With OneView's Web Protection enabled, inbound website detections from public IP addresses can be expected when there is an open port exposed to the internet. Detections displaying the following results are blocked because the public IPs have a known history of abuse:
- Type: Inbound Connection
- Action Taken: Blocked
- Category: Website
Note: If you suspect the detections are false positives, inform our support and research teams so they can investigate and validate them. If they determine a detection is safe, they will remove the block. For more information, see Report a false positive to ThreatDown.
Assess whether the inbound ports are intentionally or unintentionally left open and take appropriate action.
If the inbound ports are unintentionally open and you want to prevent these detections, close the inbound ports in the rules of the router or firewall appliance that the endpoint is behind. If the ports appear to be closed but the detections still occur, verify that Universal Plug and Play (UPnP) is disabled on the router.
If the inbound ports are intentionally left open and you want to reduce the number of detections in OneView, check whether your firewall appliance supports a feature such as geo-blocking. For additional information and recommendations, see https://www.threatdown.com/blog/how-to-protect-rdp/.
Note: If the inbound detection shows port 0, the detection corresponds to Internet Control Message Protocol (ICMP) traffic.
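The assessment described above, as an added example that is not part of the original article or ThreatDown's own tooling: it compares the ports seen in inbound detections with the ports the endpoint is actually listening on and sorts each one into ICMP, intentionally open, unintentionally open, or not listening. The detection field names, the sample data and the `intended_ports` allowlist are assumptions.

```python
import re

# Constructed `netstat -an` excerpt from a Windows endpoint (sample data, not from the page).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING
  TCP    [::]:8080              [::]:0                 LISTENING
  TCP    192.168.1.20:50112     203.0.113.7:443        ESTABLISHED
"""

# Constructed detection rows; the field names are assumptions, not OneView's export schema.
SAMPLE_DETECTIONS = [
    {"category": "Website", "type": "Inbound Connection", "action": "Blocked", "port": 3389},
    {"category": "Website", "type": "Inbound Connection", "action": "Blocked", "port": 8080},
    {"category": "Website", "type": "Inbound Connection", "action": "Blocked", "port": 0},
    {"category": "Website", "type": "Inbound Connection", "action": "Blocked", "port": 5354},
    {"category": "Website", "type": "Outbound Connection", "action": "Blocked", "port": 443},
]

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING", re.MULTILINE)

def exposed_listeners(netstat_text):
    """Return the TCP ports that listen on a non-loopback address."""
    ports = set()
    for addr, port in LISTEN_RE.findall(netstat_text):
        if not (addr.startswith("127.") or addr == "[::1]"):
            ports.add(int(port))
    return ports

def triage(detections, netstat_text, intended_ports):
    """Map each detected inbound port to the follow-up the article describes."""
    listening = exposed_listeners(netstat_text)
    verdicts = {}
    for d in detections:
        if d["type"] != "Inbound Connection" or d["category"] != "Website":
            continue  # other detection types are out of scope here
        port = d["port"]
        if port == 0:
            verdicts[port] = "icmp"           # port 0 means ICMP, no TCP port to close
        elif port not in listening:
            verdicts[port] = "no-listener"    # appears closed: re-check router rules and UPnP
        elif port in intended_ports:
            verdicts[port] = "intentional"    # kept open on purpose: consider geo-blocking
        else:
            verdicts[port] = "unintentional"  # close it on the router or firewall
    return verdicts

print(triage(SAMPLE_DETECTIONS, SAMPLE_NETSTAT, intended_ports={3389}))
```

To use it on a real endpoint, pass the text output of `netstat -an` and your own list of ports that are meant to be reachable.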
Detections categorized as Remote intrusion with the Inbound Connection type can occur based on your existing Brute Force Protection trigger settings as specified in your OneView policies. For more information, see Protect your environment from brute force attacks with OneView.