Multiple malicious scans from the same source address - can I block IP automatically

Occasionally, I notice that the firewall has been blocking tens or even hundreds of attempts from a single source address for multiple threats. In a case like this, it seems obvious, for someone looking at the logs, that that source IP should have been temporarily blocked and possibly banned, but that does not happen automatically.

We do have some exceptions in our vulnerability profile that change the action from reset to block-IP, for instance, but this only applies to a specific TID. When you have a host combining say 5 or 10 different exploits in one minute, is there a way to configure the firewall to automatically block the offending IP?

 

Thanks,

Luca


Hi @ash83

You need to start with a log forwarding profile; there you define a specific filter for the threat logs (you either filter on the severity, on specific threat IDs, or on something completely different). As the action you then choose to tag the source or destination IP (depending on your filter) and assign a tag to these IPs. After that you create a dynamic address group whose match criterion is the tag you created. From this point you can use the address group in your policy to block connections from or to these IPs.

Hope this helps.
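A log forwarding filter matches each threat log entry on its own, so the "several different exploits in one minute" pattern from the question has to be counted outside the firewall before the tag is applied. The following is an added example, not the poster's code or a Palo Alto Networks tool: it reads constructed threat-log rows, flags any source that trips five or more distinct threat IDs within a one-minute window, and builds the User-ID API register message that would apply the tag feeding the dynamic address group. The XML element names follow the PAN-OS dynamic tagging format; the per-member `timeout` attribute and the threshold values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

# Constructed sample threat-log rows: (receive_time, source address, threat ID).
# 203.0.113.7 hits six different signatures within 40 seconds; 198.51.100.9
# repeats one signature (a per-TID block-ip exception already covers that);
# 192.0.2.5 spreads five signatures over five minutes.
SAMPLE_LOGS = [
    ("2023/05/01 10:00:01", "203.0.113.7", 30001),
    ("2023/05/01 10:00:05", "203.0.113.7", 30002),
    ("2023/05/01 10:00:12", "203.0.113.7", 30003),
    ("2023/05/01 10:00:20", "203.0.113.7", 30004),
    ("2023/05/01 10:00:31", "203.0.113.7", 30005),
    ("2023/05/01 10:00:40", "203.0.113.7", 30006),
] + [("2023/05/01 10:01:%02d" % s, "198.51.100.9", 31000) for s in range(0, 60, 10)] \
  + [("2023/05/01 10:%02d:00" % m, "192.0.2.5", 32000 + m) for m in range(5)]


def flag_sources(entries, min_distinct=5, window=timedelta(minutes=1)):
    """Return the source IPs that trigger >= min_distinct distinct threat IDs
    inside any sliding window of the given length."""
    by_src = defaultdict(list)
    for ts, src, tid in entries:
        by_src[src].append((datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"), tid))
    flagged = set()
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:  # slide the window start
                lo += 1
            if len({tid for _, tid in events[lo:hi + 1]}) >= min_distinct:
                flagged.add(src)
                break
    return flagged


def build_register_xml(ips, tag, timeout=3600):
    """Build a User-ID API 'register' message that applies the tag to each IP.
    Element names follow the PAN-OS dynamic-tagging format; the per-member
    timeout attribute (auto-untag after N seconds) is assumed to be supported."""
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "1.0"
    ET.SubElement(msg, "type").text = "update"
    reg = ET.SubElement(ET.SubElement(msg, "payload"), "register")
    for ip in sorted(ips):
        entry = ET.SubElement(reg, "entry", ip=ip)
        ET.SubElement(ET.SubElement(entry, "tag"), "member", timeout=str(timeout)).text = tag
    return ET.tostring(msg, encoding="unicode")
```

The resulting XML is what you would post to the firewall's `type=user-id` API endpoint; the dynamic address group picks up the tagged address on its next refresh, and the policy rule referencing the group does the blocking.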
