Unblock IP address after threat triggered block-ip


L1 Bithead

Suppose a long time value was set for a threat where one had set the action to block-ip, say 10 minutes.

Is there any way via the CLI or GUI to see the list of IP addresses that are blocked due to the threat engine?

Better still, is there a way to clear that list, or selectively clear IP addresses?


L7 Applicator

admin@pa0(active)> show dos-protection zone untrust blocked source

Vsys            Zone                       Blocked IP TTL(sec)
------------------------------------------------------------------------------------------
    1         untrust                       166.70.8.4,     3
admin@pa0(active)>

admin@pa0(active)> clear dos-protection zone untrust blocked
> all      Clear all IPs
> source   Specify Source IP(s) to unblock
admin@pa0(active)> clear dos-protection zone untrust blocked source 166.70.8.4
admin@pa0(active)>

admin@pa0(active)> show dos-protection zone untrust blocked source

Vsys            Zone                       Blocked IP TTL(sec)
------------------------------------------------------------------------------------------
admin@pa0(active)>

Thanks Jared, I'm already familiar with those commands - sadly, they do not list IP addresses that have been blocked by specific Threat IDs. They only deal with IP blocked through the DoS counters.

For example, Threat ID 40001 "FTP: login Brute-force attempt" - if the action for this is changed to "block-ip" IP source for 1200 seconds, and an IP gets blocked, then it is apparently not possible to subsequently unblock that IP again before the 20 minutes is up. As you can imagine, sometimes an important customer gets caught out by this when accessing from an out of band IP, and asks us to unblock it - not an unreasonable request - with which we are currently unable to comply.

L5 Sessionator

Run this command to see the IP listed:

>debug dataplane show dos block-table

Run this command to remove the IP. As of now I don't see a way to remove only the individual IP address. Being that these are blocked for a period of time, you are less likely to have more than one IP blocked at the same time, but if so this will release all of them. Then they must meet the threat criteria to be blocked again. Hope this helps.

>debug dataplane reset dos block-table

UPDATE

Just tested, and this is how you unblock the individual IP:

>debug dataplane reset dos zone L3_Untrust block-table source x.x.x.x

After running this command you may need to find the actual session and clear it from the "Discard" state:

admin@PA-200> show session all filter source x.x.x.x

--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
45629        ssh            DISCARD FLOW       x.x.x.x[36437]/L3_Untrust/6  (x.x.x.x[36437])
vsys1                                          10.0.0.5[22]/L3_Untrust  (10.0.0.5[22])
admin@PA-200> clear session id 45629
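The two CLI tables quoted in this thread (the "show dos-protection zone ... blocked source" listing from the first reply and the "show session all filter source" listing above) are what an operator has to read by hand before typing the clear commands. The following is an added example, not code from the thread or from Palo Alto Networks: a small Python parser that takes captured copies of both outputs, picks out the blocked IPs with their remaining TTL and any sessions from that IP still in DISCARD state, and builds the exact "clear dos-protection ..." and "clear session id ..." commands the posters used. The sample text is constructed from the outputs quoted in the thread (with the session source set to the blocked address so the two tables line up); the column layout assumed by the regular expressions is the one shown in those quotes, and the script does not connect to any firewall.

```python
"""Parse the PAN-OS CLI tables quoted in this thread and build the unblock commands.

Added example; it only parses captured text and does not talk to a firewall.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, copied from the 'show dos-protection zone untrust blocked source'
# output quoted earlier in the thread.
DOS_BLOCKED_OUTPUT = """\
Vsys            Zone                       Blocked IP TTL(sec)
------------------------------------------------------------------------------------------
    1         untrust                       166.70.8.4,     3
"""

# Constructed sample in the shape of the 'show session all filter source ...' output
# quoted above; the source IP is set to the blocked address so the two tables line up.
SESSION_OUTPUT = """\
--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
45629        ssh            DISCARD FLOW       166.70.8.4[36437]/L3_Untrust/6  (166.70.8.4[36437])
vsys1                                          10.0.0.5[22]/L3_Untrust  (10.0.0.5[22])
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# One data row of the blocked-IP table: vsys, zone, IP (trailing comma as printed), TTL.
# Header and dashed separator lines do not start with a number, so they are skipped.
BLOCKED_ROW = re.compile(rf"^\s*(\d+)\s+(\S+)\s+({IPV4}),?\s+(\d+)\s*$")

# First line of a session entry: id, app, state, type, optional flag column,
# then "srcIP[port]/zone/proto". The second (vsys/destination) line is ignored.
SESSION_ROW = re.compile(
    rf"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?({IPV4})\[(\d+)\]/([^/\s]+)/(\d+)"
)


@dataclass(frozen=True)
class BlockedEntry:
    vsys: str
    zone: str
    ip: str
    ttl: int  # seconds remaining on the block


def parse_blocked(text: str) -> List[BlockedEntry]:
    """Return the entries listed by 'show dos-protection zone <zone> blocked source'."""
    entries = []
    for line in text.splitlines():
        m = BLOCKED_ROW.match(line)
        if m:
            vsys, zone, ip, ttl = m.groups()
            entries.append(BlockedEntry(vsys, zone, ip, int(ttl)))
    return entries


def discard_sessions(text: str, src_ip: str) -> List[int]:
    """Return IDs of sessions from src_ip that are in DISCARD state in a session listing."""
    ids = []
    for line in text.splitlines():
        m = SESSION_ROW.match(line)
        if m and m.group(3) == "DISCARD" and m.group(6) == src_ip:
            ids.append(int(m.group(1)))
    return ids


def unblock_commands(dos_text: str, session_text: str, min_ttl: int = 0) -> List[str]:
    """Build the CLI commands from the thread that release a blocked IP early.

    Entries whose remaining TTL is below min_ttl are skipped, so blocks that are
    about to expire on their own need not be cleared by hand.
    """
    cmds = []
    for entry in parse_blocked(dos_text):
        if entry.ttl < min_ttl:
            continue
        cmds.append(f"clear dos-protection zone {entry.zone} blocked source {entry.ip}")
        # A session already in DISCARD keeps dropping traffic until it is cleared too.
        for sid in discard_sessions(session_text, entry.ip):
            cmds.append(f"clear session id {sid}")
    return cmds


if __name__ == "__main__":
    for cmd in unblock_commands(DOS_BLOCKED_OUTPUT, SESSION_OUTPUT):
        print(cmd)
```

Run it as-is and it prints the two commands for the sample; in practice you would feed it the text captured from your own firewall and review the generated commands before running them, since the column layout of these tables can differ between PAN-OS versions and the regular expressions above only cover the layout quoted here.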

That's really weird because the show dos-protection / clear dos-protection commands work perfectly in my environment... even when triggered from vulnerability protection signatures such as brute-force SSH.  Here's how I'm testing:

From a client to a server, I set up a constant ping. Then, from the same client, I initiated a brute-force SSH attack against that same server. As soon as the brute-force signature is triggered, the pings stop as expected. From here "show dos-protection..." shows the client's blocked IP address. Once I "clear dos-protection", the pings start back up again.

Either this is a difference in how a specific platform behaves (I'm using a VM-300), a PAN-OS code version difference, or you're testing this differently. 
