Monitor Block List

There are two ways you can cause the firewall to place an IP address on the block list:
  • Configure a Vulnerability Protection profile with a rule to Block IP connections and apply the profile to a Security policy, which you apply to a zone.
  • Configure a DoS Protection policy rule with the Protect action and a Classified DoS Protection profile, which specifies a maximum rate of connections per second allowed. When incoming packets match the DoS Protection policy and exceed the Max Rate, and if you specified a Block Duration and a Classified policy rule to include source IP address, the firewall puts the offending source IP address on the block list.
In the cases described above, the firewall automatically blocks that traffic in hardware before those packets use CPU or packet buffer resources. If attack traffic exceeds the blocking capacity of the hardware, the firewall uses IP blocking mechanisms in software to block the traffic.
The firewall automatically creates a hardware block list entry based on your Vulnerability Protection profile or DoS Protection policy rule; the source address from the rule is the source IP address in the hardware block list.
Entries on the block list indicate in the Type column whether they were blocked by hardware (hw) or software (sw). The bottom of the screen displays:
  • Count of Total Blocked IPs out of the number of blocked IP addresses the firewall supports.
  • Percentage of the block list that the firewall has used.
To view details about an address on the block list, hover over a Source IP address and click the down arrow link. Click the Who Is link, which displays the Network Solutions Who Is feature, providing information about the address.
For information on configuring a Vulnerability Protection profile, see Customize the Action and Trigger Conditions for a Brute Force Signature. For more information on block list and DoS Protection profiles, see DoS Protection Against Flooding of New Sessions.

Related Documentation