This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAF Business Rule: Web Server Protection Policy with Block clients with bad reputation: enabled, can I white-list IPs?

If I want to enable the Web Server Protection Policy "Block clients with bad reputation" feature, can I add a white-list of IPs that I want it to not check for reputation?

Microsoft has some IPs that have found their way onto the black list used for the "Block clients with bad reputation" feature.

Example:

[Tue Jul 31 10:08:55.325137 2018] timestamp="1533056935" srcip="40.100.57.197" localip="xxx.xxx.xxx.xxx" user="-" host="40.100.57.197" method="POST" statuscode="403" reason="Bad Reputation" extra="Client is listed on DNSRBL black.rbl.ctipd.astaro.local" exceptions="-" duration="704" url="/adfs/services/trust/2005/usernamemixed" server="host.domain.suffix" referer="-" cookie="-" set-cookie="-" recvbytes="2540" sentbytes="6483" protocol="HTTP/1.1" ctype="text/html" uagent="-" querystring="" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="x"

I would like to keep the feature turned on to drop bad actor traffic, but ensure the IPs I know are ok to keep communicating.

This thread was automatically locked due to age.

0 FloSupport over 7 years ago
Hey AADD

You can add an exception to your existing WAF firewall rule to perform this:

You would add the IP you wanted to whitelist into the sources box

Click the appropriate box to skip Block clients with bad reputation

Let me know if you run into any issues.

Regards,
Cancel
Vote Up 0 Vote Down

Cancel
0 AADD over 7 years ago in reply to FloSupport

Thank you for the response.

Am I able to have multiple exception rules for the same path?
Cancel
Vote Up 0 Vote Down

Cancel
0 AADD over 7 years ago in reply to AADD

Or are you suggesting that I don't need to enter a path?
Cancel
Vote Up 0 Vote Down

Cancel
0 FloSupport over 7 years ago in reply to AADD

Hey AADD

You should be able to enter multiple exceptions, otherwise you could also enter the root of the path that your WAF rule is configured for.

Keep me updated if you run into any issues and we can troubleshoot further.

Thanks!
Cancel
Vote Up 0 Vote Down

Cancel
0 AADD over 7 years ago in reply to FloSupport

I tried adding another exceptions for the same path, it still blocked based on Bad Reputation. How do you determine which takes priority over the other?
Cancel
Vote Up 0 Vote Down

Cancel
0 FloSupport over 7 years ago in reply to AADD

Hi AADD,

Would it be possible to enable the support access tunnel for your appliance and PM me with the ID for further investigation?

Thanks!
Cancel
Vote Up 0 Vote Down

Cancel
0 AADD over 7 years ago in reply to FloSupport

The rule in question is a live rule for active services. I currently have the feature in question disabled from the protection policy. I can give you access, however, I do not want any changes made. My current rule looks like this community.sophos.com/.../adfs-waf-policy-and-rule
Cancel
Vote Up 0 Vote Down

Cancel