Submit a ticketCall us

Bridging the ITSM Divide
Integrated help desk and remote support software for faster resolution

Join us on Wednesday, November 29, 2017 at 11 a.m. CT, as we discuss the benefits of effectively integrating your help desk software with remote support solutions to help increase the efficiency of IT administration, improve communication, and decrease mean time to resolution (MTTR) for IT issues of all sizes. This directly impacts end-user satisfaction and your business’ bottom line. Register Now.

Home > Success Center > Log & Event Manager (LEM) > LEM Administrator's Guide > Use the Block IP active response in LEM

Use the Block IP active response in LEM

Updated: September 15, 2017

Use the Block IP active response to block an IP address at your firewall using your LEM Manager. This action is useful for blocking port scanners, and can be automated in a LEM rule, or executed manually from the Respond menu in the LEM console.


You can use the Block IP active response with the following firewalls/modules.

  • Cisco PIX
  • Cisco ASA
  • Cisco Firewall Services Module
  • Fortigate Firwalls
  • Juniper NetScreen
  • Check Point OPSEC
  • SonicWALL
  • WatchGuard Firebox (including Vclass)

Configure the Active Response tool for one of the firewalls listed above on your LEM Manager.

To configure the Active Response connector for your firewall:

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

  2. Click the Manage tab, and then select Appliances.

  3. Click the gear icon to the left of your LEM Manager, and then select Connectors.

  4. Select Firewalls from the Category list, and enter Active Response in the Search box at the top of the Refine Results pane.

  5. Click the gear icon next to the connector for your firewall, and then select New.

  6. Complete the Connector Configuration form according to your firewall's specifications.

  7. Click Save.

  8. Click the gear icon next to the new connector, denoted by an icon in the Status column, and then select Start.

  9. Click Close to exit the Connector Configuration window.

To configure the Rule:

  1. Identify the type of data that would trigger the rule. If needed, perform an nDepth search or view the real-time data being received under Monitor in the Console (filters).
  2. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

  3. In the console, choose Build > Rules, click the + button at the top right to create a new rule, and enter a descriptive name.

  4. Locate the event type in the Events tab, the desired fields from the Field tab, and drag to the Correlations box.

  5. Click the Actions tab on the left and drag Block IP to the Actions box under the rule being created.

  6. Enter the IP address to be blocked and save the rule.

  7. Click Activate Rules.

Additional Information

The Block IP active response creates a rule on your firewall to block the IP addresses you specify. To allow an IP address through your firewall, delete or modify the rule on your firewall as appropriate.

Last modified