Too many users getting blocked by RBL on WAF

Hi there, I work for a medium-sized business and we use an SG310 running UTM 9.5. Lately we've had lots of complaints that customers are getting a forbidden error when trying to access our website. When I go into the log, they're all getting blocked due to poor reputation. For a few users that I've interacted with, granting their WAN IP an exception to "Block clients with bad reputation" fixed the issue.

However, this is happening more and more and I'm honestly not happy with the RBL our Sophos is currently using. TONS of false positives. Could I get some advice?

1. Where do I go to change which RBL it uses for the reputation check on the WAF?

2. Do you guys have a recommended RBL?

3. Is turning the reputation check off altogether a bad idea?

Thanks,

Dan



  • Just turn off that option. WAF uses the email RBLs, and a good email RBL will blacklist residential IP addresses. Your users are not really infected. Wasted a lot of panic when I thought I had malware in the house.

  • Or you could activate the option ‘Skip remote lookups for clients with bad reputation’, so the RBL sources aren’t used. Only GeoIP is then used and you're blocking VPN users... At least this is in the manual.
    I've done this myself and it's a little more than just disabling ‘Block clients with bad reputation’.

    Best regards

    Alex
