  1. #1
    Newbie
    Join Date
    Mar 2020
    Posts
    4

    Not ready for prime-time!

    I think there are some issues with the new Threat Prevention App. I love the concept of what was attempted here but there are major issues and bugs that I've found:

    1) Setting for 'high risk only' actually blocks anything suspicious, even though suspicious is not selected on the slider.

    2) There is some discrepancy between the IP list that Untangle is using versus the Bright Cloud page:
    Example - 3/11/2020 - 11:00am, Untangle Threat lookup shows 89.144.18.135 as suspicious, but a direct query against Brightcloud shows it as benign. Same with 199.7.202.134

    3) Reporting: For some reason, the reporting pane to view 'blocked' events is showing all events. This can cause people to assume that traffic is being blocked when it isn't. This is cosmetic but notable.

    4) Needs a setting similar to IPS that allows you to select where Threat Prevention sits in the stack. For example, the majority of 'hits' that are blocked by Threat Prevention are already blocked by the base firewall, so you have to filter out the 'ambient noise' to figure out what actually made it through to the Threat Prevention module.
    Last edited by ThomasTrain; 03-11-2020 at 08:37 AM.

  2. #2
    Untangler
    Join Date
    May 2018
    Posts
    58


    Thanks for the feedback Thomas. We'll go over those and see if we need to make some adjustments.
    Heather P
    Untangle Product Team

  3. #3
    Untangle Ninja
    Join Date
    Jan 2009
    Posts
    1,148


    The biggest problem I've seen is definitely the CDN IPs; it's too aggressive even on the default setting. I've had to disable the two installs I've turned on because I don't have the time to keep up with them. It's worse than the uncategorized category in Web Filter.

  4. #4
    Untangle Ninja f1assistance
    Join Date
    Apr 2009
    Location
    Holly Springs, NC
    Posts
    1,495


    Hilarious, one man's trash is another man's treasure. There are no safe spaces that make our binary world. Today, having static beliefs about a dynamic instance is the height of idiocy...I'll continue to hope for luck while taking aim at an ever moving target!
    Vanguard Untangle...because nothing's worse than doing nothing!
    -------
    2, Pentium (R) Dual-Core CPU E5300 @ 2.60GHz 2599.968, 2089.96MB RAM
    And building #7 didn't kill itself!

  5. #5
    Untangler
    Join Date
    May 2018
    Posts
    58


    Thomas, can you send some details for your issue of 'Suspicious' being blocked please? Do you have a report where you're seeing 'Suspicious' blocked, with the slider set to "High Risk"?

    Thanks,
    Heather P
    Untangle Product Team

  6. #6
    Untangler
    Join Date
    Jul 2009
    Location
    Minneapolis/Saint Paul MN
    Posts
    79


    I installed the Threat Prevention app with the default settings... set to only block "High Risk" at a client site... the client started not receiving emails from their clients sent via the @me.com, @icloud.com and @Gmail.com email domains. If you check those in the Threat Prevention app they come back as "Suspicious"; however, they were being blocked anyway. I turned OFF the app and the emails started flowing in again.... I made no other changes to the Untangle NG Firewall during this process with the exception of the upgrade to 15.0.0.
    Last edited by automationstation; 03-18-2020 at 07:36 AM. Reason: additional information

  7. #7
    Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,447


    @automationstation, it would have been helpful to have started your own thread.
    Can you screenshot the report from TP when e-mails are blocked, please?
    If you think I got Grumpy

  8. #8
    Newbie
    Join Date
    Mar 2020
    Posts
    4


    Quote Originally Posted by hpaunet
    Thomas, can you send some details for your issue of 'Suspicious' being blocked please? Do you have a report where you're seeing 'Suspicious' blocked, with the slider set to "High Risk"?

    Thanks,
    Yes and I posted two explicit examples that were being misreported in my OP. See below:

    Example - 3/11/2020 - 11:00am, Untangle Threat lookup shows 89.144.18.135 as suspicious, but a direct query against Brightcloud shows it as benign. Same with 199.7.202.134

  9. #9
    Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,447


    Quote Originally Posted by ThomasTrain
    Yes and I posted two explicit examples that were being misreported in my OP. See below:
    It is new to me as well, so I might be on the wrong track, but what about the URL?
    Can you post a screenshot from the report?

  10. #10
    Untangler
    Join Date
    Jul 2009
    Location
    Minneapolis/Saint Paul MN
    Posts
    79


    Quote Originally Posted by Jim.Alles
    @automationstation, it would have been helpful to have started your own thread.
    Can you screenshot the report from TP when e-mails are blocked, please?
    My post was in direct response to hpaunet's request above my post: "Do you have a report where you're seeing 'Suspicious' blocked, with the slider set to "High Risk"?"
