Hi there.
As I implemented WAF for one of our customers, I stumbled upon the "Block clients with bad reputation" option in WAF -> Firewall Profiles -> Filtering. Best practice is to leave this option checked, and it is checked by default.
UTM version is 9.508
After rollout, some users were no longer able to use ActiveSync with their mobile devices. From the logging, I got the info that somehow some source IPs are blacklisted. Since those WAN IPs are not sticky and can therefore change periodically, not through user interaction but by the ISP, the only way around this was to leave the above-mentioned checkbox unchecked.
As an example, a log excerpt from this morning:
2018:03:14-10:44:17 fw_xxx httpd: id="0299" srcip="80.187.xxx.xxx" localip="78.94.111.27" size="236" user="-" host="80.187.xxx.xxx" method="POST" statuscode="403" reason="dnsrbl" extra="Client is listed on DNSRBL black.rbl.ctipd.astaro.local" exceptions="SkipURLHardening" time="83132" url="/Microsoft-Server-ActiveSync" server="webmail.xxx.xxx" port="443" query="?User=xxx.xxx&DeviceId=ASJ72ATRMP2C1938U7UHFFCBOK&DeviceType=iPhone&Cmd=Ping" referer="-" cookie="-" set-cookie="-" uid="Wqju8cCoZv4AABtFMf4AAAB1"
2018:03:14-10:44:19 fw_xxx httpd[6981]: [authz_blacklist:warn] [pid 6981:tid 4088732528] [client 80.187.xxx.xxx:26772] Client is listed on DNSRBL black.rbl.ctipd.astaro.local
Perhaps someone can clarify for me in a bit more detail what the purpose of this option is, according to the documentation?
Thanks in advance,
toby
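As an added example (not part of the original post or of the UTM product), here is a small Python triage script that parses UTM WAF httpd log lines of the kind quoted above and groups the reason="dnsrbl" 403s by source IP, so an admin can see which servers and URLs reputation blocking is rejecting before deciding between leaving the option on and configuring an exception. The sample log lines, IPs and hostnames are constructed placeholders.

```python
import re
from collections import defaultdict

# Matches the key="value" pairs of a UTM WAF access log entry (httpd id="0299").
KV_RE = re.compile(r'(\S+?)="([^"]*)"')

def parse_waf_line(line):
    """Return the fields of one UTM WAF access log line as a dict, or None
    if the line is not an id="0299" entry (e.g. the Apache-style warning line)."""
    fields = dict(KV_RE.findall(line))
    if fields.get("id") != "0299":
        return None
    return fields

def summarize_reputation_blocks(lines):
    """Group 403s with reason="dnsrbl" by source IP: how many requests were
    refused, which servers/URLs they targeted, and which DNSRBL listed the client.
    Useful to spot reputation blocks hitting legitimate endpoints such as
    /Microsoft-Server-ActiveSync."""
    blocked = defaultdict(lambda: {"count": 0, "urls": set(), "servers": set(), "rbl": set()})
    for line in lines:
        f = parse_waf_line(line)
        if f is None or f.get("reason") != "dnsrbl" or f.get("statuscode") != "403":
            continue
        entry = blocked[f["srcip"]]
        entry["count"] += 1
        entry["urls"].add(f.get("url", ""))
        entry["servers"].add(f.get("server", ""))
        m = re.search(r"listed on DNSRBL (\S+)", f.get("extra", ""))
        if m:
            entry["rbl"].add(m.group(1))
    return dict(blocked)

# Constructed sample lines modeled on the post's excerpt (addresses are placeholders).
SAMPLE_LOG = [
    '2018:03:14-10:44:17 fw_xxx httpd: id="0299" srcip="80.187.1.2" localip="198.51.100.27" size="236" user="-" host="80.187.1.2" method="POST" statuscode="403" reason="dnsrbl" extra="Client is listed on DNSRBL black.rbl.ctipd.astaro.local" exceptions="SkipURLHardening" time="83132" url="/Microsoft-Server-ActiveSync" server="webmail.example.com" port="443" query="?Cmd=Ping" referer="-" cookie="-" set-cookie="-" uid="uid1"',
    '2018:03:14-10:44:19 fw_xxx httpd[6981]: [authz_blacklist:warn] [pid 6981:tid 4088732528] [client 80.187.1.2:26772] Client is listed on DNSRBL black.rbl.ctipd.astaro.local',
    '2018:03:14-10:45:02 fw_xxx httpd: id="0299" srcip="80.187.1.2" localip="198.51.100.27" size="236" user="-" host="80.187.1.2" method="POST" statuscode="403" reason="dnsrbl" extra="Client is listed on DNSRBL black.rbl.ctipd.astaro.local" exceptions="SkipURLHardening" time="83132" url="/Microsoft-Server-ActiveSync" server="webmail.example.com" port="443" query="?Cmd=Sync" referer="-" cookie="-" set-cookie="-" uid="uid2"',
    '2018:03:14-10:46:10 fw_xxx httpd: id="0299" srcip="203.0.113.9" localip="198.51.100.27" size="1420" user="-" host="203.0.113.9" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="1201" url="/owa/" server="webmail.example.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="uid3"',
]

if __name__ == "__main__":
    for ip, info in summarize_reputation_blocks(SAMPLE_LOG).items():
        print(ip, info["count"], sorted(info["urls"]), sorted(info["rbl"]))
```

Run it against a real UTM WAF log instead of SAMPLE_LOG to list the affected client IPs and the URLs they were refused on.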