Can blacklist timeouts (TTL, lifetime) for "Scanner Protection" or "Botnet Blocking" be changed or increased?

Last modified on 8 Sep, 2020. Revision 5
The lifetime for IP-reputation-based blacklistings is hard-coded to 300 seconds. However, when the blacklisting is lifted, the next packet from/to such a host will trigger a new IP reputation lookup and re-block it. The blacklist merely acts as a cache here, so longer blacklist lifetimes afford you no greater security.
Up to date for: Core 12.00.22, 13.00.01
Supported since: Core 12.00.00
Status: OK
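
The cache behaviour described above, as a simplified Python model added here (not the product's code): it replays the same traffic with a 300-second and a 24-hour lifetime and compares verdicts and lookup counts. It assumes the reputation lookup finishes before the triggering packet is forwarded; the class and function names and the addresses are constructed for illustration.

```python
# Simplified model of an IP-reputation blacklist used as a TTL cache.
# Assumptions: the lookup completes before the triggering packet is forwarded,
# and clean verdicts are not cached. All names here are hypothetical.

BAD_HOSTS = {"203.0.113.7"}  # constructed reputation data (TEST-NET-3)


class ReputationFilter:
    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self.blacklist = {}  # ip -> expiry time in seconds
        self.lookups = 0

    def _lookup(self, ip):
        """Stand-in for the IP reputation database query."""
        self.lookups += 1
        return ip in BAD_HOSTS

    def allow(self, ip, now):
        """Return True if a packet from/to ip at time now is forwarded."""
        expiry = self.blacklist.get(ip)
        if expiry is not None and now < expiry:
            return False                  # cache hit: still blacklisted
        self.blacklist.pop(ip, None)      # entry expired or never existed
        if self._lookup(ip):              # next packet triggers a new lookup
            self.blacklist[ip] = now + self.ttl
            return False                  # re-blocked straight away
        return True


def replay(ttl_seconds, packets):
    """Replay (time, ip) packets; return (list of verdicts, lookup count)."""
    flt = ReputationFilter(ttl_seconds)
    verdicts = [flt.allow(ip, t) for t, ip in packets]
    return verdicts, flt.lookups


# Constructed traffic: a listed host probing every 200 s for an hour,
# interleaved with a clean host.
PACKETS = sorted(
    [(t, "203.0.113.7") for t in range(0, 3600, 200)]
    + [(t, "198.51.100.20") for t in range(50, 3600, 900)]
)

if __name__ == "__main__":
    for ttl in (300, 86400):
        verdicts, lookups = replay(ttl, PACKETS)
        print(f"ttl={ttl:>5}s dropped={verdicts.count(False)} lookups={lookups}")
```

In this model both lifetimes drop exactly the same packets; only the number of reputation lookups differs.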

See also: Threshold Rules

If you want to perform your own rate logic on hosts scanning your networks, please see “Threshold Rules”.

Threshold Rules are the only way to deal with rogue internal hosts attempting to scan your own networks - global IP reputation databases obviously know nothing about your private IP addresses.

And, yes, the blacklisting lifetimes can be configured for these.
