Opened session remains after threat triggered block-ip. WTF!

L2 Linker


Hi, I've been testing the block-ip action in spyware DNS signatures. I was in an RDP session before the threat triggered the block-ip action. Then, no more connections are allowed (which is OK), but the RDP session remains open.

Is this normal behaviour? I think the FW should reset all the sessions previously established for the blocked IP, shouldn't it?

Thanks!

Community Manager

Re: Opened session remains after threat triggered block-ip. WTF!

Hi,

With the block-ip action set, the malicious session will be terminated and any new sessions will be blocked before they are created, but existing sessions could remain open as they were established before the malicious event.

Scanning on this active session will continue, and if any malicious packets are identified in that session, it will also be terminated.


Help the community: Like helpful comments and mark solutions
Reaper out