
Block IP Active Response

Created by Interspire Import, last modified by Tim Rush on Apr 27, 2017


Overview

Use the Block IP active response to block an IP address at your firewall using your LEM appliance. This action is useful for blocking port scanners and can be automated in a LEM rule or executed manually from the Respond menu in the LEM Console.

If this is not working, see Additional information below.

Requirements

You can use the Block IP active response with the following firewalls/modules.

  • Cisco PIX
  • Cisco ASA
  • Cisco Firewall Services Module
  • FortiGate
  • Juniper NetScreen
  • Check Point OPSEC
  • SonicWALL
  • WatchGuard Firebox (including Vclass)

Configure the Active Response connector for one of the firewalls listed above on your LEM appliance.

To configure the Active Response connector for your firewall:

  1. Open your LEM console and log in as an administrator.
  2. Click the Manage tab, and then select Appliances.
  3. Click the gear icon to the left of your LEM Manager, and then select Connectors.
  4. Select Firewalls from the Category list, and enter active response in the search box at the top of the Refine Results pane.
  5. Click the gear icon next to the connector for your firewall, and then select New.
  6. Complete the Connector Configuration form according to your firewall's specifications.
    Note: Generally, all you will have to enter is your firewall address and credentials. Some connectors, however, require more information. 
  7. Click Save.
  8. Click the gear icon next to the new connector (denoted by an icon in the Status column), and then select Start.
  9. Click Close to exit the Connector Configuration window.

Additional Information

The Block IP active response creates a rule on your firewall to block the IP addresses you specify. To allow an IP address through your firewall, delete or modify the rule on your firewall as appropriate.


Firewall vendors have changed the default minimum level of ciphers allowed for connections that make firewall changes (such as Block IP).
Historically, 3DES ciphers were allowed to shun (block) IP addresses, but in March 2017 the minimum default was raised to AES, which broke our active response connector (tool) for all LEM versions up to and including 6.3.1-HF4.
LEM 6.4.0 includes the new ciphers.
Any earlier version must be upgraded to at least 6.3.1 with hotfix 4 before installing buddy-drop-11.

Here is the download:
     http://downloads.solarwinds.com/sola...CUST-29013.zip

Contact SolarWinds Support to have the buddy-drop installed.
 

Last modified
13:02, 27 Apr 2017
