Thank you very much for your reply.

I am in U.S. not Japan.  Yes ISP provides 107.xxx.xxx.xxx

There should be no updates from brightcloud IPs in JP region. I have no indication there should be any open connection to JP region IP addresses.

I have tried to separate the rules in the table - see rule 5 and 6 below. That has no effect that i can tell.

Denying any source or destination interface for an IP or range seems like the solution.

Would this rule be most effective at blocking access?

Denied -- IPv4: All Traffic -- Any -- 52.32.234.204 -- Any -- 52.32.234.204 -- ANYTIME

With your suggested rule, would that only block outgoing traffic to the IP 52.32.234.204 ??

And mainly, why would there be any open connection from a random IP to my ISP WAN address?

All traffic routes through ISP address of course, however, then the -- Status and Statistics -- TCP/IP Services - Established Connection Status -- would show all connections through NAT to the LAN. That only shows seven connections at most.

The documentation from Cisco is very lacking about the expected behavior of many functions in the Admin UX.

Access Rules screenshot below:

Thanks again for any suggestion.

With your suggested rule, would that only block outgoing traffic to the IP 52.32.234.204 ??

BB - you can add as many rules, if you see any suspcious like this.

I also like to see any LAN Side device compromised and sending traffic also, another way to Look.

I have seen the documentaion - Webfilter uses the brightcloud.

for now it is going to contact port 80 and 443, we can not guess what is this related, as per the IP concern, it related to brighcloud. do you have any webfilter enabled.

I do see some firesight other firepower product use below URL :

database.brightcloud.com
service.brightcloud.com

below guide for reference :

https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118852-technote-firesight-00.html 

Hi,

Thanks again.

I have no evidence of compromised LAN side devices.

I do not use webfilter function.

I have no access to firesight product.

There should be no connection to JP region IPs

There should be no connections on the ISP IP.

I do fault very poor documentation.

What is the expected behavior of the router for that function - Status and Statistics - TCP/IP Services - Established Connection Status - ??

What is the expected behavior for the access control rules?

Your suggestion may be valid, but how much experimentation must I do?

How do I validate that anyway?

Why the H is the router admin not documented?

All the documentation does is repeat what is already in the Admin UI.

So Many Quesion i can not answer. Bur few i can.

1. The Device com with advanced security Features WebFilter  - so it required conmstant database update from the clod to protect your network (latest name called Zero Trust - and many other names)- this means you have upto date DB from Cisco.

2. I have given firesight example, to understand why brightcloud involved to know  - you do not need to spend much time on that.

3. Today trends are different, the more devices expose to internet have high risk, So your FW need to monitor and tune as per the requirement,

Hope this make sense ?

I have provided the information based on the input you have given and provided in the post screenshot, this is pure your environment and controlled by your network admin (or you).  

This is information based on the destination IP you were investigating the suspecting.52.32.234.204

This may be wrong on other side your point of view, i would suggest here to contact Cisco TAC and confirm by providing that IP address,

You still don't understand the issue. There are several foreign IP addresses connected directly to the WAN IP. Packet traces show absolutely no LAN side connection to those foreign IPs. Sorry, you have provided no meaningful or helpful information.

"You still don't understand the issue"  - As per the orginal post you were onlyconcerned about the IP you provided.

Now you have mentioned in the last post "There are several foreign IP addresses connected directly to the WAN IP"

This not make any sense for me, since you have not provide enough evidence that what IP address those are.

I am sure some this not right here for sure, you may have attacks on WAN IP, but no evidence.

I will Hold my fire to assits here, since i do not have visibility, wait for further input from you or some other can assits who can understand your issue better.