Threat Prevention or Threat Prevention License
The firewall maintains a block list of source
IP addresses that it’s blocking. When the firewall blocks a source
IP address, such as when you configure either of the following policy
rules, the firewall blocks that traffic in hardware before those
packets use CPU or packet buffer resources:
DoS Protection policy rule with the action to
classified DoS Protection policy specifies that incoming connections
match a source IP address, destination IP address, or source and
destination IP address pair, and is associated with a Classified
DoS Protection profile, as described in DoS Protection Against Flooding
of New Sessions).
IP address blocking is supported on PA-3200 Series, PA-5200 Series,
PA-5400 Series (except the PA-5450), and PA-7000 Series firewalls.
You can view the block list, get detailed information about an IP address
on the block list, or view counts of addresses that hardware and software
are blocking. You can delete an IP address from the list if you
think it shouldn’t be blocked. You can change the source of detailed
information about addresses on the list. You can also change how
long hardware blocks IP addresses.
View block list entries.
Block IP List
Entries on the block list indicate in the Type column whether
they were blocked by hardware (hw) or software (sw).
View at the bottom of the screen:
Total Blocked IPs
of the number of blocked IP addresses the firewall supports.
Percentage of the block list the firewall has used.
To filter the entries displayed, select a value in
a column (which creates a filter in the
and Apply Filter (
). Otherwise, the
firewall displays the first 1,000 entries.
number or click
the arrows at the bottom of the screen to advance through pages
To view details about an address on the block list,
hover over a Source IP address and click the down arrow link. Click
Delete an entry if you determine the
IP address shouldn’t be blocked. Then revise the policy rule that
caused the firewall to block the address.
Block IP List
Select one or more entries and click
remove all entries from the list.
Disable or re-enable hardware IP address blocking for
While hardware IP address blocking is disabled, the
firewall still performs any software IP address blocking you have
set system setting hardware-acl-blocking [enable | disable]
To conserve CPU and packet buffer resources,
leave hardware IP address blocking enabled unless Palo Alto Networks
technical support asks you to disable it, for example, if they are
debugging a traffic flow.
Tune the number of seconds that IP addresses blocked
by hardware remain on the block list (range is 1-3,600; default
set system setting hardware-acl-blocking duration
Maintain a shorter duration for hardware block
list entries than software block list entries to reduce the likelihood
of exceeding the blocking capacity of the hardware.
Change the default website for finding more information
about an IP address from Network Solutions Who Is to
a different website.
set deviceconfig system ip-address-lookup-url
View counts of source IP addresses blocked by hardware
and software, for example to see the rate of an attack.
View the total sum of IP address entries on the hardware
block table and block list (blocked by hardware and software):
show counter global name flow_dos_blk_num_entries
View the count of IP address entries on the hardware block table that
were blocked by hardware:
show counter global name flow_dos_blk_hw_entries
View the count of IP address entries on the block list that were blocked
show counter global name flow_dos_blk_sw_entries
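As an added example (not Palo Alto Networks' own code or part of this documentation), the following Python script reads the three counters above from two samples taken a few seconds apart, checks that the total equals the hardware plus software counts, and computes how many new block-list entries are appearing per second, which is the rate of an attack the text refers to. The counter output embedded in the script is constructed to resemble PAN-OS global counter output; the parser relies only on a counter name followed by an integer value. The rate threshold and the hardware block-table capacity are operator-supplied assumptions, since the documentation gives no numbers for either and capacity is platform-specific.

```python
"""Monitor the DoS block-list counters from two samples taken a few seconds apart.

Added example, not Palo Alto Networks' own code. It parses the output of

    show counter global name flow_dos_blk_num_entries
    show counter global name flow_dos_blk_hw_entries
    show counter global name flow_dos_blk_sw_entries

and reports the hardware/software split and how fast new entries are appearing.
The sample output below is CONSTRUCTED to resemble PAN-OS global counter
output; the parser relies only on a counter name followed by an integer value.
"""
import re
from dataclasses import dataclass

COUNTER_NAMES = ("flow_dos_blk_num_entries",
                 "flow_dos_blk_hw_entries",
                 "flow_dos_blk_sw_entries")
COUNTER_RE = re.compile(r"^\s*(flow_dos_blk_(?:num|hw|sw)_entries)\s+(\d+)\b",
                        re.MULTILINE)

# Constructed sample output: a first snapshot and a second one taken 10 s later.
SAMPLE_T0 = """\
Global counters:
Elapsed time since last sampling: 10.2 seconds

name                        value  rate severity category aspect description
---------------------------------------------------------------------------
flow_dos_blk_num_entries      150     0 info     flow     dos    DoS block entries (constructed)
flow_dos_blk_hw_entries       120     0 info     flow     dos    hardware block entries (constructed)
flow_dos_blk_sw_entries        30     0 info     flow     dos    software block entries (constructed)
"""
SAMPLE_T1 = """\
flow_dos_blk_num_entries      270    12 info     flow     dos    DoS block entries (constructed)
flow_dos_blk_hw_entries       235    11 info     flow     dos    hardware block entries (constructed)
flow_dos_blk_sw_entries        35     0 info     flow     dos    software block entries (constructed)
"""
SAMPLE_INTERVAL_S = 10.0


@dataclass(frozen=True)
class BlockListSnapshot:
    total: int  # flow_dos_blk_num_entries: hardware block table + software block list
    hw: int     # flow_dos_blk_hw_entries: entries blocked by hardware
    sw: int     # flow_dos_blk_sw_entries: entries blocked by software

    @classmethod
    def from_output(cls, text: str) -> "BlockListSnapshot":
        """Extract the three counters from CLI output; fail loudly if any is absent."""
        found = {name: int(value) for name, value in COUNTER_RE.findall(text)}
        missing = [c for c in COUNTER_NAMES if c not in found]
        if missing:
            raise ValueError(f"counter(s) not found in output: {missing}")
        return cls(found["flow_dos_blk_num_entries"],
                   found["flow_dos_blk_hw_entries"],
                   found["flow_dos_blk_sw_entries"])

    def consistent(self) -> bool:
        """The documentation describes the total as the sum of the hardware block
        table and the software block list, so hw + sw should equal total."""
        return self.total == self.hw + self.sw

    def hw_share(self) -> float:
        """Fraction of current block-list entries that hardware is enforcing."""
        return self.hw / self.total if self.total else 0.0


def entry_rates(before: BlockListSnapshot, after: BlockListSnapshot,
                seconds: float) -> dict:
    """Net new entries per second between two snapshots, per counter.
    Negative values mean more entries expired than were added."""
    if seconds <= 0:
        raise ValueError("interval must be positive")
    return {"total": (after.total - before.total) / seconds,
            "hw": (after.hw - before.hw) / seconds,
            "sw": (after.sw - before.sw) / seconds}


def assess(before: BlockListSnapshot, after: BlockListSnapshot, seconds: float,
           rate_threshold: float, hw_capacity: int = 0) -> dict:
    """Summarise two snapshots. rate_threshold (new entries/s) and hw_capacity
    (hardware block-table size) are ASSUMED, operator-chosen values."""
    rates = entry_rates(before, after, seconds)
    result = {"rates": rates,
              "hw_share": after.hw_share(),
              "consistent": before.consistent() and after.consistent(),
              "rate_alert": rates["total"] >= rate_threshold}
    if hw_capacity:
        result["hw_capacity_used"] = after.hw / hw_capacity
    return result


if __name__ == "__main__":
    t0 = BlockListSnapshot.from_output(SAMPLE_T0)
    t1 = BlockListSnapshot.from_output(SAMPLE_T1)
    report = assess(t0, t1, SAMPLE_INTERVAL_S, rate_threshold=5.0, hw_capacity=4096)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feeding the script the saved output of the three commands from two consecutive runs gives the per-second growth of the hardware and software block lists; a sustained high rate combined with a rising hw_capacity_used figure is the signal to shorten the hardware-acl-blocking duration as the tuning step above recommends.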
View block list information per slot on a PA-7000 Series