Configure automatic block listing of traffic

Engines trigger automatic block listing based on the Block list Scope options set on Exception rules in the Inspection Policy.

Engines add entries directly to their own block lists for traffic they inspect. Engines can also send block listing requests to other NGFW Engines. In this case, the detecting engine sends the block listing request to the Log Server, the Log Server relays it to the Management Server, and the Management Server relays it to the other NGFW Engines that enforce the block list entry.

Engines generate block list entries from the events they detect in the traffic flow. An entry identifies traffic by the detected event's source and destination IP addresses and, optionally, the protocol and TCP or UDP port. If the event does not contain the IP address information, no block list entry can be created.

Netmasks can optionally be applied to the detected addresses so that the entry covers the surrounding network. A single event related to one source or destination IP address can then block list a whole network, so choose the netmask deliberately.

When the block list entry is created, the actions taken depend on the options you set. You can define Block list Scope options for any type of Exception, including rules that use Correlation Situations.
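The following Python is an added illustration, not Forcepoint NGFW or SMC code, of how an entry is derived from a detected event under the rules above: both endpoint addresses are required, protocol and port are optional, and a netmask widens the entry from a single address to its network. The event field names, the BlockListEntry class, the duration parameter, and the matching semantics in matches() are assumptions chosen for the example.

```python
"""Model of how an automatic block list entry is derived from a detected event.

Added illustration, not product code: the engine's real entry format, field names
and netmask handling are assumptions used to show the scope rules in the text.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import Optional, Union

Network = Union[IPv4Network, IPv6Network]

# Constructed sample events as an engine might log them (field names are assumed).
EVENT_TCP = {"src": "203.0.113.45", "dst": "192.0.2.10", "proto": "tcp", "dport": 445}
EVENT_ICMP = {"src": "203.0.113.45", "dst": "192.0.2.10", "proto": "icmp"}
EVENT_NO_IP = {"proto": "tcp", "dport": 445}  # correlation event carrying no endpoints


@dataclass(frozen=True)
class BlockListEntry:
    src: Network                 # source network (/32 or /128 when no netmask is applied)
    dst: Network                 # destination network
    duration_s: int              # how long executors keep the entry (assumed parameter)
    proto: Optional[str] = None  # "tcp"/"udp" when port-scoped, else None (all traffic)
    dport: Optional[int] = None


def build_entry(event: dict, duration_s: int, src_prefix: Optional[int] = None,
                dst_prefix: Optional[int] = None,
                include_port: bool = False) -> Optional[BlockListEntry]:
    """Return the entry the event would produce, or None if none can be created.

    src_prefix/dst_prefix model the optional netmask: when given, the whole network
    containing the event address is block listed instead of the single address.
    include_port models the optional protocol/port scope; it only applies when the
    event is TCP or UDP and carries a destination port.
    """
    src, dst = event.get("src"), event.get("dst")
    if src is None or dst is None:
        return None  # without both endpoints no block list entry can be created

    def widen(addr: str, prefix: Optional[int]) -> Network:
        # strict=False turns a host address plus prefix into its containing network
        return ip_network(addr if prefix is None else f"{addr}/{prefix}", strict=False)

    proto = dport = None
    if include_port and event.get("proto") in ("tcp", "udp") and event.get("dport") is not None:
        proto, dport = event["proto"], int(event["dport"])
    return BlockListEntry(widen(src, src_prefix), widen(dst, dst_prefix), duration_s, proto, dport)


def matches(entry: BlockListEntry, pkt: dict) -> bool:
    """Would an executor drop this packet under the entry? (assumed matching semantics)"""
    if ip_address(pkt["src"]) not in entry.src or ip_address(pkt["dst"]) not in entry.dst:
        return False
    if entry.proto is None:
        return True  # entry covers all traffic between the endpoints
    return pkt.get("proto") == entry.proto and pkt.get("dport") == entry.dport


def blast_radius(entry: BlockListEntry) -> int:
    """Number of source/destination address pairs the entry covers."""
    return entry.src.num_addresses * entry.dst.num_addresses


if __name__ == "__main__":
    host_only = build_entry(EVENT_TCP, duration_s=3600)
    subnet = build_entry(EVENT_TCP, duration_s=3600, src_prefix=24, include_port=True)
    print(host_only, blast_radius(host_only))
    print(subnet, blast_radius(subnet))
    print(build_entry(EVENT_NO_IP, duration_s=3600))
```

Running the block shows the two ends of the scope trade-off: the host-only entry covers exactly one address pair, while a /24 source netmask covers 256 pairs from one event, which is the "whole networks" effect described above; restricting to the TCP port keeps other traffic from those hosts flowing. The ICMP event yields an entry without a port scope even when the port option is requested, and the event with no endpoints yields no entry at all.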

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration.
  2. In the navigation pane on the left, browse to Policies > Inspection Policies.
  3. Right-click the Inspection Policy, then select Edit Inspection Policy.
  4. On the Exceptions tab, add a rule, then specify the matching criteria for traffic that you want to block list.
  5. Right-click the Action cell, then select Terminate.
  6. Right-click the Action cell, then select Edit Options.
  7. On the Block list Scope tab of the Select Rule Action Options dialog box, select Override collected values set with “Continue” rules.
  8. Select the type of Block list entry to create:
    • To create a Block list entry that terminates only the current connection using the default options, select Terminate the Single Connection, then click OK.
    • To block the traffic for a defined duration and configure the settings, select Block Traffic Between Endpoints.
  9. In the Block list Executors list, select the engines where the block list entry is sent, then click Add.
  10. (Optional) To include the engine that detects the situation in the list of block list executors, select Include the Original Observer in the List of Executors.
  11. Click OK.
  12. Click Save and Install.