High-risk GTI reputation block on its first detected connection
Hi all, I have the following question: is it possible through GTI (I suppose it would be in the connection limits policy) for the first packet that is seen with a high reputation to be blocked?
I ask because, until now, I have not been able to make this policy block any IP address with a bad reputation on its first connection.
Re: High-risk GTI reputation block on its first detected connection
Hi, thanks for the reply. Regarding your suggestion: yes, I have XFF enabled, but I think this only applies to HTTP inspection. Investigating a little more, I think it is not possible for GTI to block the connections that are detected as high risk on the first detection (like a port scan or port sweep). Apparently the only way is to block by SmartBlocking. The drawback that I see with this is that, in addition to the BTP and the reputation by GTI, it adds ports considered high risk, incorporating a variable that could generate false positives. I will continue investigating, but it gives me the feeling that it is not possible. I find it strange, because blocking by reputation would be an efficient and inexpensive way for team resources.