https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-blockip/m-p/31455#M23015 <HTML><HEAD></HEAD><BODY><P>I have configured a vulnerability protection profile to blacklist the ip addresses of attackers for all brute force login attempts with the signatures provided in the threat database.&nbsp; The profile works very well.&nbsp; However, i would now like to see the list of currently blacklisted ip addresses. I know it only blacklists for up to an hour, but there has to be a command to show the current ip addresses on the blacklist.</P><P></P><P>If anyone knows it, please assist me.</P><P></P><P>Thanks.</P><P></P><P>Richard</P></BODY></HTML> Thu, 10 May 2012 14:22:09 GMT 1stalliance 2012-05-10T14:22:09Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-blockip/m-p/31455#M23015 <HTML><HEAD></HEAD><BODY><P>I have configured a vulnerability protection profile to blacklist the ip addresses of attackers for all brute force login attempts with the signatures provided in the threat database.&nbsp; The profile works very well.&nbsp; However, i would now like to see the list of currently blacklisted ip addresses. I know it only blacklists for up to an hour, but there has to be a command to show the current ip addresses on the blacklist.</P><P></P><P>If anyone knows it, please assist me.</P><P></P><P>Thanks.</P><P></P><P>Richard</P></BODY></HTML> Thu, 10 May 2012 14:22:09 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-blockip/m-p/31455#M23015 1stalliance 2012-05-10T14:22:09Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-blockip/m-p/31456#M23016 <HTML><HEAD></HEAD><BODY><P>Hi Richard,</P><P></P><P>I haven't found a command just yet, but you should be able to goto the threat logs in the webUI, create an action filter that equals "block-ip" and run the filter in the logs.</P><P></P><P>This should show you what IPs are getting blocked and when. On a side note, for this to be more real-time, you may want to enable logging at the start of the session for the rule that's logging your block-ip threats.</P><P></P><P>-Jason</P></BODY></HTML> Sun, 13 May 2012 18:32:46 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-blockip/m-p/31456#M23016 jseals 2012-05-13T18:32:46Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-blockip/m-p/31457#M23017 <HTML><HEAD></HEAD><BODY><P>Shouldnt "log on session end" be equal as "log on session start" in this case since the ip is being blocked and hence the session is ended by the firewall?</P><P></P><P>I mean comparing with last "deny &amp; log" rule in the bottom of your ruleset. Since the session its denied it shouldnt matter if you select "log on session start" or "log on session end".</P></BODY></HTML> Mon, 14 May 2012 07:10:13 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-blockip/m-p/31457#M23017 mikand 2012-05-14T07:10:13Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-blockip/m-p/31458#M23018 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>You can try:</P><P></P><P>debug dataplane show dos&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; block-table</P><P></P><P>best regards,</P></BODY></HTML> Mon, 14 May 2012 15:35:46 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-blockip/m-p/31458#M23018 Fujitsu_cyberSOC 2012-05-14T15:35:46Z