
Lots of users suddenly get blocked by FTD Security Intelligence

Chess Norris
Level 4

Hello,

A few days ago we started to get reports from users from different countries not being able to log in to our systems anymore.

In FMC I can see the IP addresses in the Security-Related Connection Events being IP blocked with the Security Intelligence category "Malware". When I right-click on the IP address, I can look the address up on Talos and it confirms that the IP address has been blocked due to malware.


I really don't understand why this suddenly happened and I cannot find anything common with those IP addresses (they are all behind different ISPs and from different countries, etc.).

Does anyone have any tips for troubleshooting why SI starts blocking connections?

Thanks

/Chess

 

 


balaji.bandi
Hall of Fame

This could be based on the incident; Talos automatically adds the IP. If you think the IP is genuine as per your information, you can raise a ticket with Talos to unblock it (again, they will investigate the correct information and take action).

 

BB


Thank you for the suggestion. I will create a ticket and hopefully they can investigate what happened. Is that a specific incident that you mention?

/Chess
