The following steps are best practices for handling a situation when traffic is being blocked unexpectedly:
- The first option should always be to add IPs being blocked to an Allowed List in GMC, whenever possible.
- If the traffic being blocked is coming from a single ASN, and it is an ASN you trust (or ASN specific to the company/service you are using), you can consider either temporarily or permanently allowing all traffic for the ASN using Risk Thresholds in GMC.
- Another option is to temporarily edit the policy being used to adjust a specific area of blocking:
  - Threat Lists - temporarily adjust the risk thresholds for categories or disable categories altogether in GMC. Note that there isn't currently a way to disable an individual threat list, and any adjustment to the risk thresholds will impact protection for both Webroot and Proofpoint.
  - Denied Lists - temporarily disable the individual lists causing issues, or temporarily disable all of them in GMC.
  - Country - temporarily unblock the country in question in your policies in GMC, or use risk thresholds to lower the scores associated with IPs on threat lists for specific countries.
- If all of the above fails to address your issue, the best emergency solution is to change the linked policy on the ThreatBlockr appliance from the current policy to the Allow All policy. Note that Domain Denied lists will still be enforced, so if desired you'll need to disable them on the Domain Denied List page in GMC.
- Lastly, if there is still a problem while the ThreatBlockr is using an Allow All policy, the final solution is to place the device in bypass mode. The reason for moving to an Allow All policy first, rather than going straight to Bypass mode, is that traffic continues to be logged in Allow All mode, whereas in Bypass mode it is not logged at all. If you reach this point, the problem may be hardware-related and require further troubleshooting.
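The steps above form an escalation ladder, from the narrowest change (allow-listing individual IPs) to the broadest (Allow All, then bypass). The following added example, which is not ThreatBlockr or GMC code, shows how a defender might triage blocked-connection records before touching GMC, so that the least permissive step that actually fits the data is chosen. The record fields (`src_ip`, `asn`, `country`, `reason`, `list_name`), the `reason` values, and the `MAX_ALLOWLIST_IPS` cut-off are all assumptions for the example; the sample records use documentation IP space (203.0.113.0/24) and documentation ASNs (AS64496 onward) and are constructed, not real traffic.

```python
"""Triage helper for unexpectedly blocked traffic.

Constructed example (not ThreatBlockr/GMC code). Given blocked-connection records,
it recommends the least-permissive step from the runbook:
  1. allow-list the specific source IPs, if there are few enough of them;
  2. allow a single trusted ASN, if every blocked flow comes from it;
  3. otherwise, adjust only the policy area (threat list / denied list / country)
     responsible for most of the blocks.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class BlockedFlow:
    """One blocked connection. Field names and 'reason' values are assumed for this example."""
    src_ip: str
    asn: int
    country: str
    reason: str      # assumed values: "threat_list", "denied_list", "country"
    list_name: str   # threat category, denied-list name, or country code


# Assumed cut-off: above this many distinct sources, per-IP allow-listing becomes unwieldy.
MAX_ALLOWLIST_IPS = 10


def summarize(flows):
    """Count blocked flows by source IP, ASN, block reason and (reason, list) pair."""
    flows = list(flows)
    return {
        "ips": Counter(f.src_ip for f in flows),
        "asns": Counter(f.asn for f in flows),
        "reasons": Counter(f.reason for f in flows),
        "lists": Counter((f.reason, f.list_name) for f in flows),
    }


def recommend(flows, trusted_asns=frozenset()):
    """Return (step, detail) for the narrowest change that covers all blocked flows."""
    flows = list(flows)
    if not flows:
        return ("none", None)
    s = summarize(flows)

    # Step 1: few enough sources -> add exactly those IPs to an Allowed List.
    if len(s["ips"]) <= MAX_ALLOWLIST_IPS:
        return ("allow_list_ips", sorted(s["ips"]))

    # Step 2: everything comes from one ASN and the operator trusts it -> allow the ASN.
    if len(s["asns"]) == 1:
        (asn,) = s["asns"]
        if asn in trusted_asns:
            return ("allow_asn", asn)

    # Step 3: adjust only the single policy area/list responsible for most of the blocks,
    # rather than disabling whole categories or moving to Allow All.
    (reason, list_name), _ = s["lists"].most_common(1)[0]
    return ("adjust_policy", {"area": reason, "list": list_name})


def sample_flows(n_ips, asns, reason, list_name):
    """Constructed sample records: n_ips distinct 203.0.113.x sources spread across asns."""
    return [
        BlockedFlow(f"203.0.113.{i}", asns[i % len(asns)], "US", reason, list_name)
        for i in range(1, n_ips + 1)
    ]


if __name__ == "__main__":
    # Three sources blocked by a threat category: allow-list just those IPs.
    print(recommend(sample_flows(3, [64496], "threat_list", "scanner")))
    # Twenty sources, all in one ASN the operator trusts: allow the ASN.
    print(recommend(sample_flows(20, [64496], "denied_list", "legacy"), trusted_asns={64496}))
    # Mixed ASNs and reasons: adjust only the denied list causing most blocks.
    mixed = sample_flows(12, [64496, 64497], "denied_list", "legacy") + \
            sample_flows(8, [64498], "threat_list", "scanner")
    print(recommend(mixed))
```

The point of the ordering is that each step widens the hole in the policy: a handful of IPs is far narrower than an ASN, which is narrower than lowering a category's risk threshold for everyone. The script stops at the first step that fits, and it never proposes Allow All or bypass, since those remain manual decisions once the narrower options have been exhausted.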