Using the Block IP Active Response

Created by Caroline Juszczak, last modified by Steve.Hawkins on Sep 13, 2016

Use the Block IP active response to block a port scanner or block an IP address at your firewall using your LEM manager. You can automate this response in a LEM rule or execute the response manually from the Respond menu in the LEM console.


You can use the Block IP active response with the following firewalls and modules.

  • Cisco PIX
  • Cisco ASA
  • Cisco Firewall Services Module
  • Fortigate Firewalls
  • Juniper NetScreen
  • Check Point OPSEC
  • SonicWALL
  • WatchGuard Firebox (including Vclass)

Configure a firewall active response connector

  1. Open your LEM console and log in to your LEM manager as an administrator.
  2. Click Manage > Appliances.
  3. Click the gear button next to your LEM manager and select Connectors.
  4. Select Firewalls from the Category list.
  5. Enter Active Response in the Refine Results search box.
  6. Click the gear button next to your selected firewall connector and select New.
  7. Complete the Connector Configuration form according to your firewall's specifications.

    Below is the form for the Cisco PIX Active Response connector.


    Most active response connector forms require your firewall address and credentials. However, some connectors require additional information. For assistance, see the SolarWinds Success Center or contact Customer Support.

  8. Click Save.
  9. Click the gear button next to the new connector and select Start.
  10. Click Close to exit the Connector Configuration window.

Configure an active response rule for an IP address

The Block IP active response creates a rule on your firewall to block the IP addresses you specify. To allow an IP address through your firewall, delete or modify the rule on your firewall as appropriate.

  1. Identify the data types to trigger your new rule.

    To research this, you can search nDepth or view the incoming data in the Monitor view grid.

  2. Click Build > Rules.
  3. Click the plus (+) button in the Rules toolbar to create a new rule.
  4. Enter a rule name in the Name field.
  5. Click the Events tab and drag your desired fields into the Correlations box.
  6. Click the Actions tab and drag Block IP to the Actions box.
  7. Enter the IP address you want to block, and then click Save.
  8. Click Activate Rules.

Last modified: 15:48, 13 Sep 2016