Submit a ticketCall us

Systems Monitoring for Dummies
Our new eBook will teach you the fundamentals and help you create monitors and alerts that are effective, meaningful, and actionable. Monitoring is more than a checkbox on your to-do list. This free eBook will give you practical advice to help you succeed in all aspects of monitoring – discovery, alerting, remediation, and troubleshooting. Don’t miss out on this indispensable resource for newbies, experienced IT pros, and everyone in between. Register Now.

Home > Success Center > Archive > 2017October27 - Deletes > Using the Block IP Active Response

Using the Block IP Active Response

Created by Caroline Juszczak, last modified by Kevin.Swinson on Oct 27, 2017

Views: 34 Votes: 0 Revisions: 5

Use the Block IP active response to block a port scanner or block an IP address at your firewall using your LEM manager. You can automate this response in a LEM rule or execute the response manually from the Respond menu in the LEM console.


You can use the Block IP active response with the following firewalls and modules.

  • Cisco PIX
  • Cisco ASA
  • Cisco Firewall Services Module
  • Fortigate Firewalls
  • Juniper NetScreen
  • Check Point OPSEC
  • SonicWALL
  • WatchGuard Firebox (including Vclass)

Configure a firewall active response connector

  1. Open your LEM console and log in to your LEM manager as an administrator.
  2. Click Manage > Appliances.
  3. Click File:Success_Center/Reusable_content_-_InfoDev/LEMUserGuide_MT/0E0/050/Button-Gear_14x11.png next to your LEM manager and select Connectors.
  4. Select Firewalls from the Category list.
  5. Enter Active Response in the Refine Results search box.
  6. Click File:Success_Center/Reusable_content_-_InfoDev/LEMUserGuide_MT/0E0/050/Button-Gear_14x11.png next to your selected firewall connector and select New.
  7. Complete the Connector Configuration form according to your firewall's specifications.

    Below is the form for the Cisco PIx Active Response connector.


    Most active response connector forms require your firewall address and credentials. However, some connectors require additional information. For assistance, see the SolarWinds Success Center or contact Customer Support for assistance.

  8. Click Save.
  9. Click File:Success_Center/Reusable_content_-_InfoDev/LEMUserGuide_MT/0E0/050/Button-Gear_14x11.png next to the new connector and select Start.
  10. Click Close to exit the Connector Configuration window.

Configure an active response rule for an IP address

The Block IP active response creates a rule on your firewall to block the IP addresses you specify. To allow an IP address through your firewall, delete or modify the rule on your firewall as appropriate.

  1. Identify the data types to trigger your new rule.

    For research, you can search nDepth or view the incoming data received in the Monitor view grid.

  2. Click Build > Rules.
  3. Click File:Success_Center/Reusable_content_-_InfoDev/LEMUserGuide_MT/0E0/050/Button-Plus-Black_14x13.png in the Rules toolbar to create a new rule.
  4. Enter a rule name in the Name field.
  5. Click the Events tab and drag your desired fields into the Correlations box.
  6. Click the Actions tab and drag Block IP to the Actions box.
  7. Enter the IP address you want to block, and then click Save.
  8. Click Activate Rules.
Last modified