Blocking IP addresses

I need to block some IP addresses, so I created an alias called 'Compromised IOC' with those IP addresses. Then I created a ANY policy that Denies anything from ANY to 'Compromised IOC'. Just want to make sure this is correct. Before I added the policy, I was able to ping one of the IP addresses in 'Compromised IOC IPs', but since adding the policy, I'm not.

When I ping the IP from CMD, and look at the Traffic Monitor, I don't see anything on there, so that means its blocking that IP from my computer, and also its blocking it from accessing the Watchguard WAN interface also right?

Comments

  • Because when I did it the opposite way, Deny 'Compromised IOC IPs' to ANY, I was able to ping one of the IPs.

  • There is the Blocked Sites list.

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/system_status/stats_blocked_sites_web.html

    As far as your method - what is the goal - to only block access To these IP addrs ?
    If so, then this should work, as long as the ANY policy is at the top of the policies list.

  • Yes, I want to block access to those IP addresses. So since I can't no longer ping those IP from my computer, and I don't see it on the traffic monitor, it looks like its working. But my question is, are those IP addresses blocked from accessing the Watchguard? Is it blocked both ways?

  • However, I would expect to see denied in Traffic Monitor for these blocked accesses, unless you have unselected the "Send log message" option in the Logging section on this policy.

  • I have 'Send log message' selected. But don't see denied in Traffic Monitor when I'm pinging the IP.

  • It looks like the reason I don't see the IP in the Traffic Monitor is because it can't reach it but yeah I would think it will show as denied in Traffic Monitor.

  • No, not blocked both ways since your current policy is only for outgoing packets - the To: field.
    You would need a similar policy From: 'Compromised IOC IPs' to block incoming ones.

    Blocked Sites blocks both incoming & outgoing.

  • It looks like Blocked Sites needs to have an expiration date though. I want to block it indefinitely. So looks like I need to add another policy to deny from 'Compromised IOC IPs' to ANY.

  • "It looks like Blocked Sites needs to have an expiration date though"

    Not true.
    There is no date field when you add an entry on Blocked Sites.

    The Blocked Sites list in FSM shows an entry such as this:
    204.236.167.126 configuration Static Blocked IP NEVER EXPIRE

  • Thanks, I removed both policies, and the Alias I created.
    Added the IPs to Blocked Sites, now when I ping it, I see it in Traffic Monitor.

    I had to add it from the Web UI, because when I tried to add it from FSM, it was asking for expiration.

  • edited March 20

    So it looks like to get the results from Blocked Sites (blocking both ways) I had to add 2 policies in Policy Manager. One for outbound and other for inbound.

  • Correct.

  • @tantony said:
    Thanks, I removed both policies, and the Alias I created.
    Added the IPs to Blocked Sites, now when I ping it, I see it in Traffic Monitor.

    I had to add it from the Web UI, because when I tried to add it from FSM, it was asking for expiration.

    To add a non-expiring entry to Blocked Sites, this is done in Policy Manager (Setup > Default Threat Protection > Blocked Sites).

Sign In to comment.