Currently there is no way to automatically block IPs permanently using brute force signatures. There is a user-configurable black-hole timeout value, with a maximum of 1 hour. However, you can list the current black hole IPs through the CLI and periodically add repeat offenders to a policy that permanently blocks those addresses.
thanks! it seems to work well... 🙂
what i did was clone the "strict" policy and added the exceptions and set them to "block-ip" for 3600 (1 hour)... i assume that the rest of the "strict" policy still applies but the exceptions would take over when they are met?
i mean, like if the brute-force RDP is seen, it would block-ip instead of just "drop-all-packets"... but if the PA2020 sees a remote stack overflow, it would still "drop-all-packets"...
When you configure the block-ip action for a brute force signature, you can specify a time span for the block, which currently goes up to 1 hour. You should not see successful attempts from the same IP against the same IP that occur inside of the time you've specified for the block-ip action.
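The periodic review suggested in the first reply (list the black-holed IPs, then move repeat offenders into a permanent block policy) can be scripted; the following Python sketch is an added example, not something posted in the thread. It assumes the IPs have already been extracted from the CLI output into timestamped snapshots; the sample data, the threshold and the allowlist are constructed for illustration. Because a block lasts up to 1 hour, an IP seen in consecutive polls is counted as one block episode, not one per poll.

```python
import ipaddress
from collections import Counter

# Constructed sample: (poll time, IPs present in the block list at that poll).
# Polls are 30 minutes apart, so a single 1-hour block spans several polls.
SNAPSHOTS = [
    ("2024-01-01T00:00", ["203.0.113.7", "198.51.100.20"]),
    ("2024-01-01T00:30", ["203.0.113.7", "198.51.100.20"]),
    ("2024-01-01T01:00", []),
    ("2024-01-01T01:30", ["203.0.113.7", "10.1.2.3"]),
    ("2024-01-01T02:00", ["203.0.113.7", "10.1.2.3"]),
    ("2024-01-01T02:30", ["10.1.2.3"]),
    ("2024-01-01T03:00", ["203.0.113.7", "not-an-ip"]),
    ("2024-01-01T03:30", ["10.1.2.3"]),
]

def repeat_offenders(snapshots, min_episodes=3, allowlist=("10.0.0.0/8",)):
    """Return IPs blocked in at least min_episodes separate block episodes.

    An episode starts when an IP appears in a snapshot but was absent from
    the previous one. Allowlisted networks (assumed here to be internal
    ranges) are never proposed for a permanent block.
    """
    nets = [ipaddress.ip_network(n) for n in allowlist]
    episodes = Counter()
    previous = set()
    for _, entries in sorted(snapshots, key=lambda s: s[0]):
        current = set()
        for raw in entries:
            try:
                ip = ipaddress.ip_address(raw.strip())
            except ValueError:
                continue  # skip lines that are not an address
            if any(ip in net for net in nets):
                continue  # never auto-propose internal hosts
            current.add(ip)
        for ip in current - previous:
            episodes[ip] += 1  # new episode, not a continuing block
        previous = current
    hits = [ip for ip, n in episodes.items() if n >= min_episodes]
    return [str(ip) for ip in sorted(hits, key=lambda i: (i.version, int(i)))]

if __name__ == "__main__":
    for ip in repeat_offenders(SNAPSHOTS):
        print(ip)  # candidates to review before adding to the block policy
```

The output is a candidate list for review; adding addresses to the permanent policy stays a separate, deliberate step.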