.g. 8.8.8.8/32).
  3. Enter a Description for your pass host.
  4. Click Add and Save to confirm the changes.

[Image: sdwr-tp-passlist.png]
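The following is an added example, not part of the original article or of the SD-WAN Router code, that models the decision flow described above: a Pass List check on CIDR entries, a URL reputation lookup for outgoing HTTP/HTTPS and an IP reputation lookup for everything else, a sensitivity threshold, and the redirect-or-reject choice for blocked web traffic. The reputation tables, the numeric scores and the per-level score ceilings are constructed assumptions for illustration; the article does not document Brightcloud's scoring ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed reputation data standing in for the Brightcloud lookups the router
# performs. Scores and thresholds are assumptions for this example only.
URL_REPUTATION = {
    "http://malware.example.test/payload": 10,
    "https://shop.example.test/": 85,
}
IP_REPUTATION = {
    "203.0.113.10": 15,   # High Risk (assumed score)
    "203.0.113.20": 35,   # Suspicious (assumed score)
    "203.0.113.30": 55,   # Moderate Risk (assumed score)
    "198.51.100.5": 90,   # Trustworthy (assumed score)
}

# Slider positions: each level blocks everything scored at or below its ceiling,
# so "suspicious" also blocks High Risk, and "moderate_risk" blocks all three.
SENSITIVITY_CEILING = {
    "high_risk": 20,
    "suspicious": 40,
    "moderate_risk": 60,
}


@dataclass
class Flow:
    dst_ip: str
    dst_port: int
    url: Optional[str] = None   # set only for outgoing HTTP/HTTPS requests


def build_pass_list(entries):
    """Parse Pass List entries as the dialog accepts them (e.g. 192.168.100.0/24, 8.8.8.8/32)."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def in_pass_list(ip, pass_list):
    """True if the destination falls inside any Pass List network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in pass_list)


def lookup_score(flow):
    """URL reputation for outgoing HTTP/HTTPS, IP reputation for all other traffic.

    Unknown hosts default to 100 (trustworthy) in this toy; that default is an
    assumption, not documented router behaviour.
    """
    if flow.url is not None and flow.dst_port in (80, 443):
        return "url", URL_REPUTATION.get(flow.url, 100)
    return "ip", IP_REPUTATION.get(flow.dst_ip, 100)


def decide(flow, sensitivity, pass_list, redirect_enabled=False):
    """Return (action, reason) where action is allow, reject or redirect."""
    if in_pass_list(flow.dst_ip, pass_list):
        return "allow", "pass-list"
    kind, score = lookup_score(flow)
    if score <= SENSITIVITY_CEILING[sensitivity]:
        # Only web traffic can be sent to the block page; other protocols are rejected.
        if kind == "url" and redirect_enabled:
            return "redirect", f"{kind} score {score}"
        return "reject", f"{kind} score {score}"
    return "allow", f"{kind} score {score}"


if __name__ == "__main__":
    pl = build_pass_list(["192.168.100.0/24", "203.0.113.10/32"])
    print(decide(Flow("203.0.113.10", 22), "high_risk", pl))
    print(decide(Flow("203.0.113.20", 22), "suspicious", []))
    print(decide(Flow("198.51.100.5", 80, url="http://malware.example.test/payload"),
                 "high_risk", [], redirect_enabled=True))
```

Note how the Pass List is consulted before any reputation lookup, so an exempted host is never blocked regardless of score, and how the same destination IP can be allowed on one port yet blocked on port 80 because the URL, not the address, is what gets scored for web traffic.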

Looking up IP Addresses
You can check the reputation of an IP address using the Threat Lookup dialog.
Note: The Threat Lookup feature uses the URL reputation lookup and therefore reflects the score assigned specifically to outgoing HTTP / HTTPS network traffic. If you wish to check the IP reputation score, you can use the Brightcloud online lookup tool.

[Image: sdwr-tp-lookup.png]

Reviewing blocked IP Addresses in Reports
You can view reports of blocked IP addresses in Reports. These include a searchable list of blocked IP addresses, a chart of the top blocked addresses, and a graph of blocked addresses over time. The details of each event include a timestamp, the offending IP address, and the reputation score.
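As an added example (not part of the original article and not router output), the script below builds the two aggregate views the Reports section describes from the per-event fields it lists: the top blocked addresses and a blocked-over-time series. The event records are constructed sample data in an assumed "timestamp IP score" layout; the router's actual export format is not documented on the page.

```python
from collections import Counter
from datetime import datetime

# Constructed blocked-event records (timestamp, offending IP, reputation score).
# The line layout is an assumption for this example, not the router's format.
BLOCKED_EVENTS = """\
2024-05-01T08:02:11Z 203.0.113.10 12
2024-05-01T08:17:45Z 203.0.113.10 12
2024-05-01T08:41:03Z 203.0.113.22 18
2024-05-01T09:05:30Z 203.0.113.10 12
2024-05-01T09:22:19Z 198.51.100.77 9
2024-05-01T10:48:52Z 203.0.113.22 18
"""


def parse_events(text):
    """Parse records into (datetime, ip, score) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, score = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, int(score)))
    return events


def top_blocked(events, n=3):
    """Top blocked addresses as (ip, block_count, lowest_score_seen).

    Lower scores mean worse reputation, so the minimum is the worst seen.
    """
    counts = Counter(ip for _, ip, _ in events)
    worst = {}
    for _, ip, score in events:
        worst[ip] = min(score, worst.get(ip, 100))
    return [(ip, count, worst[ip]) for ip, count in counts.most_common(n)]


def blocked_per_hour(events):
    """Hourly bucket counts (ISO hour -> blocks), the data behind the time graph."""
    series = Counter(ts.strftime("%Y-%m-%dT%H:00Z") for ts, _, _ in events)
    return dict(sorted(series.items()))


if __name__ == "__main__":
    events = parse_events(BLOCKED_EVENTS)
    for ip, count, score in top_blocked(events):
        print(f"{ip:<16} blocks={count} worst_score={score}")
    for hour, count in blocked_per_hour(events).items():
        print(f"{hour} {count}")
```

A recurring address near the top of the list with a low score is worth investigating on the client side (which internal hosts keep trying to reach it), while a repeatedly blocked address that turns out to be legitimate is the candidate for a Pass List entry.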

[Image: sdwr-tp-reports.png]
