Just one thing I wanted to confirm . In envoirements where users are using proxy to access the internet . When they try to visit any site that re-directs them to a malicious site that type of attack is usally blocked by SEP . In Firewall > Browser and stealth settings > Automatically block attacker IP address for 600 seconds is checked .
Now that proxy is being used so all traffic coming in to the user will be soruced from Proxy IP address which will then be blocked by SEP . Now to resolve this we usually uncheck this option to prevent Proxy from getting blocked . I wanted to know if we keep this option checked is there any other way we can make our SEP proxy aware as not to block the Proxy IP but block the IP address of the actual attacker.
IF I add the proxy IP in excluded hosts in IPS policy would it make any difference ?
With default out of the box firewall and IPS policies configured and enabled if the above scenerio happens would the endpoints block the IP address of the Proxy ( if the above mentioned type of a attack is detected) . Thanks