
Overview of Blacklist

The blacklist is a typical measure for security defense. The FW discards all packets that match the blacklist. The blacklist is more effective in filtering packets from or to specific users or IP addresses when compared with security policies.

Types of Blacklist Entries

You can add users, source IP addresses, and destination IP addresses to the blacklist of the FW, as described in Table 1.

Table 1 Types of blacklist entries

  • Type: User
    Description: After a user is added to the blacklist, the FW discards all packets from or to the user.

  • Type: Source IP address
    Description: After a source IP address is added to the blacklist, the FW discards all packets from this IP address. When you blacklist a source IP address, you can also specify a protocol, or a protocol and a source port. The FW then filters out only the packets that carry that protocol (or that protocol and source port number) and permits other packets from the same IP address.

  • Type: Destination IP address
    Description: After a destination IP address is added to the blacklist, the FW discards all packets destined for this IP address. When you blacklist a destination IP address, you can also specify a protocol, or a protocol and a destination port. The FW then filters out only the packets that carry that protocol (or that protocol and destination port number) and permits other packets destined for the same IP address.

Adding and Deleting Blacklist Entries

You can manually add entries to the blacklist or allow the FW to generate certain entries. Table 2 describes this process.

Table 2 Creating blacklist entries (columns: Method, Blacklist entry type, Timeout duration)

  • Method: Manual addition. You can manually add an entry to the blacklist.
    Blacklist entry type: Users, source IP addresses, and destination IP addresses
    Timeout duration: You must specify the attributes, including the timeout, for each entry to be added.

  • Method: Dynamic generation (IP sweep or port scan). If the FW detects that an IP address frequently sends packets to different IP addresses or ports, and therefore is performing an IP sweep or port scan, the IP address is blacklisted.
    Blacklist entry type: Source IP addresses
    Timeout duration: The default value is 20 minutes and cannot be changed.

  • Method: Dynamic generation (intrusion). If the FW detects that an IP address intrudes on the intranet, the IP address is automatically blacklisted.
    Blacklist entry type: Source and destination IP addresses
    Timeout duration: The default value is 5 minutes and can be changed.

  • Method: Dynamic generation (antivirus blacklist). If antivirus detects that a flow is infected with a virus, the source IP address of the flow is automatically blacklisted.
    Blacklist entry type: Source IP addresses
    Timeout duration: The default value is 5 minutes and can be changed.

  • Method: Dynamic generation (correlation detection blacklist). If a packet matching a security policy is sent to the Intelligent Awareness Engine for IPS correlation detection (matching the user-defined IPS signature) and is blocked, the packet is considered an intrusion. If the number of intrusions from the same source or destination IP address reaches a threshold within a certain period, packets originating from that IP address are blocked and the IP address is blacklisted.
    Blacklist entry type: Source and destination IP addresses
    Timeout duration: The default value is 5 minutes and can be changed.

  • Method: Dynamic generation (IDS blacklist). Entries are delivered by an IDS device that interworks with the FW.
    Blacklist entry type: Source or destination IP addresses
    Timeout duration: The aging time is included in the IDS blacklist entry delivered by the IDS device. If the delivered aging time is less than or equal to 10 minutes, the FW uses the delivered aging time. If the delivered aging time is greater than 10 minutes, the FW uses 10 minutes. The default value cannot be changed.

  • Method: Dynamic generation (HiSec Insight interworking blacklist). The FW interworks with HiSec Insight. After detecting a malicious session, HiSec Insight delivers a blocking command to the FW, and the FW adds the destination IP address of the malicious session carried in the command to the blacklist.
    Blacklist entry type: Source or destination IP addresses
    Timeout duration: The default value is 30 minutes and can be manually changed.

Blacklist entries created in various ways have different causes. For example, the cause of manually created entries is Manual; the cause of dynamically created entries can be Login-failure, IP-address-sweep, or Port-scan. After a dynamically created blacklist entry is edited, the cause automatically switches to Manual.

If the same blacklist entry is repeatedly generated, the latest entry overwrites the previously generated one.

Blacklist entries can be deleted manually or dynamically.

  • You can specify the timeout period for manually or dynamically added blacklist entries. These entries are automatically deleted when the timeout period expires, after which they no longer filter packets. For manually added blacklist entries, the timeout period can be unlimited, in which case the entries remain valid permanently.

  • Aside from dynamic deletion, you can also manually delete individual blacklist entries.
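The matching rules of Table 1 (user entries match traffic in both directions; source and destination IP entries can be narrowed to a protocol, or a protocol and port, so other traffic from or to the same address still passes) and the lifecycle rules of Table 2 and the list above (timeout-based aging, unlimited timeout for manual entries, a regenerated entry overwriting the earlier one, and an edited dynamic entry getting the cause Manual) are modelled below as an added Python example. It is not Huawei code and does not reproduce the FW's data structures or CLI; the Packet, Entry and Blacklist classes, their field names, the 20-minute and 5-minute timeouts reused from the table, and the RFC 5737 documentation addresses are all assumptions constructed for illustration.

```python
"""Added example modelling the blacklist semantics described on this page.
Not Huawei code: Packet, Entry, Blacklist and every field name are assumptions,
and the RFC 5737 addresses used in demo() are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str                        # "tcp", "udp", "icmp", ...
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    user: Optional[str] = None           # user the FW has associated with the flow, if any


@dataclass
class Entry:
    kind: str                            # "user", "src_ip" or "dst_ip"
    value: str                           # user name or IP address
    cause: str                           # "Manual", "Port-scan", "IP-address-sweep", ...
    protocol: Optional[str] = None       # optional refinement for src_ip / dst_ip entries
    port: Optional[int] = None           # source port for src_ip, destination port for dst_ip
    timeout_min: Optional[float] = None  # None = unlimited (manual entries only)
    created_at: float = 0.0              # seconds; set by Blacklist.add

    def key(self) -> tuple:
        # Entries with the same key are "the same entry" and overwrite each other.
        return (self.kind, self.value, self.protocol, self.port)

    def expired(self, now: float) -> bool:
        return self.timeout_min is not None and now >= self.created_at + self.timeout_min * 60

    def matches(self, pkt: Packet) -> bool:
        if self.kind == "user":
            return pkt.user == self.value   # packets from or to the user
        if self.kind == "src_ip":
            if pkt.src_ip != self.value:
                return False
            pkt_port = pkt.src_port
        elif self.kind == "dst_ip":
            if pkt.dst_ip != self.value:
                return False
            pkt_port = pkt.dst_port
        else:
            return False
        # Protocol / port refinement: other packets from or to the same IP are permitted.
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.port is not None and pkt_port != self.port:
            return False
        return True


class Blacklist:
    def __init__(self) -> None:
        self.entries: Dict[tuple, Entry] = {}

    def add(self, entry: Entry, now: float) -> None:
        entry.created_at = now
        self.entries[entry.key()] = entry   # repeated entry: the latest overwrites, aging restarts

    def edit(self, key: tuple, **changes) -> Entry:
        entry = self.entries[key]
        for name, val in changes.items():
            setattr(entry, name, val)
        entry.cause = "Manual"              # an edited dynamic entry becomes a Manual one
        return entry

    def discard(self, pkt: Packet, now: float) -> bool:
        """True if the FW would drop pkt at time `now` (expired entries are aged out first)."""
        for k in [k for k, e in self.entries.items() if e.expired(now)]:
            del self.entries[k]
        return any(e.matches(pkt) for e in self.entries.values())


def demo() -> dict:
    bl = Blacklist()
    bl.add(Entry("src_ip", "198.51.100.9", "Manual", protocol="tcp", port=4444), now=0)
    bl.add(Entry("dst_ip", "192.0.2.10", "Manual", protocol="tcp", port=23), now=0)
    bl.add(Entry("user", "alice", "Manual"), now=0)
    bl.add(Entry("src_ip", "203.0.113.7", "IP-address-sweep", timeout_min=20), now=0)
    bl.add(Entry("src_ip", "203.0.113.5", "Port-scan", timeout_min=20), now=0)
    r = {}
    r["src_proto_port_blocked"] = bl.discard(Packet("198.51.100.9", "192.0.2.1", "tcp", 4444, 80), 0)
    r["src_other_proto_allowed"] = not bl.discard(Packet("198.51.100.9", "192.0.2.1", "udp", 4444, 53), 0)
    r["dst_proto_port_blocked"] = bl.discard(Packet("10.0.0.3", "192.0.2.10", "tcp", 40000, 23), 0)
    r["dst_other_port_allowed"] = not bl.discard(Packet("10.0.0.3", "192.0.2.10", "tcp", 40001, 80), 0)
    r["user_blocked_both_ways"] = (bl.discard(Packet("10.0.0.4", "192.0.2.20", "tcp", 40002, 443, user="alice"), 0)
                                  and bl.discard(Packet("192.0.2.20", "10.0.0.4", "tcp", 443, 40002, user="alice"), 0))
    scan = Packet("203.0.113.5", "192.0.2.3", "tcp", 50000, 22)
    bl.add(Entry("src_ip", "203.0.113.5", "Port-scan", timeout_min=20), now=10 * 60)  # regenerated at 10 min
    sweep = Packet("203.0.113.7", "192.0.2.2", "icmp")
    r["sweep_blocked_at_0"] = bl.discard(sweep, 0)
    r["sweep_allowed_at_20min"] = not bl.discard(sweep, 20 * 60)     # 20 min timeout expired
    r["scan_blocked_at_25min"] = bl.discard(scan, 25 * 60)           # timeout counted from the overwrite
    edited = bl.edit(("src_ip", "203.0.113.5", None, None), timeout_min=None)
    r["edited_cause"] = edited.cause
    r["scan_blocked_at_1day"] = bl.discard(scan, 24 * 3600)          # unlimited timeout: permanent
    return r


if __name__ == "__main__":
    for name, val in demo().items():
        print(f"{name}: {val}")
```

Running the block prints one line per check in demo(). The entry key deliberately includes the protocol and port, so a plain source IP entry and a refined one for the same address coexist rather than overwriting each other; only an identical entry regenerated later replaces the earlier one, which is what restarts its aging.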

Copyright © Huawei Technologies Co., Ltd.