topic Re: Unblock IP address after threat triggered block-ip in General Topics

Unblock IP address after threat triggered block-ip

SimonBlackler — Sat, 11 Apr 2015 20:45:46 GMT

Suppose a long time value was set for a threat where one had set the action to block-ip - say 10 minutes

Is there any way via the CLI or GUI to see the list of IP addresses that are blocked due to the threat engine?

Better still, is there a way to clear that list, or selectively clear IP addresses?

Re: Unblock IP address after threat triggered block-ip

jvalentine — Sun, 12 Apr 2015 03:34:02 GMT

admin@pa0(active)> show dos-protection zone untrust blocked source

Vsys Zone Blocked IP TTL(sec)

------------------------------------------------------------------------------------------

1 untrust 166.70.8.4, 3

admin@pa0(active)>

admin@pa0(active)> clear dos-protection zone untrust blocked

> all Clear all IPs

> source Specify Source IP(s) to unblock

admin@pa0(active)> clear dos-protection zone untrust blocked source 166.70.8.4

admin@pa0(active)>

admin@pa0(active)> show dos-protection zone untrust blocked source

Vsys Zone Blocked IP TTL(sec)

------------------------------------------------------------------------------------------

admin@pa0(active)>

Re: Unblock IP address after threat triggered block-ip

SimonBlackler — Sun, 12 Apr 2015 07:21:09 GMT

Thanks Jared, I'm already familiar with those commands - sadly, they do not list IP addresses that have been blocked by specific Threat IDs. They only deal with IP blocked through the DoS counters.

For example, Threat ID 40001 "FTP: login Brute-force attempt" - if the action for this is changed to "block-ip" IP source for 1200 seconds, and an IP gets blocked, then it is apparently not possible to subsequently unblock that IP again before the 20 minutes is up. As you can imagine, sometimes an important customer gets caught out by this when accessing from an out of band IP, and asks us to unblock it - not an unreasonable request - with which we are currently unable to comply.

Re: Unblock IP address after threat triggered block-ip

jperry1 — Sun, 12 Apr 2015 18:35:45 GMT

run this command to see the IP listed

>debug dataplane show dos block-table

Run this command to the remove the IP. As of now I don't see a way to remove only the individual IP address. Being that these are blocked for a period of time you are less likely to have more than one IP blocked at the same time but if so this will release all of them. Then they must meet the threat criteria to be blocked again. Hope this helps

>debug dataplane reset dos block-table

UPDATE

Just test and this is how you unblock the individual IP

>debug dataplane reset dos zone L3_Untrust block-table source x.x.x.x

After running this command you may need to find the actual session and clear it from the "Discard" State

admin@PA-200> show session all filter source x.x.x.x

--------------------------------------------------------------------------------
ID          Application    State   Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
45629        ssh            DISCARD FLOW       x.x.x.x[36437]/L3_Untrust/6 (x.x.x.x[36437])
vsys1                                          10.0.0.5[22]/L3_Untrust (10.0.0.5[22])
admin@PA-200> clear session id 45629

Re: Unblock IP address after threat triggered block-ip

jvalentine — Sun, 12 Apr 2015 19:50:21 GMT

That's really weird because the show dos-protection / clear dos-protection commands work perfectly in my environment... even when triggered from vulnerability protection signatures such as brute-force SSH. Here's how I'm testing:

From a client to a server, I setup a constant ping. Then, from the same client, I initiated a brute-force SSH attack against that same server. As soon as the brute-force signature is triggered, the pings stop as expected. From here "show dos-protection..." shows the client's blocked IP address. Once I "clear dos-protection", the pings start back up again.

Either this is a difference in how a specific platform behaves (I'm using a VM-300), a PAN-OS code version difference, or you're testing this differently.