New Member

Blocking malicious IPs

Hello,

I have identified a few malicious IPs that are constantly hammering our web server. To block them I create an access rule for the outside interface: source IP is the malicious IP, destination is any, service is tcp-udp 1-65535, action is deny. Is this a proper way to block a malicious IP? I have been given an impression that they are more complicated and that it's not done properly.

2 REPLIES
Hall of Fame Super Blue

Re: Blocking malicious IPs

Charles

A simpler access-list would be

source ip / destination any / deny ip

If you use "deny ip", that covers all the tcp/udp ports + ICMP etc.

Bear in mind that it is easy to spoof a source IP address, so if you are going to block IP addresses be careful that you are sure you want to block them, otherwise you could end up denying access to your web server from valid clients.

Jon
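
The following is an added example, not part of Jon's reply or the original thread. It turns a reviewed list of candidate addresses into "deny ip" entries while refusing to block anything on an allowlist of known-good networks, which is the caution raised above. Assumptions: the firewall accepts ASA-style `access-list ... extended deny ip host <addr> any` syntax; the ACL name `OUTSIDE_IN`, the allowlist and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

# Constructed sample input: candidates picked from a usage chart after review.
CANDIDATES = ["203.0.113.45", "198.51.100.7", "192.0.2.10",
              "10.1.1.5", "not-an-ip", " 203.0.113.45"]
# Hypothetical allowlist: networks that must never be blocked
# (internal range, a partner range).
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8"),
             ipaddress.ip_network("192.0.2.0/24")]
ACL_NAME = "OUTSIDE_IN"  # hypothetical ACL name, assumed ASA-style syntax


def build_deny_entries(candidates, allowlist, acl_name=ACL_NAME):
    """Return (acl_lines, skipped); skipped maps a candidate to the reason."""
    lines, skipped, seen = [], {}, set()
    for raw in candidates:
        text = raw.strip()
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            skipped[text] = "not a valid IP address"
            continue
        if addr in seen:          # drop duplicates silently
            continue
        seen.add(addr)
        if addr.version != 4:     # this sketch only emits IPv4 host entries
            skipped[text] = "IPv6 not handled in this example"
            continue
        hit = next((net for net in allowlist if addr in net), None)
        if hit is not None:       # never emit a deny for a known-good network
            skipped[text] = f"allowlisted ({hit})"
            continue
        # "deny ip" matches every IP protocol: TCP, UDP, ICMP and the rest.
        lines.append(f"access-list {acl_name} extended deny ip host {addr} any")
    return lines, skipped


if __name__ == "__main__":
    acl, skipped = build_deny_entries(CANDIDATES, ALLOWLIST)
    print("\n".join(acl))
    for candidate, reason in skipped.items():
        print(f"! skipped {candidate}: {reason}")
```

Review the skipped list before applying anything. Access-list entries are matched top-down with the first match winning, so the deny entries need to sit above the rule that permits traffic to the web server.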

New Member

Re: Blocking malicious IPs

Hmmmm... I see. I understand. What would the process of banning someone look like, then? What I'm going by is: when I see xx packets from an IP in the top usage chart, I look that up in the access log, and if it looks bad I am now banning the IP by 'deny IP'.

Secondly, do you know how to exclude some IPs from the Top Usage chart? Or do you know how I can view a large usage list? Maybe using the CLI?
