- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
10-02-2012 01:33 AM
Hello,
is it possible to show a list of automatically blocked IP addresses (example: Threat prevention for Brute-Force Attacks).
And is it possible to remove an IP from that list?
Thanks
Jörg
10-02-2012 06:50 AM
Hello,
Currently there is no way to view/add/remove from the list of IPs that are blocked via vulnerability profile 'block-ip' option. There is a feature request open and I would recommend reaching out to your sales team so we can work to add this feature in a future release.
*EDIT* -- there is option to show/reset the block-table
> debug dataplane show dos block-table
> debug dataplane reset dos block-table
Cheers,
Stefan
10-02-2012 01:54 AM
Hi Jorg,
As far as I can recall, there is a work around to get the list of ip-addresses that the firewall block by threat.
You can create a custom report for the threat log to query action==deny. Or you can filter the threat logs with action eq deny as follows and export to csv.
In order to allow that threat or in case of False positive you can add an exception to threat in the security profile that is configured under Objects > Security Profiles >Antivirus > select the profile > Virus Exception
You cannot create an exception to an ip-address in the security profiles.
Let me know if that helps.
Regards,
Parth
10-02-2012 02:29 AM
OK, thanks!
Actually I don't want an exception. I just want to remove an IP, if it is blocked after testing.
It's OK for me. The time I set for blocking is expired
In future I'll test with a short time and if it works, I'll increase the time
Regards
Jörg
10-02-2012 06:50 AM
Hello,
Currently there is no way to view/add/remove from the list of IPs that are blocked via vulnerability profile 'block-ip' option. There is a feature request open and I would recommend reaching out to your sales team so we can work to add this feature in a future release.
*EDIT* -- there is option to show/reset the block-table
> debug dataplane show dos block-table
> debug dataplane reset dos block-table
Cheers,
Stefan
01-31-2024 08:16 PM
Did that feature request ever get implemented?
05-02-2024 10:32 AM
I'm wondering the same! 😕
06-06-2024 09:05 PM - edited 06-06-2024 09:07 PM
According to recent documentation, April 2024, every version from 9.1 to 11.1 are *supposed* to have a "Blocked IP" option under the Monitor tab.
I don't see it via Panorama or directly on the device, however, I just added the block-ip to a couple of vulnerabilities and maybe (far reaching) the firewall has to block an IP address before that option populates under the Monitor tab?
Strange that PAN has not responded to this question.
See this link for 9.1
06-07-2024 04:53 AM
So after more research in the wild it appears the larger firewalls have a block ip list in the monitor tab. It’s between session browser and botnet. It’s on the 5220s that I’m working with but not the azure vm firewalls nor the 440s in my lab. Strange that there is a hardware difference in this functionality.
06-07-2024 07:07 AM
I can confirm that the option exists on older 5260s and new 5420s, but does not exist on newer 3430s
Is the a 5000-series option?
What happens if you have the Action set to Block IP but you don't have the Monitor - Block IP List to see them? (still blocked for the configured time?).
The randomness of features between series is proving very frustrating.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!