Configure automatic blacklisting of traffic

Engines trigger automatic blacklisting based on the Blacklist Scope options in the Exceptions in the Inspection Policy.

Engines add entries directly to their own blacklists for traffic they inspect. Engines can also send blacklisting requests to other NGFW Engines. In this case, the engine sends the blacklisting request to the Log Server. The Log Server relays the blacklisting request to the Management Server. The Management Server relays the blacklisting request to the other NGFW Engines that enforce the blacklisting.

Engines generate blacklist entries based on the patterns they detect in the traffic flow. The blacklist entry that is sent identifies traffic based on IP addresses and optionally the Protocol and port. The blacklist entries can include whole networks, even if the events that trigger them are related to a single source or destination IP address.

Automatic blacklist entries are created using the detected event’s source and destination IP addresses, and optionally the TCP or UDP ports. If the event does not contain this information, a blacklist entry cannot be created. Netmasks can optionally be used to blacklist the detected event’s network.

When the blacklist entry is created, the actions taken depend on the options you set. You can define Blacklisting scope options for any type of Exception, including rules that use Correlation Situations.
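The entry semantics described above, as an added example that is not part of the product documentation or the product's own code: a Python model of how an automatic blacklist entry is derived from a detected event (source and destination IP, optional protocol and port, optional netmask that widens the entry to the whole network) and is matched only for a defined duration. The event field names, function names and the constructed addresses are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

@dataclass
class BlacklistEntry:
    src: IPv4Network         # a whole network when a netmask is applied
    dst: IPv4Network
    protocol: Optional[str]  # "tcp" or "udp"; None matches any protocol
    port: Optional[int]      # destination port; None matches any port
    expires: datetime        # traffic is blocked only for a defined duration

def entry_from_event(event: dict, now: datetime, duration: timedelta,
                     src_mask: int = 32, dst_mask: int = 32,
                     include_port: bool = False) -> BlacklistEntry:
    """Derive an entry from a detected event (the event field names are assumed)."""
    if "src_ip" not in event or "dst_ip" not in event:
        raise ValueError("event lacks source/destination IP; no entry created")
    # strict=False clears host bits, so a /24 mask blacklists the host's whole network
    src = ip_network(f"{event['src_ip']}/{src_mask}", strict=False)
    dst = ip_network(f"{event['dst_ip']}/{dst_mask}", strict=False)
    proto, port = (event.get("protocol"), event.get("dst_port")) if include_port else (None, None)
    return BlacklistEntry(src, dst, proto, port, now + duration)

def matches(entry: BlacklistEntry, conn: dict, now: datetime) -> bool:
    """True if the connection is covered by an entry that has not yet expired."""
    if (now >= entry.expires or ip_address(conn["src_ip"]) not in entry.src
            or ip_address(conn["dst_ip"]) not in entry.dst):
        return False
    return ((entry.protocol is None or conn.get("protocol") == entry.protocol)
            and (entry.port is None or conn.get("dst_port") == entry.port))

def demo() -> dict:
    # Constructed scenario: a detection from 203.0.113.7 to 198.51.100.20:443/tcp
    t0 = datetime(2024, 1, 1, 12, 0)
    event = {"src_ip": "203.0.113.7", "dst_ip": "198.51.100.20", "protocol": "tcp", "dst_port": 443}
    host_entry = entry_from_event(event, t0, timedelta(minutes=10), include_port=True)
    net_entry = entry_from_event(event, t0, timedelta(minutes=10), src_mask=24)
    neighbour = {"src_ip": "203.0.113.99", "dst_ip": "198.51.100.20", "protocol": "udp", "dst_port": 53}
    try:
        entry_from_event({"src_ip": "203.0.113.7"}, t0, timedelta(minutes=10))
        rejected = False
    except ValueError:
        rejected = True
    return {"host_entry_blocks_neighbour": matches(host_entry, neighbour, t0),  # False: host/port specific
            "net_entry_blocks_neighbour": matches(net_entry, neighbour, t0),    # True: /24 covers the network
            "net_entry_after_expiry": matches(net_entry, neighbour, t0 + timedelta(minutes=11)),  # False
            "incomplete_event_rejected": rejected}  # True
```

The two entries built from the same event show why the netmask option deserves care: the host-and-port entry leaves a neighbouring host untouched, while the /24 entry blocks every host in the detected source network until it expires.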

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration.
  2. In the navigation pane on the left, browse to Policies > Inspection Policies.
  3. Right-click the Inspection Policy, then select Edit Inspection Policy.
  4. On the Exceptions tab, add a rule, then specify the matching criteria for traffic that you want to blacklist.
  5. Right-click the Action cell, then select Terminate.
  6. Right-click the Action cell, then select Edit Options.
  7. On the Blacklist Scope tab of the Select Rule Action Options dialog box, select Override collected values set with “Continue” rules.
  8. Select the type of Blacklist entry to create:
    • To create a Blacklist entry that terminates only the current connection using the default options, select Terminate the Single Connection, then click OK.
    • To block the traffic for a defined duration and configure the settings, select Block Traffic Between Endpoints.
  9. In the Blacklist Executors list, select the engines where the blacklist entry is sent, then click Add.
  10. (Optional) To include the engine that detects the situation in the list of blacklist executors, select Include the Original Observer in the List of Executors.
  11. Click OK.
  12. Click Save and Install.