
Troubleshoot Active threat response

IoC wasn't blocked.

Make sure you've configured the required settings and rules. See Requirements for threat feeds.

If an IoC isn't blocked, make sure it doesn't belong to the Active threat response, web, and decryption exclusions as follows:

  1. Active threat response: Click Threat exclusions and make sure the list doesn't contain the IoCs or the network hosts making the request.
  2. Web policy: Make sure the domains and URLs aren't part of a web policy with Action set to Allow.

    1. Go to Active threat response and click Logs to open Log viewer.
    2. Select Web filter in the drop-down list and look for the IoC in the Category column.

      You can also search for the domain.


    3. To see the ID of the firewall rule that allowed the domain or URL, and the web policy selected in that rule, click the Detailed view icon.

      Note

      You can create a URL group and add it to a web policy with Action set to Block. Add the policy to a LAN-to-WAN firewall rule, and position the rule above the one that allowed the domain or URL.

  3. Web and SSL/TLS exclusions: Check the exclusions for the web filtering mode you use.

    • If you use Web proxy, go to Web > Exceptions and make sure none of the exception rules have the following settings:

      1. URL pattern matches, Web categories, or Destination IP addresses that match the IoC.
      2. Source IP addresses that match the user's endpoint making the request.
    • If you use DPI engine, do as follows:

      1. Go to Log viewer, select SSL/TLS inspection in the drop-down list, and look for the URL in the Server name column.

        You can also search for the URL.

      2. In the Action column, make sure the SSL/TLS inspection rule matching the traffic has its Action set to Decrypt.

      3. If it's set to Don't Decrypt, look for the rule ID in the SSL/TLS rule column.

        Note

        A URL can only be matched if the traffic is decrypted. So, you can create a URL group, add it to an SSL/TLS inspection rule with Action set to Decrypt, and position the rule above the one that allowed the URL.
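The two log checks above (finding the firewall rule whose web policy allowed an IoC domain, and the SSL/TLS inspection rule that left it undecrypted) can also be run over an exported log. The script below is an added example, not Sophos's own code: the key="value" layout follows Sophos Firewall syslog, but the field names (log_component, src_ip, url, sni, status, action, fw_rule_id, ssl_rule_id) are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample log export. The key="value" layout mirrors Sophos Firewall
# syslog, but the field names used here are assumptions for this example.
SAMPLE_LOGS = """\
log_component="HTTP" src_ip="10.1.1.25" url="https://evil.example/x" category="Malware" status="Denied" fw_rule_id="5"
log_component="HTTP" src_ip="10.1.1.40" url="https://cdn.evil.example/a.js" category="Business" status="Allowed" fw_rule_id="12"
log_component="SSL/TLS inspection" src_ip="10.1.1.40" sni="cdn.evil.example" action="Don't Decrypt" ssl_rule_id="3"
log_component="HTTP" src_ip="10.1.1.9" url="https://news.example/" category="News" status="Allowed" fw_rule_id="12"
"""

KV = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one key="value" log line into a dict (empty dict for junk lines)."""
    return dict(KV.findall(line))


def host_matches(host, ioc):
    """True if host is the IoC domain itself or a subdomain of it."""
    host, ioc = host.lower().rstrip("."), ioc.lower().rstrip(".")
    return host == ioc or host.endswith("." + ioc)


def triage_ioc(ioc, logs):
    """Explain why traffic to an IoC domain got through.

    Returns the firewall rule IDs whose web policy allowed it (web policy
    check), the SSL/TLS inspection rule IDs that left it undecrypted
    (DPI engine check), and how many requests were actually denied.
    """
    result = {"allowed_fw_rules": set(), "not_decrypted_ssl_rules": set(), "denied": 0}
    for raw in logs.splitlines():
        e = parse_line(raw)
        if not e:
            continue
        if e.get("log_component") == "HTTP" and "url" in e:
            if not host_matches(urlparse(e["url"]).hostname or "", ioc):
                continue
            if e.get("status") == "Allowed":
                result["allowed_fw_rules"].add(e.get("fw_rule_id", "?"))
            elif e.get("status") == "Denied":
                result["denied"] += 1
        elif e.get("log_component") == "SSL/TLS inspection":
            if host_matches(e.get("sni", ""), ioc) and e.get("action") == "Don't Decrypt":
                result["not_decrypted_ssl_rules"].add(e.get("ssl_rule_id", "?"))
    return result


if __name__ == "__main__":
    print(triage_ioc("evil.example", SAMPLE_LOGS))
```

Rule IDs it reports are the ones to look up under the firewall rules and SSL/TLS inspection rules, then override with a Block or Decrypt rule positioned above them.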