Monitor Blocked IP Addresses
The firewall maintains a block list of source IP addresses that it’s blocking. When the firewall blocks a source IP address, such as when you configure either of the following policy rules, the firewall blocks that traffic in hardware before those packets use CPU or packet buffer resources:
- A classified DoS Protection policy rule with the action toProtect(a classified DoS Protection policy specifies that incoming connections match a source IP address, destination IP address, or source and destination IP address pair, and is associated with a Classified DoS Protection profile, as described in DoS Protection Against Flooding of New Sessions).
Hardware IP address blocking is supported on PA-3060 firewalls, PA-3050 firewalls, and PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls.
You can view the block list, get detailed information about an IP address on the block list, or view counts of addresses that hardware and software are blocking. You can delete an IP address from the list if you think it shouldn’t be blocked. You can change the source of detailed information about addresses on the list. You can also change how long hardware blocks IP addresses.
- View block list entries.
- Select.MonitorBlock IP ListEntries on the block list indicate in the Type column whether they were blocked by hardware (hw) or software (sw).
- View at the bottom of the screen:
- Count ofTotal Blocked IPsout of the number of blocked IP addresses the firewall supports.
- Percentage of the block list the firewall has used.
- To filter the entries displayed, select a value in a column (which creates a filter in theFiltersfield) and Apply Filter ( ). Otherwise, the firewall displays the first 1,000 entries.
- Enter aPagenumber or click the arrows at the bottom of the screen to advance through pages of entries.
- To view details about an address on the block list, hover over a Source IP address and click the down arrow link. Click theWho Islink, which displays Network Solutions Who Is information about the address.
- Delete block list entries.Delete an entry if you determine the IP address shouldn’t be blocked. Then revise the policy rule that caused the firewall to block the address.
- Select.MonitorBlock IP List
- Select one or more entries and clickDelete.
- (Optional) SelectClear Allto remove all entries from the list.
- Disable or re-enable hardware IP address blocking for troubleshooting purposes.While hardware IP address blocking is disabled, the firewall still performs any software IP address blocking you have configured.>set system setting hardware-acl-blocking [enable | disable]To conserve CPU and packet buffer resources, leave hardware IP address blocking enabled unless Palo Alto Networks technical support asks you to disable it, for example, if they are debugging a traffic flow.
- Tune the number of seconds that IP addresses blocked by hardware remain on the block list (range is 1-3,600; default is 1).>set system setting hardware-acl-blocking duration<seconds>Maintain a shorter duration for hardware block list entries than software block list entries to reduce the likelihood of exceeding the blocking capacity of the hardware.
- Change the default website for finding more information about an IP address from Network Solutions Who Is to a different website.#set deviceconfig system ip-address-lookup-url<url>
- View counts of source IP addresses blocked by hardware and software, for example to see the rate of an attack.View the total sum of IP address entries on the hardware block table and block list (blocked by hardware and software):>show counter global name flow_dos_blk_num_entriesView the count of IP address entries on the hardware block table that were blocked by hardware:>show counter global name flow_dos_blk_hw_entriesView the count of IP address entries on the block list that were blocked by software:>show counter global name flow_dos_blk_sw_entries
- View block list information per slot on a PA-7000 Series firewall.>show dos-block-table software filter slot<slot-number>