Safe Access Many Safe Access blocks


Solved: Same thing was happening to me. I logged in to my Synology router > Control Panel > System > System Databases and have updated all the databases. They are set up to do it automatically, but for me they only update weekly, so I did them all manually in hopes that this will solve the problem.

I haven't gotten another warning since 9am CST; it is now almost 2pm. Hope this helps.
 
Here is the SYNO reply:

"This block of IPs is owned by Edgecast, a CDN company. It is a false positive since it's associated with streaming apps on these devices.

You can add the IP to the exception list.

Also, make sure the Threat Intelligence Database is up to date."
 
I was seeing the same on my end and I am in Canada. Seems like it was hitting all day long and then just stopped.
 
Here’s what I received:

Thank you for contacting Synology Support. My name is Rob, and I will be assisting you today.

I understand that you are concerned about the large number of alerts coming from 192.229.211.108.

Safe Access uses the block lists from the FireHOL security project. You can read more about them at the link below.

FireHOL IP Lists | IP Blacklists | IP Blocklists | IP Reputation

As far as we can tell, there was some malicious port scanning coming from that IP address.

Problems like this can occur when data centers for major IT companies host out to other customers. If a bad actor comes in and starts performing malicious acts from a host at the data center, then the IP goes on the blocked list, even if most of the traffic is legit. This is because it is difficult to distinguish bad traffic from the good when coming from the same IP address.

Rest assured that FireHOL will investigate the issue and unblock it when they are sure the security issue has been dealt with.
-- post merged: --

So we wait?
-- post merged: --

Hello Jan,

When the issue with the IP is resolved then FireHOL will update their database and you will stop getting notifications.

Let me know if you have any questions on this and I will be happy to help.

Thanks,
 
Friday 2/2/24 7:53AM EST:
Quiet here (no emails), but I'm also now seeing 8000+ outgoing firewall denies on the LAN IPs to 192.229.211.108.
No hits on inbound deny from that IP.

So at this point, not sure if it's fixed, and I'm blocking good things... or I'm blocking incorrect things, and it's not yet fixed?

Telos??
 
More new info:

Hello Jan,

I am assisting while Rob is out.

After reviewing, our developers determined that the blocking for 192.229.211.108 is a false positive. This is a dedicated address that belongs to DigiCert. You can find this information referenced in this article from DigiCert's knowledge base.

Safe Access implements third-party databases for the network protection function (FireHOL IP Lists and Google Safe Browsing, depending on which you have enabled). As a workaround until these databases are updated, it is safe to add this address to the Safe Access exception list:



Please let me know if you have any other questions about this topic.

Kind regards,

Susana | Senior Support Engineer
 
In an attempt to inform others.... The Outbound Firewall deny is still getting thousands of HITS....

For those who did not do this.... I've noticed a few Database Updates in the past few days.....

Have any of those updates fixed the issue? (In other words, can I disable the firewall rule yet?)
Thanks!
 
The easiest test is to disable the firewall rule and see if you still see the events in SA. What I might also do, since you are actively monitoring the SA events, is temporarily disable the email notifications for this event type: the activity log will still have them if they are occurring.
 
Yes, but in the days before the firewall denies, the emails would seemingly come and go in hours-long spurts, making me think that it was fixed, only to find out later that emails would start up again!
I had asked Support if they would be informed when this would stop and they said it’s in the hands of a third party.

So:😱😱
 
As they said, they use the FireHOL IP lists, and Google’s Safe Search. Just like they use Proofpoint’s ET Open threat signatures in Threat Prevention. Synology is not curating these lists and so is reliant on them being maintained by these third parties.
 
So today checked firewall.... Just to see the amount of activity... (no SA emails since Deny Rule outbound to 192.229.211.108)

354K of Internet 'Allows'
112K of 'Deny All'

and 30K of Deny LAN outbound to 192.229.211.108 and they are still increasing....
0 of Deny from 192.229.211.108 to any IP on LAN.
 
So today checked firewall.... Just to see the amount of activity... (no SA emails since Deny Rule outbound to 192.229.211.108)
...
and 30K of Deny LAN outbound to 192.229.211.108 and they are still increasing
The firewall takes priority so SA shouldn't alert to requests resolving to this IP.

But SA alerts because the IP filters it uses had flagged this IP as malicious. If you continue to block access using the firewall then you'll not know when the IP filters stop classifying the IP. The reason that firewall connection requests are rising is because they are requesting resolution and it is to this IP address, so they keep trying to use it.

0 of Deny from 192.229.211.108 to any IP on LAN
The firewall isn't a packet filter, so it's unlikely that this Internet IP will initiate communications to you.


If you want to find out if the SA IP filters have stopped classifying the IP address as malicious then you could temporarily disable the outbound firewall rule. You should be able to see the rate of hits on the rule before disabling it, so you can be pretty sure how long you have to wait with it off.
 
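A way to tell when a list has stopped flagging the address without taking the outbound firewall rule down, as an added example that is not part of any post in this thread: it parses two saved copies of a blocklist in FireHOL's plain-text `.netset` format and reports whether 192.229.211.108 is still covered. The thread does not say which FireHOL list Safe Access consumes, so the snapshot contents and all function names here are constructed for illustration.

```python
import ipaddress

# Constructed snapshots in FireHOL .netset format: '#' comment lines, then one
# IPv4 address or CIDR per line. These are NOT real list contents.
SNAPSHOT_BEFORE = """\
# constructed sample, saved before a list update
192.0.2.0/24
192.229.211.108
198.51.100.7
203.0.113.0/25
"""
SNAPSHOT_AFTER = """\
# constructed sample, saved after a later list update
192.0.2.0/24
198.51.100.7
203.0.113.0/25
"""


def parse_netset(text):
    """Return the networks in a .netset/.ipset body, skipping comments."""
    networks = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # skip a malformed line instead of aborting the check
    return networks


def matching_entries(ip, networks):
    """Return every list entry (single address or CIDR) covering the IP."""
    addr = ipaddress.ip_address(ip)
    return [str(n) for n in networks if n.version == addr.version and addr in n]


def listing_status(ip, before_text, after_text):
    """Classify an IP across two snapshots of the same list."""
    before = matching_entries(ip, parse_netset(before_text))
    after = matching_entries(ip, parse_netset(after_text))
    if after:
        return "still listed" if before else "newly listed"
    return "delisted" if before else "never listed"


if __name__ == "__main__":
    print(listing_status("192.229.211.108", SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
```

Checking for covering CIDR entries matters because an address can remain blocked through a wider range after its single-address entry is removed.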