
How does the Block IP active response work for multiple connected firewalls?

I'm somewhat new to LEM and was looking at using the Block IP active response in a rule. I don't see any option in the rule builder to select which of the LEM connected firewalls I want to block the IP on. If I start this rule will it attempt to block the specified IP on all of my firewalls or just the one the log came from? I'd really like to block the IP logged from the external firewall on the internal one but I'm not sure this is possible.

Thank you,

Shane Isbister

  • When a LEM rule hits the "Block IP" action, it sends a block IP command to every firewall device for which an "Active Response" has been configured under Manage --> Appliances --> Connectors.

  • curtisi,

    Have you tested this in an environment with multiple firewalls? When the support tech was configuring LEM with us he told my colleague that active response actions could only be taken on the firewall that generated the log. It seems silly to me that LEM would not allow you to select multiple firewalls/devices to take action on based on rule criteria. The action listed is just Block IP and there is no documentation that I have been able to find that explains how the active responses work in rules for multiple devices.

  • FormerMember (in reply to sisbister)

    That's not true - it's a broadcast to all firewalls with a block IP active response connector enabled/configured.

    You could in fact correlate events from a workstation/server and block them on a firewall/router, too.

    PS: If you have a case #, we can make sure this makes it back to the support team.

  • If the Block IP active response sends the command to all connected firewalls then this could lead to undesirable results such as double entries in the firewall that logged the event. This unfortunately will not satisfy what we are trying to accomplish. What I was hoping to be able to do was build a rule and have it perform the Block IP active response on one specific LEM connected firewall, not all of them. If this type of rule is not currently supported, are there plans to enable this selection functionality in a future version of LEM? This functionality seems like a valuable feature to have as it would offer the flexibility and granularity already present in LEM.

  • FormerMember (in reply to sisbister)

    It'll only broadcast the command if you've got an active response connector configured, and there might be some nuances to each firewall as to whether that matters - with Cisco IOS we do route to null, with Cisco PIX/ASA it's a shun, with Check Point it's a SAM block with a timeout, with Juniper/SonicWall devices (and others I'm forgetting) it's an actual entry in the policies that gets added. It's likely up to each OS as to whether it creates a dupe or not.

    I don't know if we have a feature request on thwack for targeting block IP responses to specific firewalls, but it's something I've heard before. Something like the way we do the "Send Popup Message" active response would work well here - if you don't specify a user, it sends to ALL connected/logged in users, but if you specify a user it only sends to that specific user.

    The original idea was that if one site detected an attack you could protect all sites from the same attack without having to configure a bunch of block IP actions for all the different possible sites.

  • It would be nice if it worked the way the "Send Popup Message" active response does. In our current configuration one of our firewalls will automatically block attacker IP addresses but we would like to then update the rest of the firewalls with those blocked addresses. If the block IP command does a blast to all active response connected firewalls this would cause a double entry on the firewall that originally detected the attack so it looks like we will have to handle this another way for now. Thank you for explaining how this works currently.

  • Or, just don't configure an Active Response for the Firewall that's auto-blocking, but have it log to the LEM so the rules can trigger the BlockIP on all the other firewalls.
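To make the behaviour described in the two replies above concrete (the broadcast to every device that has an active response connector, the per-platform form the block takes, the double entry on the firewall that already blocked the address itself, and the workaround of leaving the connector off the auto-blocking firewall), here is an added Python model. It is not LEM code and not part of the original thread: the connector inventory, the device names, the attacker address and the skip_source switch are assumptions for illustration (skip_source models the targeting the thread asks for, which LEM did not offer). The IOS null route, ASA shun and Check Point fw sam command strings are the standard CLI forms; the SAM timeout of 3600 seconds is assumed.

```python
"""Model of a broadcast "Block IP" active response.

Added example, not LEM's code or configuration. The fleet, the event and
the timeout are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Firewall:
    name: str
    platform: str              # "ios", "asa" or "checkpoint"
    active_response: bool      # connector configured under Manage -> Appliances -> Connectors
    blocked: list[str] = field(default_factory=list)   # addresses already blocked on the device


def block_command(platform: str, ip: str, timeout: int = 3600) -> str:
    """Render the per-platform block the reply describes."""
    if platform == "ios":
        return f"ip route {ip} 255.255.255.255 Null0"   # Cisco IOS: route to null
    if platform == "asa":
        return f"shun {ip}"                              # Cisco PIX/ASA: shun
    if platform == "checkpoint":
        return f"fw sam -t {timeout} -I src {ip}"        # Check Point: SAM block with timeout (assumed 3600 s)
    raise ValueError(f"unsupported platform: {platform}")


def broadcast_block(ip: str, source: str, fleet: list[Firewall],
                    skip_source: bool = False) -> dict[str, str]:
    """Send the block to every firewall that has an active response connector.

    There is no per-device targeting, so the firewall that generated the log
    receives the command too. skip_source is the hypothetical targeting option
    discussed in the thread, not a LEM setting.

    Returns {device name: command sent}; the marker "DUPLICATE" records a
    device where the address was already blocked (the double entry).
    """
    sent: dict[str, str] = {}
    for fw in fleet:
        if not fw.active_response:
            continue                        # no connector: the broadcast never reaches it
        if skip_source and fw.name == source:
            continue
        if ip in fw.blocked:
            sent[fw.name] = "DUPLICATE"     # already blocked locally, e.g. by the firewall's own auto-block
            continue
        fw.blocked.append(ip)
        sent[fw.name] = block_command(fw.platform, ip)
    return sent


def scenario(external_has_connector: bool) -> dict[str, str]:
    """Constructed fleet: the external firewall auto-blocked 203.0.113.7 itself
    and logged it to LEM; a rule on that log fires Block IP."""
    attacker = "203.0.113.7"
    fleet = [
        Firewall("fw-external", "asa", external_has_connector, blocked=[attacker]),
        Firewall("fw-internal", "checkpoint", True),
        Firewall("rtr-branch", "ios", True),
    ]
    return broadcast_block(attacker, source="fw-external", fleet=fleet)


if __name__ == "__main__":
    print("connector on the auto-blocking firewall:", scenario(True))
    print("connector left off (the workaround):    ", scenario(False))
```

With the connector configured on the external firewall the result contains a DUPLICATE entry for it alongside the real commands for the other two devices; with the connector left off, as the reply above suggests, the external firewall is simply absent from the broadcast and the internal firewall and branch router still receive their blocks.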

  • I had considered this but I think my superior wanted to be able to have active responses for other things on that firewall.