Monitor Blocked IP Addresses
The firewall maintains a block list of source IP addresses that it’s blocking. When the firewall blocks a source IP address, such as when you configure either of the following policy rules, the firewall blocks that traffic in hardware before those packets use CPU or packet buffer resources:
- A classified DoS Protection policy rule with the action to Protect (a classified DoS Protection policy specifies that incoming connections match a source IP address, destination IP address, or source and destination IP address pair, and is associated with a Classified DoS Protection profile, as described in DoS Protection Against Flooding of New Sessions).
- A Security Policy rule that uses a Vulnerability Protection profile
Hardware IP address blocking is supported on PA-3060 firewalls, PA-3050 firewalls, and PA-3200 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls.
You can view the block list, get detailed information about an IP address on the block list, or view counts of addresses that hardware and software are blocking. You can delete an IP address from the list if you think it shouldn’t be blocked. You can change the source of detailed information about addresses on the list. You can also change how long hardware blocks IP addresses.
- View block list entries.
  - Select Monitor > Block IP List. Entries on the block list indicate in the Type column whether they were blocked by hardware (hw) or software (sw).
  - View at the bottom of the screen:
    - Count of Total Blocked IPs out of the number of blocked IP addresses the firewall supports.
    - Percentage of the block list the firewall has used.
  - To filter the entries displayed, select a value in a column (which creates a filter in the Filters field) and Apply Filter. Otherwise, the firewall displays the first 1,000 entries.
  - Enter a Page number or click the arrows at the bottom of the screen to advance through pages of entries.
  - To view details about an address on the block list, hover over a Source IP address and click the down arrow link. Click the Who Is link, which displays Network Solutions Who Is information about the address.
- Delete block list entries. Delete an entry if you determine the IP address shouldn’t be blocked. Then revise the policy rule that caused the firewall to block the address.
  - Select Monitor > Block IP List.
  - Select one or more entries and click Delete.
  - (Optional) Select Clear All to remove all entries from the list.
- Disable or re-enable hardware IP address blocking for troubleshooting purposes. While hardware IP address blocking is disabled, the firewall still performs any software IP address blocking you have configured.
    > set system setting hardware-acl-blocking [enable | disable]
  To conserve CPU and packet buffer resources, leave hardware IP address blocking enabled unless Palo Alto Networks technical support asks you to disable it, for example, if they are debugging a traffic flow.
- Tune the number of seconds that IP addresses blocked by hardware remain on the block list (range is 1-3,600; default
    > set system setting hardware-acl-blocking duration <seconds>
  Maintain a shorter duration for hardware block list entries than for software block list entries to reduce the likelihood of exceeding the blocking capacity of the hardware.
- Change the default website for finding more information about an IP address from Network Solutions Who Is to a different website.
    # set deviceconfig system ip-address-lookup-url <url>
- View counts of source IP addresses blocked by hardware and software, for example to see the rate of an attack.
  - View the total sum of IP address entries on the hardware block table and block list (blocked by hardware and software):
    > show counter global name flow_dos_blk_num_entries
  - View the count of IP address entries on the hardware block table that were blocked by hardware:
    > show counter global name flow_dos_blk_hw_entries
  - View the count of IP address entries on the block list that were blocked by software:
    > show counter global name flow_dos_blk_sw_entries
- View block list information per slot on a PA-7000 Series firewall.
    > show dos-block-table software filter slot <slot-number>
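The counter step above says the three `flow_dos_blk_*` counters let you see the rate of an attack, but a single reading is only a point in time. The following is an added example, not code from Palo Alto Networks or from this documentation: it takes two captured outputs of the counter commands, computes how fast the hardware and software block entries are growing, and checks how much of the hardware block table is in use so you can act before the hardware capacity is exceeded (which is the reason the page recommends a shorter hardware block duration). The tabular layout of the sample output is an assumption modelled on `show counter global` output, the counter values are constructed, and `HW_BLOCK_CAPACITY` is a placeholder for the platform-specific capacity shown on the Block IP List page.

```python
import re
from typing import Dict

# Counter names come from the page. The tabular layout of the sample output
# below is an assumption modelled on "show counter global" output; the values
# are constructed for illustration.
COUNTER_RE = re.compile(r"^(flow_dos_blk_(?:num|hw|sw)_entries)\s+(\d+)", re.MULTILINE)

# Placeholder: the hardware block table size is platform specific and is not
# given on the page. Replace with the capacity your firewall model reports.
HW_BLOCK_CAPACITY = 1000

# Constructed sample: first snapshot of the three counters.
SNAPSHOT_T0 = """\
Global counters:
Elapsed time since last sampling: 60.0 seconds

name                        value     rate severity  category  aspect
flow_dos_blk_num_entries      140        2 info      flow      dos
flow_dos_blk_hw_entries       120        2 info      flow      dos
flow_dos_blk_sw_entries        20        0 info      flow      dos
"""

# Constructed sample: second snapshot, taken 60 seconds later.
SNAPSHOT_T1 = """\
Global counters:
Elapsed time since last sampling: 60.0 seconds

name                        value     rate severity  category  aspect
flow_dos_blk_num_entries      620        8 info      flow      dos
flow_dos_blk_hw_entries       600        8 info      flow      dos
flow_dos_blk_sw_entries        20        0 info      flow      dos
"""


def parse_counters(output: str) -> Dict[str, int]:
    """Extract the DoS block-table counters from one command output."""
    return {name: int(value) for name, value in COUNTER_RE.findall(output)}


def entry_rate(before: Dict[str, int], after: Dict[str, int], seconds: float) -> Dict[str, float]:
    """Growth of each counter in entries per second between two snapshots."""
    return {name: (after[name] - before[name]) / seconds for name in before}


def hw_utilization(counters: Dict[str, int], capacity: int = HW_BLOCK_CAPACITY) -> float:
    """Fraction of the hardware block table currently in use."""
    return counters["flow_dos_blk_hw_entries"] / capacity


def assess(before_out: str, after_out: str, seconds: float,
           capacity: int = HW_BLOCK_CAPACITY, warn_at: float = 0.8) -> Dict[str, object]:
    """Summarise block-list growth and hardware capacity between two readings."""
    before, after = parse_counters(before_out), parse_counters(after_out)
    rates = entry_rate(before, after, seconds)
    util = hw_utilization(after, capacity)
    # The page states the total counter is the sum of the hardware and software
    # entries; a mismatch suggests the counters were read mid-update and the
    # snapshot should be taken again.
    consistent = (after["flow_dos_blk_num_entries"]
                  == after["flow_dos_blk_hw_entries"] + after["flow_dos_blk_sw_entries"])
    return {
        "hw_rate": rates["flow_dos_blk_hw_entries"],   # hardware-blocked entries added per second
        "sw_rate": rates["flow_dos_blk_sw_entries"],   # software-blocked entries added per second
        "hw_utilization": util,
        "near_capacity": util >= warn_at,
        "consistent": consistent,
    }


if __name__ == "__main__":
    for key, value in assess(SNAPSHOT_T0, SNAPSHOT_T1, seconds=60.0).items():
        print(f"{key}: {value}")
```

With the constructed snapshots the hardware table grows by 8 entries per second while the software list is flat, and 60% of the placeholder capacity is in use; feeding real readings from the two counter commands, taken a known interval apart, gives the attack rate the page refers to, and `near_capacity` is the signal to shorten the hardware block duration or revisit the policy rules that are populating the list.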