Block listing traffic and how it works
Block lists contain entries for blocking traffic temporarily, based either on traffic patterns that the engines detect or on administrator commands. Block listing can be applied in the following ways:
- Without editing and installing policies (manual block listing only)
- Based on events detected by engines
- Based on correlation of detected events
- On a different engine than the one that detects an event
- On multiple engines with a single administrator command or a single detected event
Block listing makes it possible to block unwanted network traffic for a specified time. Engines can add entries to their own block lists based on events in the traffic they inspect. Secure SD-WAN Engines and Log Servers can also send block list requests to other Secure SD-WAN Engines. You can also block list IP addresses manually.
Example
A rule in the Inspection Policy detects a serious attack against a single host in your internal network. You can configure the rule to trigger automatic block listing of connections from that host to any other host in your internal networks.

- Layer 2 Engines can only block list IPv4 traffic.
- Engines and Layer 2 Engines do not enforce the block list by default. To enforce the block list, you must define the points at which the block list is checked in the Access rules.
- If a connection is allowed by a rule placed above the block list rule, the connection is allowed regardless of the block list entries.
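The rule-ordering behaviour described above can be made concrete with a small model. The following is an added illustration, not the engine's own code: Access rules are walked top to bottom, the block list is consulted only at a constructed `blocklist` checkpoint rule, entries carry an expiry time, and an `allow` rule placed above the checkpoint wins regardless of the entries. All addresses, rules and times are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv4Network


@dataclass
class BlockListEntry:
    """A temporary entry: matching src->dst traffic is discarded until expires_at."""
    src: Net
    dst: Net
    expires_at: float  # seconds; entries are time-limited, never permanent


@dataclass
class AccessRule:
    """action is 'allow', 'discard', or 'blocklist' (the point where the list is checked)."""
    action: str
    src: Optional[Net] = None  # None matches any address
    dst: Optional[Net] = None


def rule_matches(rule: AccessRule, src, dst) -> bool:
    return (rule.src is None or src in rule.src) and (rule.dst is None or dst in rule.dst)


def evaluate(rules: List[AccessRule], block_list: List[BlockListEntry],
             src: str, dst: str, now: float) -> str:
    """Walk the Access rules top to bottom; the block list is consulted only at a
    'blocklist' rule, so an 'allow' placed above it wins regardless of entries."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.action == "blocklist":
            if any(e.expires_at > now and s in e.src and d in e.dst for e in block_list):
                return "discard (block list)"
            continue  # no active entry: keep walking the rules below the checkpoint
        if rule_matches(rule, s, d):
            return rule.action
    return "discard (default)"  # constructed default: nothing matched


# Constructed sample: host 10.0.0.5 was block listed toward the internal net for 10 minutes.
BLOCK_LIST = [BlockListEntry(Net("10.0.0.5/32"), Net("10.0.0.0/8"), expires_at=600.0)]
RULES = [
    AccessRule("allow", Net("10.0.0.5/32"), Net("10.0.9.9/32")),  # above the checkpoint
    AccessRule("blocklist"),                                        # block list is checked here
    AccessRule("allow"),                                            # everything else
]
RULES_NO_CHECKPOINT = [AccessRule("allow")]  # no checkpoint: the list is never enforced

if __name__ == "__main__":
    for dst, now in (("10.0.9.9", 100), ("10.0.1.1", 100), ("10.0.1.1", 700)):
        print(dst, now, "->", evaluate(RULES, BLOCK_LIST, "10.0.0.5", dst, now))
```

Running the block shows the connection to 10.0.9.9 allowed by the rule above the checkpoint, the connection to 10.0.1.1 discarded while the entry is active, and the same connection allowed again once the entry has expired.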
Automatic block listing can have unintended consequences that could disrupt business-critical traffic. Use automatic block listing with careful consideration. The following two categories represent the typical risks associated with block listing:
| Risk | Explanation |
|---|---|
| Block listing legitimate connections (false positive) | If the defined pattern for detecting malicious traffic is inaccurate, legitimate traffic might sometimes be block listed. Block listing legitimate connections causes service downtime for hosts that are incorrectly identified as a source of malicious traffic. |
| Causing self-inflicted denial-of-service (DoS) | When an attacker uses spoofed IP addresses, a different (legitimate) IP address might be block listed instead of the attacker's IP address. Block listing spoofed IP addresses might cause a self-inflicted denial-of-service of legitimate traffic. |
You can minimize these risks with good planning. Identify and evaluate the threats carefully before you configure block listing.