Monitor Blocked IP Addresses

Advanced Threat Prevention

Monitor Blocked IP Addresses

Table of Contents

Monitor Blocked IP Addresses

Where Can I Use This?
What Do I Need?
  • NGFW
  • Advanced Threat Prevention or Threat Prevention License
The firewall maintains a block list of source IP addresses that it’s blocking. When the firewall blocks a source IP address, such as when you configure either of the following policy rules, the firewall blocks that traffic in hardware before those packets use CPU or packet buffer resources:
  • A classified DoS Protection policy rule with the action to
    (a classified DoS Protection policy specifies that incoming connections match a source IP address, destination IP address, or source and destination IP address pair, and is associated with a Classified DoS Protection profile, as described in DoS Protection Against Flooding of New Sessions).
  • A Security Policy rule that uses a Vulnerability Protection profile
Hardware IP address blocking is supported on PA-3200 Series, PA-5200 Series, PA-5400 Series (excepting the PA-5450), and PA-7000 Series firewalls.
You can view the block list, get detailed information about an IP address on the block list, or view counts of addresses that hardware and software are blocking. You can delete an IP address from the list if you think it shouldn’t be blocked. You can change the source of detailed information about addresses on the list. You can also change how long hardware blocks IP addresses.
  • View block list entries.
    1. Select
      Block IP List
      Entries on the block list indicate in the Type column whether they were blocked by hardware (hw) or software (sw).
    2. View at the bottom of the screen:
      • Count of
        Total Blocked IPs
        out of the number of blocked IP addresses the firewall supports.
      • Percentage of the block list the firewall has used.
    3. To filter the entries displayed, select a value in a column (which creates a filter in the
      field) and Apply Filter ( ). Otherwise, the firewall displays the first 1,000 entries.
    4. Enter a
      number or click the arrows at the bottom of the screen to advance through pages of entries.
    5. To view details about an address on the block list, hover over a Source IP address and click the down arrow link. Click the
      Who Is
      link, which displays Network Solutions Whois information about the address.
  • Delete block list entries.
    Delete an entry if you determine the IP address shouldn’t be blocked. Then revise the policy rule that caused the firewall to block the address.
    1. Select
      Block IP List
    2. Select one or more entries and click
    3. (
      ) Select
      Clear All
      to remove all entries from the list.
  • Disable or re-enable hardware IP address blocking for troubleshooting purposes.
    While hardware IP address blocking is disabled, the firewall still performs any software IP address blocking you have configured.
    set system setting hardware-acl-blocking [enable | disable]
    To conserve CPU and packet buffer resources, leave hardware IP address blocking enabled unless Palo Alto Networks technical support asks you to disable it, for example, if they are debugging a traffic flow.
  • Tune the number of seconds that IP addresses blocked by hardware remain on the block list (range is 1-3,600; default is 1).
    set system setting hardware-acl-blocking duration
    Maintain a shorter duration for hardware block list entries than software block list entries to reduce the likelihood of exceeding the blocking capacity of the hardware.
  • Change the default website for finding more information about an IP address from Network Solutions Who Is to a different website.
    set deviceconfig system ip-address-lookup-url
  • View counts of source IP addresses blocked by hardware and software, for example to see the rate of an attack.
    View the total sum of IP address entries on the hardware block table and block list (blocked by hardware and software):
    show counter global name flow_dos_blk_num_entries
    View the count of IP address entries on the hardware block table that were blocked by hardware:
    show counter global name flow_dos_blk_hw_entries
    View the count of IP address entries on the block list that were blocked by software:
    show counter global name flow_dos_blk_sw_entries
  • View block list information per slot on a PA-7000 Series firewall.
    show dos-block-table software filter slot

Recommended For You