Unable to remove IP after accessing a port on the default blocked ports list - Cloud Managed

We have a Watchguard T25 managed via Watchguard cloud and inadvertently, when performing a test, made an attempt to connect to the watchguard on Port 8000, which is one of the default blocked ports. Doing this triggers our WAN IP to be blocked for a (random?) period of time. I understand this is normally 20 minutes on a locally managed firebox, but it looks like it might be closer to 4 hours on a cloud managed firebox.

Also, on a locally managed firebox there is a method to remove the WAN IP from the ban; there doesn't appear to be any way in a cloud managed firebox to remove the blocked IP.

Is there any reason the timing on this is different from a locally managed firebox?
Is there any method to remove the IP immediately?

Any feedback is appreciated.

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @SamSpronk

    In order to remove them from a cloud managed device, you'll need to wait for it to expire, or reboot the firewall. The timer is 20 minutes by default for cloud managed devices.

    -James Carson
    WatchGuard Customer Support

  • Hi James

    Thanks for responding. We will give it another, more refined test, but we were locked out for a lot longer than 20 minutes; let me repeat the test over the next week or so. Is there any plan to be able to remove an IP that has been blocked? If it is only 20 minutes it is probably not as big a deal, but if it is closer to 4 hours that becomes frustrating with no way to fix it ourselves.

  • Hi @james.carson

    I set up a test where I created a constant ping to the WAN IP of our Watchguard Firebox. I then attempted to connect on port 7001, which is blocked. As expected, the ping started timing out once the block was triggered.

    However, it has now been over an hour, and I’m still unable to get a ping response from the Watchguard — well beyond the documented 20-minute block period.

    How can we resolve this so that the block duration is correctly limited to 20 minutes? And preferably a way to manually remove an IP from the block list if needed? Ideally, having both resolved would be great.

  • james.carson Moderator, WatchGuard Representative

    Hi @SamSpronk. If you're running a continuous ping, the timer will reset every time it is triggered. This is the same behavior for local and cloud managed devices.

    -James Carson
    WatchGuard Customer Support
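The reset-on-traffic behaviour James describes, as an added model written for this thread (not WatchGuard's code): it assumes any packet from an already-blocked source refreshes the expiry, uses the 20-minute default quoted above, and treats the ping as ordinary, non-block-worthy traffic.

```python
from dataclasses import dataclass, field
from typing import Optional

BLOCK_SECONDS = 20 * 60          # default auto-block duration stated in the thread
BLOCKED_PORTS = {8000, 7001}     # assumption: only the two ports named in the thread

@dataclass
class BlockedSitesModel:
    """Toy model of a temporary blocked-sites list with a sliding expiry.

    Assumption: any packet from a currently blocked source refreshes the
    expiry (the behaviour described in the thread), not only blocked-port hits.
    """
    expiry: dict = field(default_factory=dict)   # ip -> time (s) when the block lapses

    def is_blocked(self, ip: str, now: float) -> bool:
        exp = self.expiry.get(ip)
        if exp is None:
            return False
        if now >= exp:
            del self.expiry[ip]      # block has lapsed, entry is dropped
            return False
        return True

    def packet(self, ip: str, dst_port: int, now: float) -> str:
        """Return 'drop' or 'pass' for one packet, updating the list as a side effect."""
        if self.is_blocked(ip, now):
            self.expiry[ip] = now + BLOCK_SECONDS   # traffic from a blocked IP resets the timer
            return "drop"
        if dst_port in BLOCKED_PORTS:
            self.expiry[ip] = now + BLOCK_SECONDS   # first hit on a blocked port adds the IP
            return "drop"
        return "pass"

def simulate(ping_interval: Optional[float], observe_at: float) -> bool:
    """Trigger the block at t=0, optionally keep pinging, report blocked state at observe_at."""
    fw = BlockedSitesModel()
    ip = "203.0.113.10"             # constructed test source address (TEST-NET-3)
    fw.packet(ip, 8000, 0.0)        # the inadvertent connection attempt from the thread
    if ping_interval is not None and ping_interval > 0:
        t = ping_interval
        while t < observe_at:
            fw.packet(ip, 0, t)     # ICMP echo modelled as dst_port 0; not itself block-worthy
            t += ping_interval
    return fw.is_blocked(ip, observe_at)

if __name__ == "__main__":
    print("quiet source, still blocked after 21 min?", simulate(None, 21 * 60))     # False
    print("pinging every 1 s, still blocked after 4 h?", simulate(1.0, 4 * 3600))  # True
```

With the ping stopped the entry lapses on its own after 20 minutes; with the ping running the expiry keeps sliding forward, which is why the test in the thread stayed blocked for over an hour.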

  • Hi @james.carson Thanks for that, so even though something like a ping isn’t considered block-worthy, any activity from that IP still resets the 20-minute timer once it’s on the list?

    In this particular case, it’s easy enough for us to stop that activity, but in the real world, I can definitely see situations where that might not be possible. That’s where having the ability to manually remove entries would be super helpful.

    I’ll run another test as well.

  • james.carson Moderator, WatchGuard Representative

    Hi @SamSpronk
    It's something they're working on in the cloud managed interface. There are multiple places blocked sites can come from for cloud managed firewalls (including the ability to add IPs via the WatchGuard Cloud API).

    -James Carson
    WatchGuard Customer Support
