04-17-2022 02:00 AM
I have created a policy for Windows machines in which I have enabled DFC and configured the setting to 'Block'. I then configured a custom IP block list, entered a list of some IP addresses, and associated this block list with the above policy. When I generate traffic to these IP addresses, I do see events being generated under event analysis; however, connections to these IP addresses are not getting blocked. (I am testing this with a file transfer, so the connection and file are actually benign.)
Can we block the connections to certain IP addresses by using custom block lists? Or, even if we add IP addresses to the custom block list, will it observe the connections to see if there is anything malicious in the connection, and block it only if it detects anything malicious?
04-19-2022 06:04 AM
Hello @AlexH. ,
I assume Secure Endpoint is working here as expected. DFC is not designed to be used like a firewall, blocking an IP at any time for any connection. Access to the IP is blocked for a specific number of connections. This should ensure that we block an active threat and remove it with all the other technologies.
Greetings, Thorsten