https://community.cisco.com/t5/network-security/ftd-blocking-connection-to-opendns/m-p/4923246#M1104237 <P>Hi All,</P><P>I am running FTD2120 pair in HA, software code 7.0.4 with VDB build 371. I noticed that there is increased counters for Malware blocks against Security Intelligence coming from our user base. We have deployed Cisco Umbrella in our environment which has been implemented for past 3 months.</P><P>FTD reports that following IP address is blocked&nbsp;<SPAN><STRONG>146.112.56.158</STRONG>, reason <STRONG>IP Block</STRONG>, Security Intelligence Category: <STRONG>Malware</STRONG>. At the same time there are loads of connection to the same IP address which goes through no issues, this same IP Block is seen across&nbsp;other IP addresses which belong to OpenDNS.</SPAN></P><P><SPAN>Any suggestions as to what is happening here and means to resolve it? I could use Prefilter Rule, but this should not be happening in first place.</SPAN></P> Thu, 14 Sep 2023 07:07:25 GMT AigarsK 2023-09-14T07:07:25Z https://community.cisco.com/t5/network-security/ftd-blocking-connection-to-opendns/m-p/4923246#M1104237 <P>Hi All,</P><P>I am running FTD2120 pair in HA, software code 7.0.4 with VDB build 371. I noticed that there is increased counters for Malware blocks against Security Intelligence coming from our user base. We have deployed Cisco Umbrella in our environment which has been implemented for past 3 months.</P><P>FTD reports that following IP address is blocked&nbsp;<SPAN><STRONG>146.112.56.158</STRONG>, reason <STRONG>IP Block</STRONG>, Security Intelligence Category: <STRONG>Malware</STRONG>. At the same time there are loads of connection to the same IP address which goes through no issues, this same IP Block is seen across&nbsp;other IP addresses which belong to OpenDNS.</SPAN></P><P><SPAN>Any suggestions as to what is happening here and means to resolve it? I could use Prefilter Rule, but this should not be happening in first place.</SPAN></P> Thu, 14 Sep 2023 07:07:25 GMT https://community.cisco.com/t5/network-security/ftd-blocking-connection-to-opendns/m-p/4923246#M1104237 AigarsK 2023-09-14T07:07:25Z https://community.cisco.com/t5/network-security/ftd-blocking-connection-to-opendns/m-p/4924082#M1104271 <P>AigarsK,</P><P>I see the same behavior on our network running two 9300s in an HA pair.&nbsp; What I believe is happening is the original IP is being passed to OpenDNS and if the site is blocked, the packet coming back has the OpenDNS IP address attached rather than the original IP.&nbsp;</P><P>I think we could definitely solve this by running a packet capture to a known blocked site and see if the header is appended.</P><P>&nbsp;</P><P>Donnie</P> Fri, 15 Sep 2023 11:54:46 GMT https://community.cisco.com/t5/network-security/ftd-blocking-connection-to-opendns/m-p/4924082#M1104271 dwillia5@highpoint.edu 2023-09-15T11:54:46Z https://community.cisco.com/t5/network-security/ftd-blocking-connection-to-opendns/m-p/4924164#M1104274 <P>Hi Donnie,<BR />I think you are right, I just managed to locate IP Block which included the URL, it was also blocked on Umbrella for the same user and source IP.<BR />Would still like to find out how to prevent these double detections/blocks from appearing in FTD as they serve no value to report on.</P> Fri, 15 Sep 2023 14:43:27 GMT https://community.cisco.com/t5/network-security/ftd-blocking-connection-to-opendns/m-p/4924164#M1104274 AigarsK 2023-09-15T14:43:27Z