There is talk in the ATP about black hole. I thought on the feature request page we were going to have a manual/advanced blackhole optional list where we could add an IP and all communication from and to for all services would be blocked instantly. Will this be possible in the future?
ATP is a feature that for the 9.2 release mainly focuses on C&C/botnet related threats and updates itself frequently by intel through our Sophos Labs. It's not much of a manually configurable blackhole for now, I'm afraid...
We'll investigate the options for extending it by the requested functionality, so.
ATP is a feature that for the 9.2 release mainly focuses on C&C/botnet related threats and updates itself frequently by intel through our Sophos Labs. It's not much of a manually configurable blackhole for now, I'm afraid...
We'll investigate the options for extending it by the requested functionality, so.
Understood. It would be a nice feature somewhere, it is a pain to keep a 2 rule list of unwanted ips on the firewalls and making a host entry that I don't care about.
There a "trick" on how to block your desired IP address. The threat data, provided by SophosLabs is located here: /var/pattern/aptp/threatdata
You could edit this file, and add your desired IP. The only problem the pattern updates run few times a day and the data gets overwritten. Indeed would be a nice feature blackholing an IP address and have this option somewhere in Webadmin. But this is a PM decision. As mentioned in the Release Notes: "Much more will be released on this technology, but for now, note that we have new notifications for this engine, a new status widget for the WebAdmin dashboard, and new logging/reporting entries. " Have fun with it [;)]
be warned so: The tweak suggested above is not something I can recommend - and far from getting any of our support! Among the reasons why this will prove to be bad an idea:
- the mentioned file will be frequently updated by Sophos, effectively invalidating all manual changes - due to the dangerous nature of the content it simply may be changed to an encrypted version during beta - unannounced. - it will only partially serve your scenario as it will not automatically be a two-way blackhole
I understand, I won't be manually changing it. I would like to request an area to allow a list of IPs to be black-holed. I will add it to the feature request page. I thought what was there would have covered this.
Pardon my ignorance in the firewall (I'm a web guy) but... can't that be done with a firewall rule?
You will have to have 2 separate rules, for the source and the destination to make a 2 way block. Then you will have to have a host entry for each ip that you want. Can be a bit of a pain.
Also I believe there are some services on the UTM that can accept traffic before hitting the firewall. May be wrong on that, but I know other UTMs that work that way.
