Palo Alto Networks Knowledgebase: How to Unblock Addresses after Block-IP Action is Triggered by Threat Protection

Created On 02/07/19 23:45 PM - Last Updated 02/07/19 23:46 PM
Policy
Resolution

Overview

When threat protection is used as a defense against brute force attacks involving FTP or SSH, an unwanted IP address can end up blocked and need to be unblocked immediately.

 

Details

To unblock an IP address, run the following CLI commands:

  • Verify blocked addresses:

> debug dataplane show dos block-table

entp:0x80000000efc69c10, bucket:183, entry:0
  Key:
    vsys_id:1, src_zone:3
    ip:x.x.x.x, dst_ip:10.0.0.5
    is_ipv6:0, is_src_dst_both:1
  Value:
   block_until:1989416 (Unblock after:16 sec)
-------------------------------------------------------------------------------

 

  • Remove Specific Address in Block-Table & Leave Other Addresses Blocked:

> debug dataplane reset dos zone L3_Untrust block-table source x.x.x.x

 

  • Remove All Addresses in Block-Table:

> debug dataplane reset dos block-table

 

Note: The discarded sessions may need to be cleared. Run the following commands to view and clear discarded sessions.

> show session all filter source x.x.x.x

--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
45629        ssh            DISCARD FLOW       x.x.x.x[36437]/L3_Untrust/6  (x.x.x.x[36437])
vsys1                                          10.0.0.5[22]/L3_Untrust  (10.0.0.5[22])

> clear session id 45629

session 45629 cleared
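The steps above as a script, added here as an example and not part of the original article: it parses block-table and session output in the layouts shown, then builds the scoped reset and `clear session id` commands for a single address so that other entries stay blocked. The sample output, the addresses, the second table entry and the zone id-to-name mapping (`{3: "L3_Untrust"}`) are assumptions; the block table prints a zone id while the reset command takes a zone name, so the operator has to supply that mapping.

```python
import ipaddress
import re
# Constructed sample output in the layouts shown above; addresses are placeholders.
BLOCK_TABLE = """\
entp:0x80000000efc69c10, bucket:183, entry:0
  Key:
    vsys_id:1, src_zone:3
    ip:198.51.100.7, dst_ip:10.0.0.5
    is_ipv6:0, is_src_dst_both:1
  Value:
   block_until:1989416 (Unblock after:16 sec)
-------------------------------------------------------------------------------
entp:0x80000000efc69d20, bucket:201, entry:0
  Key:
    vsys_id:1, src_zone:3
    ip:203.0.113.9, dst_ip:10.0.0.5
    is_ipv6:0, is_src_dst_both:1
  Value:
   block_until:1989700 (Unblock after:300 sec)
"""
SESSIONS = """\
45629        ssh            DISCARD FLOW       198.51.100.7[36437]/L3_Untrust/6  (198.51.100.7[36437])
vsys1                                          10.0.0.5[22]/L3_Untrust  (10.0.0.5[22])
45630        ssh            ACTIVE  FLOW       198.51.100.7[36438]/L3_Untrust/6  (198.51.100.7[36438])
vsys1                                          10.0.0.5[22]/L3_Untrust  (10.0.0.5[22])
"""
ENTRY_RE = re.compile(r"src_zone:(\d+)\s+ip:(\S+), dst_ip:(\S+)[\s\S]*?Unblock after:(\d+) sec")
SESSION_RE = re.compile(r"^(\d+)\s+\S+\s+DISCARD\s+\S+\s+(?:\S+\s+)?(\S+?)\[\d+\]/", re.M)

def blocked_entries(text):
    """One dict per block-table entry."""
    return [{"zone_id": int(z), "ip": ip, "dst_ip": dst, "seconds_left": int(s)}
            for z, ip, dst, s in ENTRY_RE.findall(text)]

def discarded_session_ids(text, source):
    """IDs of DISCARD-state sessions whose source address is `source`."""
    return [int(sid) for sid, src in SESSION_RE.findall(text) if src == source]

def unblock_plan(source, table_text, session_text, zone_names):
    """Commands that release only `source`; every other entry stays blocked."""
    source = str(ipaddress.ip_address(source))  # rejects anything that is not an IP
    zones = sorted({e["zone_id"] for e in blocked_entries(table_text) if e["ip"] == source})
    plan = [f"debug dataplane reset dos zone {zone_names[z]} block-table source {source}" for z in zones]
    if plan:  # only clear sessions for an address that was actually in the table
        plan += [f"clear session id {sid}" for sid in discarded_session_ids(session_text, source)]
    return plan

if __name__ == "__main__":
    print("\n".join(unblock_plan("198.51.100.7", BLOCK_TABLE, SESSIONS, {3: "L3_Untrust"})))
```
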

 

owner: jperry


