Configure automatic blacklisting of traffic

Engines trigger automatic blacklisting based on the Blacklist Scope options of the Exceptions in the Inspection Policy.

Engines add entries directly to their own blacklists for traffic they inspect. Engines can also send blacklisting requests to other NGFW Engines. In this case, the engine sends the blacklisting request to the Log Server. The Log Server relays the blacklisting request to the Management Server. The Management Server relays the blacklisting request to the other NGFW Engines that enforce the blacklisting.

Engines generate blacklist entries based on the patterns they detect in the traffic flow. The blacklist entry that is sent identifies traffic by IP addresses and optionally by protocol and port. The blacklist entries can cover whole networks, even when the events that trigger them are related to a single source or destination IP address.

Automatic blacklist entries are created using the detected event’s source and destination IP addresses, and optionally the TCP or UDP ports. If the event does not contain this information, a blacklist entry cannot be created. Netmasks can optionally be used to blacklist the detected event’s network.
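The following is an added model of the entry derivation described above; it is illustrative code, not the NGFW Engine's or SMC's own implementation. It assumes a detected event is a dict with `src_ip`, `dst_ip`, `protocol`, `src_port` and `dst_port` keys, and that the Blacklist Scope is a dict with `src_prefix`/`dst_prefix` netmask lengths and a `ports` flag; it shows how a netmask widens the entry to a network and how a flow from a neighbouring host is then matched.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class BlacklistEntry:
    source: str                     # CIDR, widened by the scope's netmask
    destination: str
    protocol: Optional[str] = None  # "tcp"/"udp"; None matches any protocol
    src_port: Optional[int] = None  # None matches any port
    dst_port: Optional[int] = None


def build_entry(event: dict, scope: dict) -> Optional[BlacklistEntry]:
    """Derive a blacklist entry from a detected event (constructed model).
    Returns None when the event lacks the addresses an entry needs."""
    src, dst = event.get("src_ip"), event.get("dst_ip")
    if src is None or dst is None:
        return None  # no addresses in the event, so no entry can be created
    # Apply the optional netmasks: a /24 turns one host into its whole network
    src_net = ip_network(f"{src}/{scope.get('src_prefix', 32)}", strict=False)
    dst_net = ip_network(f"{dst}/{scope.get('dst_prefix', 32)}", strict=False)
    proto = event.get("protocol")
    if scope.get("ports") and proto in ("tcp", "udp"):
        return BlacklistEntry(str(src_net), str(dst_net), proto,
                              event.get("src_port"), event.get("dst_port"))
    return BlacklistEntry(str(src_net), str(dst_net))


def flow_matches(entry: BlacklistEntry, flow: dict) -> bool:
    """Would the enforcing engine block this flow? Unset fields match anything."""
    if ip_address(flow["src_ip"]) not in ip_network(entry.source):
        return False
    if ip_address(flow["dst_ip"]) not in ip_network(entry.destination):
        return False
    if entry.protocol is not None and flow.get("protocol") != entry.protocol:
        return False
    if entry.src_port is not None and flow.get("src_port") != entry.src_port:
        return False
    if entry.dst_port is not None and flow.get("dst_port") != entry.dst_port:
        return False
    return True
```

Widening the source with a netmask also blocks hosts that never triggered the event, so a narrow scope is the safer default unless the whole network is the intended target of the entry.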