Active Blocked IPs
Active Blocked IPs Overview
The Active Blocked IPs feature in NETALERT is designed to enhance network security by automatically identifying and blocking malicious or unauthorized IP addresses. This functionality helps prevent unauthorized access, mitigate cyber threats, and protect critical infrastructure from attacks such as DDoS, brute force attempts, and data exfiltration.
To block an IP, open the Traffic module, select the target IP, and click IP > Block IP; this adds it to the blocked IP list maintained in the Administration module.
The following actions are available in this interface:
- Add – Adds a new IP to the Active Blocked IPs list.
- Import CSV – Imports a CSV file containing a list of Active Blocked IPs.
- Export CSV – Exports the current list of Active Blocked IPs to a CSV file.
- Truncate – Clears the entire list of Active Blocked IPs.
- Edit – Modifies an existing entry in the Active Blocked IPs list.
- Delete – Removes an IP from the Active Blocked IPs list.
Once the IP has been added to the block list, open Admin > Active Blocked IPs to confirm it. This section provides an overview of all currently blocked IPs, including the block timestamp, the reason for blocking, and the expiration time (if applicable).
The Active Blocked IPs list can be consumed by firewall devices (for example FortiGate) as an external threat feed, so traffic from these IP addresses is dropped at the perimeter. In this way NETALERT counteracts attacks from the malicious IPs it detects without manual intervention. Because the firewall applies the list automatically, administrators should set expiration times on blocks where appropriate and make sure the list never contains their own networks or overly broad prefixes, since such an entry would be enforced just as readily as a genuine attacker address.
Example Active Blocked IPs configuration for different firewall solutions
FortiGate
For an example of configuring a blocking rule using a FortiGate firewall, follow these steps:
Step 1: Access the list in the NETALERT interface to validate the blocked IPs.
Step 2: To add the blocked IP list in FortiGate, navigate to Security Fabric > Fabric Connectors, click Create New, and select IP Address from the Threat Feeds category.
Step 3: After selecting IP Address, a new window opens where the following parameters must be filled in: Name (e.g., NetAlert70), URI of external resource (e.g., https://192.168.---.---/activeIPBlock), and Refresh Rate in minutes (e.g., 5).
Step 4: Confirm that the FortiGate is fetching the list from Step 1: the connector should report a successful last update and its entries should match those shown in NETALERT.
Step 5: To create a firewall policy, go to Policy & Objects > IPv4 Policy > Create New, use the Fabric Connector name created in Step 3 as the Destination (or as the Source for a policy that drops inbound connections from these IPs), and set the action to DENY.
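The FortiGate IP Address threat feed fetches a plain-text file with one IP address or CIDR prefix per line, so whatever NETALERT serves at the external resource URI must be in that form and must be safe to enforce blindly. The following script is an added example, not NETALERT or Fortinet code: it takes an Active Blocked IPs CSV export (the column names ip, blocked_at, reason and expires_at are an assumption about the Export CSV format, and the sample rows are constructed), drops expired, unparseable, overly broad and internal-network entries, collapses duplicates, and renders the feed text the firewall should fetch. It also renders the FortiOS CLI equivalent of Step 3 (config system external-resource), which you should verify against your FortiOS version; the hostname in the usage call is a placeholder.

```python
"""Build a FortiGate-compatible threat feed from a NETALERT Active Blocked IPs
CSV export, refusing entries that would be dangerous to push to a firewall.
Added example; not NETALERT or Fortinet code."""
import csv
import io
import ipaddress
from datetime import datetime, timezone

# Constructed sample export. The column names are an assumption about the
# NETALERT Export CSV format.
SAMPLE_CSV = """ip,blocked_at,reason,expires_at
203.0.113.45,2024-05-01T10:00:00Z,brute force,2024-05-08T10:00:00Z
198.51.100.0/24,2024-05-02T11:30:00Z,scanner,
10.0.0.5,2024-05-02T12:00:00Z,misconfigured sensor,
0.0.0.0/0,2024-05-03T09:00:00Z,typo,
203.0.113.45,2024-05-03T10:00:00Z,brute force,2024-05-10T10:00:00Z
192.0.2.7,2024-04-01T00:00:00Z,data exfiltration,2024-04-02T00:00:00Z
not-an-ip,2024-05-04T00:00:00Z,garbage,
"""

# Ranges a perimeter feed must never carry: pushing one of these to the
# firewall blocks your own network. Extend with your management subnets.
PROTECTED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fe80::/10", "fc00::/7",
)]
# Refuse prefixes broader than these (assumed policy: a v4 /15 is a typo).
MIN_PREFIXLEN = {4: 16, 6: 32}


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps of the export; None if empty."""
    if not value or not value.strip():
        return None
    return datetime.fromisoformat(value.strip().replace("Z", "+00:00"))


def build_feed(csv_text, now):
    """Return (feed_text, rejected): the one-entry-per-line text the firewall
    should fetch, and a list of (entry, reason) for dropped rows."""
    keep, rejected = set(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = row["ip"].strip()
        try:
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            rejected.append((raw, "unparseable"))
            continue
        expires = parse_ts(row.get("expires_at"))
        if expires is not None and expires <= now:
            rejected.append((raw, "expired"))
            continue
        if net.prefixlen < MIN_PREFIXLEN[net.version]:
            rejected.append((raw, "prefix too broad"))
            continue
        if any(p.version == net.version and net.overlaps(p) for p in PROTECTED):
            rejected.append((raw, "overlaps protected range"))
            continue
        keep.add(net)
    lines = []
    for version in (4, 6):
        nets = [n for n in keep if n.version == version]
        # collapse_addresses merges duplicates and hosts already covered by a
        # wider prefix, so the firewall loads the smallest equivalent list.
        for net in ipaddress.collapse_addresses(nets):
            single = net.prefixlen == net.max_prefixlen
            lines.append(str(net.network_address) if single else str(net))
    return "\n".join(lines) + "\n", rejected


def fortios_external_resource(name, url, refresh_minutes):
    """FortiOS CLI equivalent of Step 3 (check against your FortiOS version)."""
    return (
        "config system external-resource\n"
        f'    edit "{name}"\n'
        "        set type address\n"
        f'        set resource "{url}"\n'
        f"        set refresh-rate {refresh_minutes}\n"
        "    next\n"
        "end\n"
    )


def demo():
    """Run the constructed sample through the builder at a fixed instant."""
    return build_feed(SAMPLE_CSV, datetime(2024, 5, 5, tzinfo=timezone.utc))


if __name__ == "__main__":
    feed, rejected = demo()
    print(feed)  # what the activeIPBlock URI should serve
    for entry, why in rejected:
        print(f"rejected {entry}: {why}")
    # Placeholder hostname; substitute the NETALERT address used in Step 3.
    print(fortios_external_resource(
        "NetAlert70", "https://netalert.example.internal/activeIPBlock", 5))
```

Run against a real export, the script is a useful pre-publication gate for whatever serves the activeIPBlock URI: the rejected list is exactly what an operator should review before the next refresh, and the feed text is what the connector in Step 4 should be seen loading.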
CheckPoint
For an example of configuring a blocking rule using a CheckPoint firewall, follow these steps:
Step 1: Access the list in the NETALERT interface to validate the blocked IPs.
Step 2: For the remaining configuration steps, consult the vendor's official documentation: Importing External Custom Intelligence Feeds in SmartConsole.
In the Feed URL field, enter the full URL, e.g., https://192.168.---.---/activeIPBlock
Juniper
For an example of configuring a blocking rule using a Juniper firewall, follow these steps:
Step 1: Access the list in the NETALERT interface to validate the blocked IPs.
Step 2: For the remaining configuration steps, consult the vendor's official documentation: SecIntel Feeds Configuration.