Block listing process
Block listing is executed as defined in the Access rules. Automatic block listing requests are sent as defined in the Inspection Policy.
1. Engines add entries to their own block lists for traffic they inspect.
   - There is one block list for each Firewall, Layer 2 Firewall, IPS engine, or Virtual NGFW Engine.
   - In engine clusters, there is one block list for each cluster. The nodes in the cluster exchange block list information in their synchronization communications.
2. Log Servers send block listing requests as a response to correlation of detected events. When one NGFW Engine sends a block listing request to another NGFW Engine, the Log Server relays the block listing request to the Management Server.
3. Management Servers relay manual block listing commands from administrators, and block listing requests sent by Log Servers, to the NGFW Engines.
   - There is no direct communication between different Virtual NGFW Engines or between Virtual NGFW Engines and the Management Server. For this reason, Virtual NGFW Engines cannot send block listing requests to other Virtual NGFW Engines.
4. Engines enforce the entries on their block lists according to their Access rules.
   - Each block list entry exists only for a defined duration, after which the entry is removed from the block list, and matching connections are again allowed. The duration of the blocking is defined when the block list entry is created.
   - Access rules check connections against the block list. If the IP addresses and ports in one of the block list entries match, the connection is discarded.
   - If the connection does not match a block listing Access rule or its related block list entries, the next Access rule in the policy is checked as usual.
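The enforcement behaviour in step 4 (entry lifetime, IP/port matching, discard on match, fall-through to the next Access rule otherwise) as a constructed Python simulation; this is an added example, not Forcepoint's engine code, and the entry fields, the CIDR and wildcard matching, and the "discard"/"continue" return values are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of a block list as evaluated by a block-listing Access rule.
# ANY marks a field the entry does not restrict (an assumption for this example).
ANY = None


@dataclass
class BlockListEntry:
    src: Optional[str]        # IP address or CIDR network, or ANY
    src_port: Optional[int]   # TCP/UDP port, or ANY
    dst: Optional[str]
    dst_port: Optional[int]
    created: float            # time the entry was added (seconds)
    duration: float           # blocking duration, fixed when the entry is created

    def expired(self, now: float) -> bool:
        return now >= self.created + self.duration

    def matches(self, src: str, sport: int, dst: str, dport: int) -> bool:
        def ip_ok(pattern, addr):
            return pattern is ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

        def port_ok(pattern, port):
            return pattern is ANY or pattern == port

        return (ip_ok(self.src, src) and port_ok(self.src_port, sport)
                and ip_ok(self.dst, dst) and port_ok(self.dst_port, dport))


class BlockList:
    def __init__(self) -> None:
        self.entries: List[BlockListEntry] = []

    def add(self, entry: BlockListEntry) -> None:
        self.entries.append(entry)

    def prune(self, now: float) -> None:
        # Entries whose duration has elapsed are removed; matching traffic is allowed again.
        self.entries = [e for e in self.entries if not e.expired(now)]

    def check(self, now: float, src: str, sport: int, dst: str, dport: int) -> str:
        """'discard' when a live entry matches the connection, else 'continue' to the next Access rule."""
        self.prune(now)
        for entry in self.entries:
            if entry.matches(src, sport, dst, dport):
                return "discard"
        return "continue"
```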