FTD blocking connection to OpenDNS

AigarsK
Level 1

Hi All,

I am running an FTD2120 pair in HA, software code 7.0.4 with VDB build 371. I noticed that there are increased counters for Malware blocks against Security Intelligence coming from our user base. We have deployed Cisco Umbrella in our environment, which has been implemented for the past 3 months.

FTD reports that the following IP address is blocked: 146.112.56.158, reason IP Block, Security Intelligence Category: Malware. At the same time there are loads of connections to the same IP address which go through with no issues; this same IP Block is seen across other IP addresses which belong to OpenDNS.

Any suggestions as to what is happening here and means to resolve it? I could use a Prefilter Rule, but this should not be happening in the first place.

Accepted Solution

AigarsK,

I see the same behavior on our network running two 9300s in an HA pair. What I believe is happening is the original IP is being passed to OpenDNS and, if the site is blocked, the packet coming back has the OpenDNS IP address attached rather than the original IP.

I think we could definitely solve this by running a packet capture to a known blocked site and see if the header is appended.


Donnie


2 Replies


Hi Donnie,
I think you are right, I just managed to locate IP Block which included the URL, it was also blocked on Umbrella for the same user and source IP.
Would still like to find out how to prevent these double detections/blocks from appearing in FTD as they serve no value to report on.
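One way to separate the redundant blocks from the ones worth an analyst's time, as an added example that is not part of this thread and not Cisco code: given Security Intelligence block events (the record format below is constructed, not FTD's own syslog) and a list of addresses the admin has confirmed belong to the Umbrella block page, count how many Malware blocks hit those addresses versus unknown destinations.

```python
import ipaddress
from collections import Counter

# Constructed sample of FTD Security Intelligence block events (not real FTD
# syslog output; fields: timestamp, source IP, destination IP, SI category).
SAMPLE_EVENTS = """\
2023-01-10T09:01:11 10.10.5.21 146.112.56.158 Malware
2023-01-10T09:01:13 10.10.5.22 146.112.56.158 Malware
2023-01-10T09:02:40 10.10.7.9 203.0.113.44 Malware
2023-01-10T09:03:05 10.10.5.21 146.112.56.158 Malware
"""

# Addresses the admin has confirmed belong to the Umbrella/OpenDNS block page.
# The /32 below is the address quoted in the thread; any wider ranges must
# come from Umbrella's own documentation, not from this example.
KNOWN_UMBRELLA_BLOCK_PAGE = ["146.112.56.158/32"]


def parse_events(text):
    """Turn the constructed event lines into (src, dst, category) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, category = line.split()
        events.append((ipaddress.ip_address(src),
                       ipaddress.ip_address(dst), category))
    return events


def triage(events, known_block_page):
    """Split Malware SI blocks into 'redundant' (destination is an Umbrella
    block-page address, so Umbrella already blocked the original site) and
    'review' (anything else). Returns two {ip: count} dicts."""
    nets = [ipaddress.ip_network(n) for n in known_block_page]
    redundant, review = Counter(), Counter()
    for _src, dst, category in events:
        if category != "Malware":
            continue
        if any(dst in n for n in nets):
            redundant[str(dst)] += 1
        else:
            review[str(dst)] += 1
    return dict(redundant), dict(review)


if __name__ == "__main__":
    r, v = triage(parse_events(SAMPLE_EVENTS), KNOWN_UMBRELLA_BLOCK_PAGE)
    print("redundant with Umbrella:", r)
    print("needs analyst review:", v)
```

The "redundant" set is the list of addresses to raise with Cisco for Security Intelligence feed review or to place on a Do-Not-Block list, while the "review" set keeps the blocks that may be genuine.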
