This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

How to show blocked IPs and how to remove a blocked IP

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to show blocked IPs and how to remove a blocked IP

Go to solution
JoergK
L2 Linker

‎10-02-2012 01:33 AM

Hello,

is it possible to show a list of automatically blocked IP addresses (example: Threat prevention for Brute-Force Attacks).
And is it possible to remove an IP from that list?

Thanks
Jörg

Labels:
0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
sspringer
L4 Transporter
In response to JoergK

‎10-02-2012 06:50 AM

Hello,

Currently there is no way to view/add/remove from the list of IPs that are blocked via vulnerability profile 'block-ip' option. There is a feature request open and I would recommend reaching out to your sales team so we can work to add this feature in a future release.

*EDIT* -- there is option to show/reset the block-table

> debug dataplane show dos block-table

> debug dataplane reset dos block-table

Cheers,

Stefan

View solution in original post

9 REPLIES 9

Go to solution
ppatel
L4 Transporter

‎10-02-2012 01:54 AM

Hi Jorg,

As far as I can recall, there is a work around to get the list of ip-addresses that the firewall block by threat.

You can create a custom  report for the threat log to query action==deny. Or you can filter the threat logs with action eq deny as follows and export to csv.

deny.PNG

In order to allow that threat or in case of False positive you can add an exception to threat in the security profile that is configured under Objects > Security Profiles >Antivirus > select the profile > Virus Exception

You cannot create an exception to an ip-address in the security profiles.

Let me know if that helps.

Regards,

Parth

Go to solution
JoergK
L2 Linker
In response to ppatel

‎10-02-2012 02:29 AM

OK, thanks!
Actually I don't want an exception. I just want to remove an IP, if it is blocked after testing.
It's OK for me. The time I set for blocking is expired Smiley Happy
In future I'll test with a short time and if it works, I'll increase the time Smiley Wink

Regards

Jörg

0 Likes Likes

Go to solution
sspringer
L4 Transporter
In response to JoergK

‎10-02-2012 06:50 AM

Hello,

Currently there is no way to view/add/remove from the list of IPs that are blocked via vulnerability profile 'block-ip' option. There is a feature request open and I would recommend reaching out to your sales team so we can work to add this feature in a future release.

*EDIT* -- there is option to show/reset the block-table

> debug dataplane show dos block-table

> debug dataplane reset dos block-table

Cheers,

Stefan

Go to solution
JoergK
L2 Linker
In response to sspringer

‎10-02-2012 07:33 AM

OK, thanks!

0 Likes Likes

Go to solution
EricStoltz-Consultant
L0 Member
In response to sspringer

‎01-31-2024 08:16 PM

Did that feature request ever get implemented?  

Go to solution
DLONGPRÉ
L2 Linker
In response to EricStoltz-Consultant

‎05-02-2024 10:32 AM

I'm wondering the same! 😕

0 Likes Likes

Go to solution
ChuckW
L1 Bithead

‎06-06-2024 09:05 PM - edited ‎06-06-2024 09:07 PM

According to recent documentation, April 2024, every version from 9.1 to 11.1 are *supposed* to have a "Blocked IP" option under the Monitor tab.

 

I don't see it via Panorama or directly on the device, however, I just added the block-ip to a couple of vulnerabilities and maybe (far reaching) the firewall has to block an IP address before that option populates under the Monitor tab?
Strange that PAN has not responded to this question.

 

See this link for 9.1

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/monitor/monitor-block-ip-list...

 

0 Likes Likes

Go to solution
EricStoltz-Consultant
L0 Member
In response to ChuckW

‎06-07-2024 04:53 AM

So after more research in the wild it appears the larger firewalls have a block ip list in the monitor tab. It’s between session browser and botnet. It’s on the 5220s that I’m working with but not the azure vm firewalls nor the 440s in my lab. Strange that there is a hardware difference in this functionality. 

0 Likes Likes

Go to solution
ChuckW
L1 Bithead

‎06-07-2024 07:07 AM

I can confirm that the option exists on older 5260s and new 5420s, but does not exist on newer 3430s

Is the a 5000-series option?

What happens if you have the Action set to Block IP but you don't have the Monitor - Block IP List to see them? (still blocked for the configured time?).

 

The randomness of features between series is proving very frustrating.

0 Likes Likes
  • 1 accepted solution
  • 12184 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks