Severity High and medium action are getting allow instead of block

Reply
Highlighted
L2 Linker

Severity High and medium action are getting allow instead of block

Hi All,

After upgrade to 9.1.5, i noticed the Severity level high and medium threat actions are allowed and some of them are getting sinkhole. Please let us know if anyone knows why it's getting alert instead of the block in high severity. Attached screenshots

DNS-Issue-Not block.png

Highlighted
L7 Applicator

The Severity based rules are for Anti-Spyware. There is no Severity based rules for Anti-Spyware DNS.

For Anti-Spyware DNS, you define actions based on Content DNS signatures, DNS Security DNS Categories, or EDL's of type Domain.

 

Highlighted
L2 Linker

@mivaldi thanks for reply.

 

So is this expected behaviour? The same url it's getting sinkhole alternatively. I cross checked same in other firewall which is running 9.0 os and confirmed all the high, Medium and critical named as DGA Domain and spyware type are sinkholed.

Highlighted
L7 Applicator

URL's are HTTP traffic, so they don't get sinkholed. URL's are subject to URL Filtering.

Sinkhole is applied to domains, which is DNS traffic.

 

Please open a Support case so we can work with you and understand the question better.

We can come back to this post at the end of the case to share our findings with the community.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!