Troubleshoot Active threat response
All threat feed modules
IoC wasn't blocked.
Make sure you've configured the required settings and rules. See Requirements.
If an IoC isn't blocked, make sure it doesn't belong to the Active threat response, web, and decryption exclusions as follows:
- Active threat response: Click Threat exclusions and make sure the list doesn't contain the IoCs or the network hosts making the request.
- Web policy: Make sure the domains and URLs aren't part of a web policy with Action set to Allow.
  - Go to Active threat response and click Logs to open Log viewer.
  - Select Web filter in the drop-down list and look for the IoC in the Category column. You can also search for the domain.
  - To see the ID of the firewall rule that allowed the domain or URL and the web policy selected in the firewall rule, click the detailed view icon.
  Note
  You can create a URL group and add it to a web policy with Action set to Block. Add the policy to a LAN-to-WAN firewall rule, and position the rule above the one that allowed the domain or URL.
- Web and SSL/TLS exclusions: Check the exclusions for the web filtering mode you use.
  - If you use Web proxy, go to Web > Exceptions and make sure none of the exception rules have the following settings:
    - URL pattern matches, Web categories, or Destination IP addresses that match the IoC.
    - Source IP addresses that match the user's endpoint making the request.
  - If you use DPI engine, do as follows:
    - Go to Log viewer, select SSL/TLS inspection in the drop-down list, and look for the URL in the Server name column. You can also search for the URL.
    - In the Action column, make sure the SSL/TLS inspection rule matching the traffic has its Action set to Decrypt.
    - If it's set to Don't Decrypt, look for the rule ID in the SSL/TLS rule column.
    Note
    URLs must be decrypted. So, you can create a URL group and add it to an SSL/TLS inspection rule with Action set to Decrypt and position the rule above the one that allowed the URL.
Third-party threat feeds
A single third-party threat feed was configured. The firewall shows Storage full status.
The smaller desktop firewall appliances may not have enough disk space to store a large threat feed. If the firewall doesn't have enough space to store the full list, it shows the Storage full error. See Manage third-party threat feeds.
Synchronization status shows Failed.
Check if the threat feed file opens when you enter the URL in the browser. If it doesn't, the file may not be in the correct format. See Format of threat feeds.
Synchronization status shows SSL/TLS error.
Do as follows on Certificates > Certificate authorities based on the certificate the threat feed server uses:
- Public certificate: Verify if the CA certificate is available on the web admin console.
- Private certificate: Upload its CA certificate to the web admin console.
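As an added diagnostic that is not part of this documentation or of the firewall itself, the following Python fetches a threat feed URL the way the firewall would and maps any failure onto the two synchronization states described above (Failed, SSL/TLS error), so you can tell a missing CA certificate apart from an unreachable or malformed feed before touching the web admin console. The feed URL and CA bundle path are placeholders you supply; the feed format itself is not checked here, only that the file opens and is non-empty.

```python
import socket
import ssl
import urllib.error
import urllib.request
from typing import Optional, Tuple


def classify_error(exc: Exception) -> str:
    """Map a fetch failure onto the firewall's synchronization states.

    'SSL/TLS error' means the feed server's certificate chain did not
    verify (public CA missing from the console, or private CA not
    uploaded); 'Failed' covers everything else (unreachable host,
    HTTP error, empty body).
    """
    if isinstance(exc, ssl.SSLCertVerificationError):
        return ("SSL/TLS error: CA certificate not trusted; add it under "
                "Certificates > Certificate authorities")
    if isinstance(exc, ssl.SSLError):
        return "SSL/TLS error: handshake failed (%s)" % exc
    if isinstance(exc, urllib.error.HTTPError):  # subclass of URLError, check first
        return "Failed: server returned HTTP %d for the feed URL" % exc.code
    if isinstance(exc, urllib.error.URLError):
        # urllib wraps TLS and socket errors (e.g. DNS failure) in .reason
        if isinstance(exc.reason, ssl.SSLError):
            return classify_error(exc.reason)
        return "Failed: feed URL not reachable (%s)" % exc.reason
    return "Failed: %s" % exc


def check_feed(url: str, cafile: Optional[str] = None,
               timeout: float = 10.0) -> Tuple[str, int]:
    """Fetch the feed and return (status, non-empty line count).

    cafile is the PEM bundle that signs the feed server's certificate
    (the 'Private certificate' case); None uses the system trust store,
    which mirrors the 'Public certificate' case.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            body = resp.read()
    except Exception as exc:
        return classify_error(exc), 0
    lines = [ln for ln in body.decode("utf-8", "replace").splitlines() if ln.strip()]
    if not lines:
        return "Failed: feed file is empty", 0
    return "OK", len(lines)


if __name__ == "__main__":
    # Placeholder URL and CA path; replace with your feed and CA bundle.
    print(check_feed("https://feed.example.invalid/feed.txt", cafile=None))
```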