Hi guys, first post here!
A filter was created to blackhole an IP when an HTTP GET to a specific URL was made.
The filter syntax is below.
request_command GET and url "http://xxx.xxx.xxx.xxx/yabadabadoo.asp"
This was then referenced by an attack response and was set to blackhole the source IP. I have also made the change to the global blackhole setting to blackhole the source if the attack IP cannot be determined.
This filter works in the sense that A. I receive an email stating that the URL was accessed and also that the IP has been blackholed. However, when accessing the link or any content on the server from the blackholed address, I am still able to browse content.
The reasoning for creating such a rule is that this specific URL would have to be typed by an individual who is either curious or malicious, and also this link is not accessible from any link on the website. I know that I can achieve this by removing the link from the site, but I would like the firewall to blackhole this for me.
Thanks for any help that can be given.
It sounds like you have configured it properly if the alarm tells you that the IP is blackholed. I would try running the following command to check the blackhole table:
Also, how long did you set it up for the IP to be blackholed?
The BH dump produced the IP and the timeout which is at 600 seconds.
Also, this is in reference to an incoming HTTP rule which is redirected to a private IP and NAT is set to localhost.
The rule syntax is
Allow Http src any zone external destination xxx.xxx.xxx.xxx zone external nat localhost redirect internalIP(xxx.xxx.xxx.xxx).
Very interesting. If it is in the blackhole table then the firewall should be ignoring all traffic from that IP. It seems like that is not happening. I think it would make sense to contact support and they can set up a remote to try and figure it out.
Meanwhile in the meantime support was able to do a URL denial using URL filtering. The blackhole issue however is still with support. I will let you know when I have the details.
The update did not work. I did move my firewall to 8.3.1 latest and greatest with the McAfee custom patch made just for me. I will play around with it for a while and see if there is any change. Maybe I have something incorrect.
I will post back and let you guys know.