Blacklisting traffic and how it works

Blacklists contain entries for blocking traffic temporarily based on traffic patterns that the engines detect or on administrator commands.

Blacklisting allows you to temporarily stop traffic:
  • Without editing and installing policies (manual blacklisting only)
  • Based on events detected by engines
  • Based on correlation of detected events
  • On a different engine than the one that detects an event
  • On multiple engines with a single administrator command or a single detected event

Blacklisting makes it possible to block unwanted network traffic for a specified time. Engines can add entries to their own blacklists based on events in the traffic they inspect. NGFW Engines and Log Servers can also send blacklist requests to other NGFW Engines. You can also blacklist IP addresses manually.


A rule in the Inspection Policy detects a serious attack against a single host in your internal network. You can configure the rule to trigger automatic blacklisting of connections from that host to any other host in your internal networks.
Keep these limitations in mind when planning your blacklisting strategy:
  • Layer 2 Firewalls can only blacklist IPv4 traffic.
  • Virtual NGFW Engines cannot send blacklist requests to other Virtual NGFW Engines or to NGFW Engines.
  • Firewalls and Layer 2 Firewalls do not enforce the blacklist by default. To enforce the blacklist, you must define the points at which the blacklist is checked in the Access rules.
  • If a connection is allowed by a rule placed above the blacklist rule, the connection is allowed regardless of the blacklist entries.

Automatic blacklisting can have unintended consequences that could disrupt business-critical traffic. Use automatic blacklisting with careful consideration. The following two categories represent the typical risks associated with blacklisting:

Table 1. Risks of blacklisting
Risk Explanation
Blacklisting legitimate connections (false positive) If the defined pattern for detecting malicious traffic is inaccurate, legitimate traffic might sometimes be blacklisted. Blacklisting legitimate connections causes service downtime for hosts that are incorrectly identified as a source of malicious traffic.
Causing self-inflicted denial-of-service (DoS) When an attacker uses spoofed IP addresses, a different (legitimate) IP address might be blacklisted instead of the attacker’s IP address. Blacklisting spoofed IP addresses might cause a self-inflicted denial-of-service of legitimate traffic.

You can minimize these risks with good planning. Identify and evaluate the threats carefully before you configure blacklisting.