Hi Ken,
By default, security policies will block the
request. This means that someone intentionally configured a security policy to block the IP for a predetermined amount of time.
This alarm could mean a couple of different things:
- Your site is under attack from a distributed attacker (many IPs)
- The policy is too aggressive
Typically, policies that are configured to block IPs are created for a very specific use case - and typically, an IP is blocked for 3 minutes (short block) or long block (1 hour). However, these short/long conditions are user configurable.
The duration for IP Blocking can be reviewed under:
Main > Policies > Action Sets
In most circumstances, it would be considered unusual to hit 150 IPs, unless:
- The site receives a LOT of traffic
- The long threshold has been increased
- The site is under a distributed attack
So, what does all this mean? Well, there are a few variables at play - in some cases this message can be safely ignored, or in some cases you might want to adjust your policy, or in some cases you may want to adjust your IP blocking threshold, or in some cases you may want to apply additional security policies.
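The reply above boils down to a triage question: how many IPs are blocked at the same moment, how much of that is driven by the configured block duration, and whether the blocked sources are many one-off addresses (distributed traffic) or a handful of repeat offenders. The script below is an added illustration of that reasoning and is not code from the thread, from Imperva, or from the SecureSphere product. It works over a constructed list of block events (IP, time blocked) and assumes the 3-minute short block, 1-hour long block and 150-IP alarm threshold quoted in the reply; the event data and the verdict wording are invented for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Block durations quoted in the reply (both user configurable on the WAF).
SHORT_BLOCK = timedelta(minutes=3)
LONG_BLOCK = timedelta(hours=1)
# The "More than 150 blocked IPs/Users for Server Group" alarm threshold.
ALARM_THRESHOLD = 150

# Constructed reference time for the sample events.
T0 = datetime(2022, 6, 6, 1, 0, 0)


def constructed_events():
    """Constructed sample data (not real logs): 200 distinct TEST-NET-3 IPs,
    each blocked once at 15-second intervals, plus three of them blocked a
    second time 45 minutes in, so the repeat-offender path is exercised."""
    events = [(f"203.0.113.{i}", T0 + timedelta(seconds=15 * i)) for i in range(200)]
    for ip in ("203.0.113.5", "203.0.113.17", "203.0.113.42"):
        events.append((ip, T0 + timedelta(minutes=45)))
    return events


def concurrently_blocked(events, at, duration):
    """IPs whose block window [blocked_at, blocked_at + duration) covers `at`."""
    return {ip for ip, blocked_at in events if blocked_at <= at < blocked_at + duration}


def triage(events, at, duration, threshold=ALARM_THRESHOLD):
    """Count concurrently blocked IPs at `at` and characterise the block population."""
    active = concurrently_blocked(events, at, duration)
    hits = Counter(ip for ip, _ in events)
    repeat = sorted(ip for ip in active if hits[ip] > 1)
    alarm = len(active) > threshold
    if not alarm:
        verdict = "below threshold"
    elif len(repeat) * 10 < len(active):
        # Fewer than 10% of the active blocks are repeat sources: the count is
        # driven by breadth (many one-off IPs), which fits either distributed
        # traffic or a policy that triggers on ordinary visitors.
        verdict = "mostly one-off sources: distributed traffic or an over-broad policy"
    else:
        verdict = "many repeat offenders: a few persistent sources dominate the count"
    return {"active": len(active), "repeat_offenders": repeat, "alarm": alarm, "verdict": verdict}


def demo(duration):
    """Run the triage 50 minutes after T0 for a given block duration."""
    return triage(constructed_events(), T0 + timedelta(minutes=50), duration)


if __name__ == "__main__":
    # Same event stream, two block durations: only the long block trips the alarm.
    for label, duration in (("short", SHORT_BLOCK), ("long", LONG_BLOCK)):
        r = demo(duration)
        print(f"{label:5s} block ({duration}): active={r['active']:3d} "
              f"alarm={r['alarm']} repeats={len(r['repeat_offenders'])} -> {r['verdict']}")
```

Running it shows the point the reply makes about the long threshold: the identical stream of 200 blocks over 50 minutes leaves only 11 IPs concurrently blocked under a 3-minute block, but all 200 (well past 150) under a 1-hour block, with just three of them being repeat sources. When real block logs are substituted for the constructed events, the same split between "many one-off IPs" and "few repeat IPs" is what separates the "adjust the policy or threshold" case from the "add a source-specific response" case.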
Original Message:
Sent: 06-06-2022 01:41
From: Ken Chau
Subject: More than 150 blocked Ips/Users for Server Group
Dear all,
Do you have any tips/advice for how to handle this alarm "More than 150 blocked Ips/Users for Server Group"?
I tried to manually release some blocked IP addresses, but then I see this alarm again. Is there anything I need to fine tune?
Thank you.
#On-PremisesWAF(formerlySecuresphere)
------------------------------
Ken Chau
IT Manager
Central Hong Kong
------------------------------