There are two ways you can cause the firewall to place
an IP address on the block list:

- Configure a Vulnerability Protection profile with a rule
  to Block IP connections and apply the profile to a Security policy,
  which you apply to a zone.
- Configure a DoS Protection policy rule with the Protect action
  and a Classified DoS Protection profile, which specifies a maximum
  rate of connections per second allowed. When incoming packets match
  the DoS Protection policy and exceed the Max Rate, and you specified
  a Block Duration and configured the Classified policy rule to include
  the source IP address, the firewall puts the offending source IP
  address on the block list.

In the cases described above, the firewall automatically blocks
that traffic in hardware before those packets use CPU or packet
buffer resources. If attack traffic exceeds the blocking capacity
of the hardware, the firewall uses IP blocking mechanisms in software
to block the traffic.
The firewall automatically creates a hardware block list entry
based on your Vulnerability Protection profile or DoS Protection
policy rule; the source address from the rule is the source IP address
in the hardware block list.
Entries on the block list indicate in the Type column whether
they were blocked by hardware (hw) or software (sw). The bottom
of the screen displays:

- Total Blocked IPs out of the number of blocked IP addresses
  the firewall supports.
- Percentage of the block list that the firewall has used.

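The following added example is a simplified Python model of the behavior described above, not firewall code or anything from the vendor: a per-source Max Rate check that lists an offending source for the Block Duration, with the entry typed hw until the hardware is full and sw after that. The class and parameter names, the one-second counting window, and treating hardware capacity as an entry count are assumptions made for illustration.

```python
"""Simplified model of a classified (per-source) rate limit feeding a block list.
Not PAN-OS code: names and the entry-count capacity are assumptions."""
from dataclasses import dataclass, field


@dataclass
class BlockListModel:
    max_rate: int        # Max Rate: connections per second allowed per source IP
    block_duration: int  # Block Duration, in seconds
    hw_capacity: int     # assumed: how many entries fit in hardware
    entries: dict = field(default_factory=dict)  # src -> (type, expiry time)
    window: dict = field(default_factory=dict)   # src -> (second, count)

    def connection(self, src: str, now: float) -> str:
        """Classify one new connection as 'allowed', 'blocked-hw' or 'blocked-sw'."""
        # Drop entries whose Block Duration has elapsed.
        self.entries = {ip: e for ip, e in self.entries.items() if e[1] > now}
        if src in self.entries:
            return "blocked-" + self.entries[src][0]
        second, count = self.window.get(src, (int(now), 0))
        count = count + 1 if second == int(now) else 1
        self.window[src] = (int(now), count)
        if count <= self.max_rate:
            return "allowed"
        # Over the Max Rate: list the source, in hardware while it has room,
        # otherwise in software.
        hw_used = sum(1 for kind, _ in self.entries.values() if kind == "hw")
        kind = "hw" if hw_used < self.hw_capacity else "sw"
        self.entries[src] = (kind, now + self.block_duration)
        return "blocked-" + kind

    def summary(self) -> dict:
        """Entry counts per Type column value."""
        kinds = [kind for kind, _ in self.entries.values()]
        return {"hw": kinds.count("hw"), "sw": kinds.count("sw")}


def demo() -> list:
    # Constructed traffic: two noisy sources and one quiet one (documentation IPs).
    fw = BlockListModel(max_rate=3, block_duration=60, hw_capacity=1)
    out = [fw.connection("198.51.100.7", 0.1 * i) for i in range(5)]
    out += [fw.connection("203.0.113.9", 1.0 + 0.1 * i) for i in range(4)]
    out.append(fw.connection("192.0.2.20", 1.5))
    out.append(fw.connection("198.51.100.7", 30.0))   # still inside Block Duration
    out.append(fw.connection("198.51.100.7", 61.0))   # entry expired
    return out


if __name__ == "__main__":
    print(demo())
```
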
To view details about an address on the block list, hover over
a Source IP address and click the down arrow link. Click the Who
Is link, which displays the Network Solutions Who Is feature, providing
information about the address.