Hi, I've been testing the block-ip action in spyware DNS signatures. I was in an RDP session before the threat triggered the block-ip action. Then, no more connections are allowed (which is OK), but the RDP session remains open.
Is this normal behaviour? I think the FW should reset all the sessions previously established for the blocked IP, shouldn't it?
With the block-ip action set, the malicious session will be terminated and any new sessions will be blocked before they are created, but existing sessions could remain open as they were established before the malicious event.
Scanning on this active session will continue, and if any malicious packets are identified in that session, it will also be terminated.