Add persistency for banned IP list 7.2.1
The banned-ip-persistency
option configures whether the banned IP list persists through a power cycle.
config firewall global set banned-ip-persistency {disabled | permanent-only | all} end
banned-ip-persistency {disabled | permanent-only | all} |
Set the persistency of banned IPs across power cycling:
|
The banned IP list is created from quarantining. For example, when quarantining is enabled for IPS, application control, and DDoS. Permanent quarantining can be added manually using diagnose user banned-ip add src4
.
The diagnose user quarantine <parameter>
command has changed to diagnose user banned-ip <parameter>
.
Example 1: keep all banned IPs across power cycling
When banned-ip-persistency
is set to all
, all the banned IPs are saved after a reboot. In this example, an application control security profile with quarantining is already configured. After traffic is generated that triggers the quarantine rule, a quarantine list is generated.
To view the list of banned IPs:
# diagnose user banned-ip list src-ip-addr created expires cause 10.1.100.12 Tue Jul 5 18:01:05 2022 Tue Jul 5 18:21:05 2022 APP
After a reboot, the banned IP list is the same:
# diagnose user banned-ip list src-ip-addr created expires cause 10.1.100.12 Tue Jul 5 18:01:05 2022 Tue Jul 5 18:21:05 2022 APP
Example 2: keep only permanent banned IPs across power cycling
When banned-ip-persistency
is set to permanent-only
, only banned IPs with an indefinite expiry time are saved after a reboot. The permanent IP ban was already configured for 10.1.100.11 using diagnose user banned-ip add src4 10.1.100.11 0 ips
.
To view the list of banned IPs:
# diagnose user banned-ip list src-ip-addr created expires cause 10.1.100.12 Tue Jul 5 18:01:05 2022 Tue Jul 5 18:21:05 2022 APP 10.1.100.11 Tue Jul 5 18:06:35 2022 indefinite IPS
After a reboot, only 10.1.100.11 remains in the banned IP list:
# diagnose user banned-ip list src-ip-addr created expires cause 10.1.100.11 Tue Jul 5 18:06:35 2022 indefinite IPS