Blacklist traffic manually

You can blacklist traffic manually on Firewalls, IPS engines, and Layer 2 Firewalls.

For example, you can temporarily block a suspicious or disruptive source of communications while you conduct further investigations.

There are three ways to create new blacklist entries manually.

Blacklist a connection found in the log data.
Define a new blacklist entry for an NGFW Engine element.
Create new blacklist entries in the Blacklist view, Connections view, Monitoring view, and Logs view.

The blacklist is not necessarily applied to all traffic. The Access rules determine how the blacklist is used.

Note: If a connection is allowed by a rule placed above the blacklist rule in the Access rules, the connection is allowed regardless of the blacklist entries. Check the logs to see which connections are discarded based on blacklisting.

For more details about the product and how to configure features, click Help or press F1.

Steps

Create a new blacklist entry in one of the following ways:
- In the Blacklist view, Connections view, or Logs view — Right-click a row in the table and select New Blacklist Entry or New Entry.
- To create a blacklist entry for a specific NGFW Engine — Right-click the NGFW Engine element in the Connections view, Monitoring view, or Logs view, and select New Blacklist Entry or Blacklist > New Entry.
Select the Duration for how long this entry will be kept.
- If you leave the value as 0, the entry only stops the current connections. Otherwise, the entry is enforced for the specified period of time.
Select the Address to blacklist for Endpoint 1 and Endpoint 2.
(Only if the protocol is TCP or UDP) Select the Port to blacklist for Endpoint 1 and Endpoint 2.
Select the Blacklist Executors that enforce the blacklist entry.
Click OK.
The blacklist entry is sent to the executor and the traffic is blocked.

Blacklist Entry Properties dialog box

Use this dialog box to create a manual blacklist entry.

Option	Definition
Duration	The length of time that the blacklist lasts. If you leave the value as 0, the entry only cuts the current connections. Otherwise, the entry is enforced for the specified period.
Endpoint 1	Address — Select the address and port to blacklist for endpoint 1. Any — Matches any IP address. Predefined — Matches the specific IP address and prefix you enter in the field. For example, the /24 prefix blacklists all addresses in the same C-class network. The default /32 prefix blacklists only the specific IP address you enter. Port — Shows the port range of the endpoint. You can change this value. Ignored — Matches any port. Predefined TCP — Matches the specific source and destination ports that you enter in the fields. Predefined UDP — Matches the specific source and destination ports that you enter in the fields.
Endpoint 2	Address — Select the address and port to blacklist for endpoint 2. Any — Matches any IP address. Predefined — Matches the specific IP address and prefix you enter in the field. For example, the /24 prefix blacklists all addresses in the same C-class network. The default /32 prefix blacklists only the specific IP address you enter. Port — Shows the port range of the endpoint. You can change this value. Ignored — Matches any port. Predefined TCP — Matches the specific source and destination ports that you enter in the fields. Predefined UDP — Matches the specific source and destination ports that you enter in the fields.
Blacklist Executors	Contains the engines that can be added to the Selected Executors list. Select the engines that enforce the blacklist entry.
Search	Opens a search field for the selected element list.
Up (Backspace)	Returns to the previous folder.
New	Opens the associated dialog box to create an element.
Tools	Show Deleted Elements — Shows elements that have been moved to the Trash.
Add	Adds the selected Blacklist Executors to the Selected Executors list.
Remove	Removes the selected Blacklist Executors from the Selected Executors list.
Selected Executors	Shows the Blacklist Executors that you have selected.