Dear Sophos UTM Experts,
We have deployed a Sophos UTM SG210 as WAF (Webserver Protection). I have used "Advanced Protection" profile with some additional static URL Hardening. The option "Block clients with bad reputation" was unchecked.
There was a URL brute force attack for more than 8 minutes from one IP address. The attacker tried all URLs possibilities and keep on getting status codes of 403/404 from Sophos UTM but luckily attack was not successful. After having a look into the the Sophos community literature, it looks like that the option "Block clients with bad reputation" generates too many false positive and "Skip remote lookups for clients with bad reputation" is better option.
Did checking ""Block clients with bad reputation" and "Skip remote lookups for clients with bad reputation" both options somehow helped blocking the IP address or attack on Sophos UTM device?
My expection is that Sophos UTM WAF should have blocked this IP somehow automatically after getting so many 403/404 status codes within a very short period of time.
How I can configure Sophos UTM WAF to block such kind of attacks on its own in future?