Monitor Blocked IP Addresses
The firewall maintains a block list of source IP addresses that it’s blocking. When the firewall blocks a source IP address, such as when you configure either of the following policy rules, the firewall blocks that traffic in hardware before those packets use CPU or packet buffer resources:
- A classified DoS Protection policy rule with the action to Protect (a classified DoS Protection policy specifies that incoming connections match a source IP address, destination IP address, or source and destination IP address pair, and is associated with a Classified DoS Protection profile, as described in DoS Protection Against Flooding of New Sessions)
- A Security Policy rule that uses a Vulnerability Protection profile
Hardware IP address blocking is supported on PA-3060 firewalls, PA-3050 firewalls, and PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls.
You can view the block list, get detailed information about an IP address on the block list, or view counts of addresses that hardware and software are blocking. You can delete an IP address from the list if you think it shouldn’t be blocked. You can change the source of detailed information about addresses on the list. You can also change how long hardware blocks IP addresses.
- View block list entries.
  - Select Monitor > Block IP List. Entries on the block list indicate in the Type column whether they were blocked by hardware (hw) or software (sw).
  - View at the bottom of the screen:
    - Count of Total Blocked IPs out of the number of blocked IP addresses the firewall supports.
    - Percentage of the block list the firewall has used.
  - To filter the entries displayed, select a value in a column (which creates a filter in the Filters field) and Apply Filter. Otherwise, the firewall displays the first 1,000 entries.
  - Enter a Page number or click the arrows at the bottom of the screen to advance through pages of entries.
  - To view details about an address on the block list, hover over a Source IP address and click the down arrow link. Click the Who Is link, which displays Network Solutions Who Is information about the address.
- Delete block list entries. You might want to delete an entry if you determine an IP address shouldn't be blocked. You should then revise the policy rule that caused the firewall to block the address.
  - Select Monitor > Block IP List.
  - Select one or more entries and click Delete.
  - (Optional) Select Clear All to remove all entries from the list.
- Disable or re-enable hardware IP address blocking for troubleshooting purposes. While hardware IP address blocking is disabled, the firewall still performs any software IP address blocking you have configured.
  > set system setting hardware-acl-blocking [enable | disable]
  Leave hardware IP address blocking enabled unless Palo Alto Networks technical support asks you to disable it, for example, if they are debugging a traffic flow.
- Tune the number of seconds that IP addresses blocked by hardware remain on the block list (range is 1-3,600; default
  > set system setting hardware-acl-blocking duration <seconds>
  Maintain a shorter duration for hardware block list entries than for software block list entries to reduce the likelihood of exceeding the blocking capacity of the hardware.
- Change the default website for finding more information about an IP address from Network Solutions Who Is to a different website. This is a configuration-mode command, so set the URL and then commit the change.
  # set deviceconfig system ip-address-lookup-url <url>
- View counts of source IP addresses blocked by hardware and software, for example to see the rate of an attack.
  View the total sum of IP address entries on the hardware block table and block list (blocked by hardware and software):
  > show counter global name flow_dos_blk_num_entries
  View the count of IP address entries on the hardware block table that were blocked by hardware:
  > show counter global name flow_dos_blk_hw_entries
  View the count of IP address entries on the block list that were blocked by software:
  > show counter global name flow_dos_blk_sw_entries
- View block list information per slot on a PA-7000 Series firewall:
  > show dos-block-table software filter slot <slot-number>
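The three counters above are point-in-time gauges, so "seeing the rate of an attack" means polling them and differencing the samples. The script below is an added example, not code from the PAN-OS documentation or from Palo Alto Networks: it parses captured counter output, checks that flow_dos_blk_num_entries equals the hardware plus software counts (as the page states), computes the net rate of new block-list entries per second, and reports hardware block-table utilization against a capacity you supply (the "out of" figure shown at the bottom of Monitor > Block IP List; the value 4000 used here is an assumption, not a platform limit). The sample output is constructed; the parser assumes only that each line begins with the counter name followed by its integer value, and it ignores any further columns. How you collect the output (SSH, XML API) is up to you.

```python
"""Poll PAN-OS DoS block-table counters and derive attack rate and hardware-table usage."""
import re
from typing import Dict, List, Optional, Tuple

NUM = "flow_dos_blk_num_entries"  # hardware block table + software block list
HW = "flow_dos_blk_hw_entries"    # entries blocked by hardware
SW = "flow_dos_blk_sw_entries"    # entries blocked by software

# Constructed samples: (seconds since first poll, captured CLI output) taken every
# 60 s during a simulated flood. Real output has more columns; they are ignored.
SAMPLES: List[Tuple[float, str]] = [
    (0,   f"{NUM}   1200\n{HW}   1000\n{SW}    200\n"),
    (60,  f"{NUM}   3200\n{HW}   2900\n{SW}    300\n"),
    (120, f"{NUM}   4000\n{HW}   3600\n{SW}    400\n"),
]

COUNTER_RE = re.compile(r"^(flow_dos_blk_(?:num|hw|sw)_entries)\s+(\d+)\b", re.MULTILINE)


def parse_counters(text: str) -> Dict[str, int]:
    """Extract the three block-table counters; fail loudly if any is missing."""
    found = {name: int(value) for name, value in COUNTER_RE.findall(text)}
    missing = {NUM, HW, SW} - found.keys()
    if missing:
        raise ValueError(f"counters missing from output: {sorted(missing)}")
    return found


def is_consistent(counters: Dict[str, int]) -> bool:
    """num is documented as the sum of hw and sw; flag a sample where it is not."""
    return counters[NUM] == counters[HW] + counters[SW]


def hw_utilization_pct(hw_entries: int, hw_capacity: int) -> float:
    """Percent of the hardware block table in use; hw_capacity is the platform's
    supported entry count (assumed, read it from the GUI's 'out of' figure)."""
    if hw_capacity <= 0:
        raise ValueError("hw_capacity must be positive")
    return 100.0 * hw_entries / hw_capacity


def entry_rate_per_sec(prev: int, cur: int, interval_s: float) -> float:
    """Net change in entries per second. The counters are gauges, not monotonic
    totals, so the rate goes negative as entries time out of the list."""
    if interval_s <= 0:
        raise ValueError("interval must be positive")
    return (cur - prev) / interval_s


def assess(samples: List[Tuple[float, str]], hw_capacity: int,
           warn_pct: float = 80.0) -> List[dict]:
    """Produce one record per poll: counts, consistency, net rate, hw utilization."""
    results: List[dict] = []
    prev_t: Optional[float] = None
    prev_c: Optional[Dict[str, int]] = None
    for t, text in samples:
        c = parse_counters(text)
        pct = hw_utilization_pct(c[HW], hw_capacity)
        rate = None if prev_c is None else entry_rate_per_sec(prev_c[NUM], c[NUM], t - prev_t)
        results.append({
            "t": t, "total": c[NUM], "hw": c[HW], "sw": c[SW],
            "consistent": is_consistent(c),
            "rate_per_sec": rate,
            "hw_pct": pct,
            # Near capacity, new sources can no longer be blocked in hardware;
            # that is the moment to shorten hardware-acl-blocking duration.
            "hw_warn": pct >= warn_pct,
        })
        prev_t, prev_c = t, c
    return results


if __name__ == "__main__":
    for r in assess(SAMPLES, hw_capacity=4000):
        rate = "n/a" if r["rate_per_sec"] is None else f"{r['rate_per_sec']:+.1f}/s"
        flag = " WARN" if r["hw_warn"] else ""
        print(f"t={r['t']:>4}s total={r['total']:>5} hw={r['hw']:>5} sw={r['sw']:>4} "
              f"rate={rate} hw_util={r['hw_pct']:.1f}%{flag}")
```

Run it on the embedded samples and the third poll trips the 80% warning while the net rate is already falling, which is the pattern that argues for a shorter hardware duration rather than more capacity. Because the counters are gauges, compare the net rate with the configured hardware-acl-blocking duration: a sustained positive rate over a full duration window means new sources are arriving faster than old entries expire.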