05-10-2012 07:22 AM
I have configured a vulnerability protection profile to blacklist the ip addresses of attackers for all brute force login attempts with the signatures provided in the threat database. The profile works very well. However, i would now like to see the list of currently blacklisted ip addresses. I know it only blacklists for up to an hour, but there has to be a command to show the current ip addresses on the blacklist.
If anyone knows it, please assist me.
Thanks.
Richard
05-13-2012 11:32 AM
Hi Richard,
I haven't found a command just yet, but you should be able to goto the threat logs in the webUI, create an action filter that equals "block-ip" and run the filter in the logs.
This should show you what IPs are getting blocked and when. On a side note, for this to be more real-time, you may want to enable logging at the start of the session for the rule that's logging your block-ip threats.
-Jason
05-14-2012 12:10 AM
Shouldnt "log on session end" be equal as "log on session start" in this case since the ip is being blocked and hence the session is ended by the firewall?
I mean comparing with last "deny & log" rule in the bottom of your ruleset. Since the session its denied it shouldnt matter if you select "log on session start" or "log on session end".
05-14-2012 08:35 AM
Hello,
You can try:
debug dataplane show dos block-table
best regards,
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
