Unblock IP address after threat triggered block-ip

Showing results for 
Search instead for 
Did you mean: 

Unblock IP address after threat triggered block-ip

L1 Bithead

Suppose a long time value was set for a threat where one had set the action to block-ip - say 10 minutes

Is there any way via the CLI or GUI to see the list of IP addresses that are blocked due to the threat engine?

Better still, is there a way to clear that list, or selectively clear IP addresses?


L7 Applicator

admin@pa0(active)> show dos-protection zone untrust blocked source

Vsys            Zone                       Blocked IP TTL(sec)


    1         untrust             ,     3



admin@pa0(active)> clear dos-protection zone untrust blocked

> all      Clear all IPs

> source   Specify Source IP(s) to unblock

admin@pa0(active)> clear dos-protection zone untrust blocked source



admin@pa0(active)> show dos-protection zone untrust blocked source

Vsys            Zone                       Blocked IP TTL(sec)



Thanks Jared, I'm already familiar with those commands - sadly, they do not list IP addresses that have been blocked by specific Threat IDs. They only deal with IP blocked through the DoS counters.

For example, Threat ID 40001 "FTP: login Brute-force attempt" - if the action for this is changed to "block-ip" IP source for 1200 seconds, and an IP gets blocked, then it is apparently not possible to subsequently unblock that IP again before the 20 minutes is up. As you can imagine, sometimes an important customer gets caught out by this when accessing from an out of band IP, and asks us to unblock it - not an unreasonable request - with which we are currently unable to comply.

L5 Sessionator

run this command to see the IP listed

>debug dataplane show dos block-table

Run this command to the remove the IP. As of now I don't see a way to remove only the individual IP address. Being that these are blocked for a period of time you are less likely to have more than one IP blocked at the same time but if so this will release all of them. Then they must meet the threat criteria to be blocked again. Hope this helps

>debug dataplane reset dos block-table


Just test and this is how you unblock the individual IP

>debug dataplane reset dos zone L3_Untrust block-table source x.x.x.x

After running this command you may need to find the actual  session and clear it from the "Discard" State

admin@PA-200> show session all filter source x.x.x.x

ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
45629        ssh            DISCARD FLOW       x.x.x.x[36437]/L3_Untrust/6  (x.x.x.x[36437])
vsys1                                [22]/L3_Untrust  ([22])
admin@PA-200> clear session id 45629

That's really weird because the show dos-protection / clear dos-protection commands work perfectly in my environment... even when triggered from vulnerability protection signatures such as brute-force SSH.  Here's how I'm testing:

From a client to a server, I setup a constant ping.  Then, from the same client, I initiated a brute-force SSH attack against that same server.  As soon as the brute-force signature is triggered, the pings stop as expected.  From here "show dos-protection..." shows the client's blocked IP address.  Once I "clear dos-protection", the pings start back up again. 

Either this is a difference in how a specific platform behaves (I'm using a VM-300), a PAN-OS code version difference, or you're testing this differently. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!