How to show blocked IPs and how to remove a blocked IP

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to show blocked IPs and how to remove a blocked IP

L2 Linker

Hello,

is it possible to show a list of automatically blocked IP addresses (example: Threat prevention for Brute-Force Attacks).
And is it possible to remove an IP from that list?

Thanks
Jörg

1 accepted solution

Accepted Solutions

Hello,

Currently there is no way to view/add/remove from the list of IPs that are blocked via vulnerability profile 'block-ip' option. There is a feature request open and I would recommend reaching out to your sales team so we can work to add this feature in a future release.

*EDIT* -- there is option to show/reset the block-table

> debug dataplane show dos block-table

> debug dataplane reset dos block-table

Cheers,

Stefan

View solution in original post

9 REPLIES 9

L4 Transporter

Hi Jorg,

As far as I can recall, there is a work around to get the list of ip-addresses that the firewall block by threat.

You can create a custom  report for the threat log to query action==deny. Or you can filter the threat logs with action eq deny as follows and export to csv.

deny.PNG

In order to allow that threat or in case of False positive you can add an exception to threat in the security profile that is configured under Objects > Security Profiles >Antivirus > select the profile > Virus Exception

You cannot create an exception to an ip-address in the security profiles.

Let me know if that helps.

Regards,

Parth

OK, thanks!
Actually I don't want an exception. I just want to remove an IP, if it is blocked after testing.
It's OK for me. The time I set for blocking is expired Smiley Happy
In future I'll test with a short time and if it works, I'll increase the time Smiley Wink

Regards

Jörg

Hello,

Currently there is no way to view/add/remove from the list of IPs that are blocked via vulnerability profile 'block-ip' option. There is a feature request open and I would recommend reaching out to your sales team so we can work to add this feature in a future release.

*EDIT* -- there is option to show/reset the block-table

> debug dataplane show dos block-table

> debug dataplane reset dos block-table

Cheers,

Stefan

OK, thanks!

Did that feature request ever get implemented?  

I'm wondering the same! 😕

L1 Bithead

According to recent documentation, April 2024, every version from 9.1 to 11.1 are *supposed* to have a "Blocked IP" option under the Monitor tab.

 

I don't see it via Panorama or directly on the device, however, I just added the block-ip to a couple of vulnerabilities and maybe (far reaching) the firewall has to block an IP address before that option populates under the Monitor tab?
Strange that PAN has not responded to this question.

 

See this link for 9.1

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/monitor/monitor-block-ip-list...

 

So after more research in the wild it appears the larger firewalls have a block ip list in the monitor tab. It’s between session browser and botnet. It’s on the 5220s that I’m working with but not the azure vm firewalls nor the 440s in my lab. Strange that there is a hardware difference in this functionality. 

L1 Bithead

I can confirm that the option exists on older 5260s and new 5420s, but does not exist on newer 3430s

Is the a 5000-series option?

What happens if you have the Action set to Block IP but you don't have the Monitor - Block IP List to see them? (still blocked for the configured time?).

 

The randomness of features between series is proving very frustrating.

  • 1 accepted solution
  • 12182 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!