Manually Blocking and Removing a Block

Let's first look at manually blocking a specific IP address of a host or a network. Using the Cisco Secure Policy Manager, we need to perform the following steps:

1. Select Tools | View Sensor Events | Database to open the Event Viewer – Database Events.

2. Choose View | Connection Status Pane for an easier window format to view.

3. Pick an alarm with the source IP address of the target to be blocked.

4. From the menu bar, select Actions | Block | [Host… or Network…].

Shortly, a Shunning Hosts window will appear with the current status of this operation and if the block was successfully executed, a "Success" message will appear. This manually configured IP Block will have a default Blocking Duration of 1440 minutes, or 24 hours.

Now that we have covered how to invoke blocking manually on a host or network, let's take a look at how to remove a block from a host or network. This may be a desirable option if a critical host was not identified during the planning process of implementation, a false positive wasn't really an attack, or if a vulnerability was mitigated and the block is not needed anymore.

To remove a block, open the CSPM Event Viewer—do this the same way as when adding a block. Select the sensor which will allow us to view the block. Choose the block with the source IP address of the system or network we want to free up and select Actions | Block | [Host… or Network…]. As when implementing a manual block, a window will pop up with the current status information and a "Success" message will appear if the operation succeeded.