Block listing traffic and how it works

Block lists contain entries for blocking traffic temporarily based on traffic patterns that the engines detect or on administrator commands.

Block listing allows you to temporarily stop traffic:
  • Without editing and installing policies (manual block listing only)
  • Based on events detected by engines
  • Based on correlation of detected events
  • On a different engine than the one that detects an event
  • On multiple engines with a single administrator command or a single detected event

Block listing makes it possible to block unwanted network traffic for a specified time. Engines can add entries to their own block lists based on events in the traffic they inspect. Secure SD-WAN Engines and Log Servers can also send block list requests to other Secure SD-WAN Engines. You can also block list IP addresses manually.

Example

A rule in the Inspection Policy detects a serious attack against a single host in your internal network. You can configure the rule to trigger automatic block listing of connections from that host to any other host in your internal networks.
Keep these limitations in mind when planning your block listing strategy:
  • Layer 2 Engines can only block list IPv4 traffic.
  • Engines and Layer 2 Engines do not enforce the block list by default. To enforce the block list, you must define the points at which the block list is checked in the Access rules.
  • If a connection is allowed by a rule placed above the block list rule, the connection is allowed regardless of the block list entries.

Automatic block listing can have unintended consequences that could disrupt business-critical traffic. Use automatic block listing with careful consideration. The following two categories represent the typical risks associated with block listing:

Table 1. Risks of block listing
Risk Explanation
Block listing legitimate connections (false positive) If the defined pattern for detecting malicious traffic is inaccurate, legitimate traffic might sometimes be block listed. Block listing legitimate connections causes service downtime for hosts that are incorrectly identified as a source of malicious traffic.
Causing self-inflicted denial-of-service (DoS) When an attacker uses spoofed IP addresses, a different (legitimate) IP address might be block listed instead of the attacker’s IP address. Block listing spoofed IP addresses might cause a self-inflicted denial-of-service of legitimate traffic.

You can minimize these risks with good planning. Identify and evaluate the threats carefully before you configure block listing.