IP-Intelligence Manual Additions and Bad Actor Additions Not Working

I_R_101_110
Cirrus

Greetings dev central community,

I have come to impasses in two goals on a 15.1.0.5 VE running in esxi related to IP-Intelligence configuration and I would very much appreciate direction for resolution.

Impasse 1:

Having my manually added IP address be respected by the IP-Intelligence policy. Though pre-existing blacklisted sources are dropped with my configuration, my manually added IP addresses added via are not respected.

   I'm adding the IP addresses to my categories configured for drop in my IP-Intelligence policy via Security ›› Network Firewall : IP Intelligence : Blacklist Categories >> Add to Category.
   I've tried with public and private IPs.
   I've tried with pre-existing and custom blacklist categories.
   My license is valid.
   iprep_lookup from the CLI shows no verdict/category for the manually added IPs.
   Whereas the GUI "Check Entry" button shows the IP address as present in the blacklisted category.

Impasse 2:

DoS blacklisting via Bad Actor Detection is not updating the blacklist category with the offending IP address.

   My tests have been done via Device DoS Protection via ICMPv4 flooding.
   I can see the attack vector being rate limited in DoS logs.
   My settings to add the bad actor to the blacklist category are set low (Sustained Attack Detection Time of 10 seconds). Even if my test source attacks for a prolonged period of time and is mitigated for this prolonged period of time, the address never shows up in the blacklist category specified.
   I have tried custom categories as well as the pre-made denial-of-service category.
   I have selected to advertise externally and I have BGP set up to redistribute kernel. Regardless, the IP address that should be shunned does not show up in the routing table as a local blackholed kernel route nor does it show up in the upstream BGP peer as a blackholed route.
   Manually configured blackholed routes are propagated properly via redistribute kernel.
   The GUI "Check Entry" button does not show the IP address as present in the specified bad actor category.
   I have tried triggering the attack vector/bad actor protection with private IPs as well as spoofed public IPs.

 

 

list security dos device-config dos-device-vector

    icmpv4-flood
        allow-advertisement enabled
        allow-upstream-scrubbing disabled
        attacked-dst disabled
        auto-blacklisting enabled
        auto-scrubbing disabled
        auto-threshold disabled
        bad-actor enabled
        blacklist-category denial_of_service
        blacklist-detection-seconds 10
        blacklist-duration 14400
        ceiling 200000
        default-internal-rate-limit 100000
        detection-threshold-percent 500
        detection-threshold-pps 10000
        enforce enabled
        floor 100
        multiplier-mitigation-percentage 300
        packet-types none
        per-dst-ip-detection-pps infinite
        per-dst-ip-limit-pps infinite
        per-source-ip-detection-pps 1000
        per-source-ip-limit-pps 10000
        scrubbing-category attacked_ips
        scrubbing-detection-seconds 10
        scrubbing-duration 900
        simulate-auto-threshold disabled
        state mitigate
        suspicious false
        threshold-mode manual-multiplier-mitigation
        valid-domains none

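The post compares the GUI "Check Entry" result against `iprep_lookup` one address at a time. The script below is an added example (not code from the post, and not an F5 tool) that automates that comparison from the BIG-IP bash shell: it reads a file of addresses the operator expects to be in a blacklist category, runs `iprep_lookup` against each, and reports the ones for which no category comes back. It assumes `iprep_lookup` is on the PATH and that its output lists matched categories on the indented lines following a line containing `threats:`; the sample output used in the comments is constructed, and `parse_iprep_verdict` is the one place to adjust if a given version prints the verdict differently.

```shell
#!/bin/bash
# Added diagnostic (not from the original post): batch-check IPs that were
# manually added to an IP Intelligence category and list those for which
# iprep_lookup returns no category, i.e. the GUI/CLI mismatch described above.
#
# Assumed iprep_lookup output shape (constructed sample, not captured):
#   opening database in /var/IpRep/F5IpRep.dat
#   iprep threats:
#           bit 4 - Scanners
# An IP with no lines after "threats:" is treated as "no verdict".

# Print the category lines found in one iprep_lookup output, one per line.
# Empty output means no verdict was returned for that address.
parse_iprep_verdict() {
    # $1: full stdout+stderr text of a single iprep_lookup run
    printf '%s\n' "$1" | awk '
        found { if ($0 ~ /^[[:space:]]*$/) exit; sub(/^[[:space:]]+/, ""); print; next }
        /threats:/ { found = 1 }
    '
}

# Exit status 0 when the output names at least one category, 1 otherwise.
has_verdict() {
    [ -n "$(parse_iprep_verdict "$1")" ]
}

# Run iprep_lookup for every address in a file (one per line) and print a
# report line per address. Exit status 0 when every address has a verdict,
# 1 when at least one came back empty.
check_expected_ips() {
    # $1: path to a file of addresses expected to be blacklisted (assumed input)
    missing=0
    while IFS= read -r ip; do
        [ -z "$ip" ] && continue
        # </dev/null keeps the lookup from consuming the rest of the list on stdin
        out=$(iprep_lookup "$ip" 2>&1 </dev/null)
        if has_verdict "$out"; then
            printf 'OK      %s: %s\n' "$ip" "$(parse_iprep_verdict "$out" | tr '\n' ' ')"
        else
            printf 'MISSING %s: no category returned by iprep_lookup\n' "$ip"
            missing=$((missing + 1))
        fi
    done < "$1"
    [ "$missing" -eq 0 ]
}

# Stand-alone use on a BIG-IP (file path is a placeholder you supply):
#   check_expected_ips /var/tmp/expected_blacklist_ips.txt
```

Running the report right after a manual "Add to Category" and again a minute later separates an address that never reaches the reputation database from one that simply has not been picked up yet by the time of the first lookup.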
