How to block the source of a threat for a specific time interval
59638
Created On 09/26/18 13:44 PM - Last Modified 04/20/20 23:58 PM
Symptom
This Article Describes how to block traffic from either a Source or a source-destination pair associated with a Threat ID for a specific period of time.
Resolution
Details
This is possible in both Vulnerability Protection and Anti Spyware:
Anti Spyware
1) Go to Objects > Security Profiles > Anti Spyware Profile > Exceptions.2) Check 'Show all Signatures' and select the appropriate Threat ID. Click on the Action and select Block IP, now it is possible to set the block time from 1 Second to 3600 Seconds.
Click on Track by IP Source (Block Traffic from source) or IP Source and Destination (Block Traffic between a Source-Destination Pair).
3) The final Action Rule will look as shown below:
The profile in the Security Policy will take effect and when an attack is detected it tracks based on the Source and Destination IP address and then blocks it for 3600 Seconds.
Vulnerability Protection
1) Go to Objects > Security Profiles > Vulnerability Protection > Exceptions.2) Check 'Show all Signatures' and select the appropriate Threat ID. Click on the Action and select Block IP, now it is possible to set the block time from 1 Second to 3600 Seconds.
Click on Track by IP Source (Block Traffic from source) or IP Source and Destination (Block Traffic between a Source-Destination Pair).
3) The final Action Rule will look as shown below:
The profile in the Security Policy will take effect, and when an attack is detected it tracks traffic based upon the Source IP address or traffic between the Source and Destination IP addresses (as a pair) and then blocks it for 3600 Seconds.
Additional Information
NOTE: 'Enabled' Check Box should be checked for any changes made under the 'Exceptions' tab to take effect.