Opened session remains after threat triggered block-ip. WTF!

L2 Linker

Hi, I've been testing the block-ip action in spyware DNS signatures. I was in an RDP session before the threat triggered the block-ip action. Then, no more connections are allowed (which is OK), but the RDP session remains open.

Is this a normal behaviour? I think the FW should reset all the sessions previously established for the blocked IP, shouldn't it?

Thanks!

1 REPLY

L7 Applicator

Hi

With the block-ip action set, the malicious session will be terminated and any new sessions will be blocked before they are created, but existing sessions could remain open as they were established before the malicious event.

Scanning on this active session will continue, and if any malicious packets are identified in that session, it will also be terminated.

Tom Piens
Like my answer? check out my book! https://bit.ly/MasteringPAN