{"id":3017,"date":"2026-03-26T12:37:46","date_gmt":"2026-03-26T12:37:46","guid":{"rendered":"https:\/\/inprotech.es\/?p=3017"},"modified":"2026-03-26T12:37:46","modified_gmt":"2026-03-26T12:37:46","slug":"active-blocking-of-malicious-ips-with-inprotech-guardian","status":"publish","type":"post","link":"https:\/\/inprotech.es\/en\/active-blocking-of-malicious-ips-with-inprotech-guardian\/","title":{"rendered":"Active Blocking of Malicious IPs with InproTech Guardian"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">The threat landscape in OT cybersecurity environments is evolving at an increasing pace. Industrial digitalisation, IT\/OT convergence and the need for remote connectivity have significantly expanded the exposure surface of critical infrastructures.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Traditionally, OT networks were designed under principles of strict isolation and segmentation. However, integration with corporate networks, external services, remote suppliers and maintenance platforms has progressively reduced that isolation, broadening the attack surface available to malicious actors.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This new scenario poses a significant technical challenge: maintaining the availability, operational continuity and stability requirements inherent to industrial environments, whilst incorporating defence mechanisms capable of responding to increasingly automated and distributed threats.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Traditional monitoring solutions, based exclusively on detection and alerting, prove insufficient against attacks that can escalate within seconds. 
The ability to automatically contain a threat before it impacts industrial processes becomes a critical requirement.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In this context, <\/span><b>InprOTech Guardian<\/b><span style=\"font-weight: 400;\"> introduces a new Active Blocking capability, designed to detect potentially malicious connectivity and execute immediate containment actions through direct integration with firewall infrastructures from multiple vendors.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This article details the architecture, operation and technical integration of this capability, as well as its application in OT environments that demand high standards of availability and control.<\/span><\/p>\n<h2><b>Problem Context<\/b><\/h2>\n<h3><b>Controlled exposure of OT services to external networks<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">The evolution of OT environments has made it necessary to expose certain services in a controlled manner towards external networks or the Internet. 
VPN access, remote administration services, industrial web portals or third-party integrations require publishing entry points protected by perimeter firewalls.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Although these openings are implemented under segmentation and control criteria, their mere existence introduces a constant flow of unsolicited traffic originating from external public IP addresses.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In practice, any service accessible from the Internet becomes a target for:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Automated scans.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Repeated authentication attempts.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Service enumeration.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Automated exploitation attempts.<\/span><\/li>\n<\/ul>\n<h3><b>Automated nature of external malicious traffic<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">A large proportion of today&#8217;s malicious traffic does not correspond to targeted attacks, but rather to automated processes that traverse complete ranges of public IP addresses in search of exposed services.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">These activities share common characteristics:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Origin in globally distributed public IP addresses.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Constant repetition of connection attempts.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">High frequency within short time windows.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span 
style=\"font-weight: 400;\">Use of previously compromised infrastructures.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Although many of these attempts fail to compromise the system, they generate:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Unnecessary load increase on perimeter devices.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Operational noise in monitoring systems.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Cumulative risk if they coincide with unpatched vulnerabilities.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Resource consumption in manual analysis.<\/span><\/li>\n<\/ul>\n<h3><b>Limitations of manual blocking at the perimeter<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">When a public IP address exhibiting malicious behaviour is identified, the standard procedure involves:<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Event verification.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Identification of the source IP.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Accessing the firewall.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Manually creating a blocking rule.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Validating the configuration.<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">This process presents several limitations:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Dependency on human intervention.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span 
style=\"font-weight: 400;\">Delay between detection and mitigation.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Difficulty scaling when facing multiple simultaneous IPs.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Potential for configuration errors.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Lack of consistency in applying temporary blocks.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">In environments with continuous Internet exposure, where the volume of automated attempts is high, this approach becomes inefficient.<\/span><\/p>\n<h3><b>The need for automatic containment of malicious public IPs<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Given this scenario, it becomes necessary to incorporate mechanisms that enable:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Automatic identification of public IP addresses exhibiting anomalous or malicious behaviour.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Immediate application of blocking measures at the firewall.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Controlled management of block duration.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Full traceability of all actions taken.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">The ability to automate the blocking of external malicious IPs at the perimeter reduces exposure time and optimises operational management, without altering the existing network architecture.<\/span><\/p>\n<h2><b>Active Blocking in Guardian<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">In response to the needs outlined above, Guardian introduces a new active blocking module for malicious IP 
addresses. This capability allows plant operators to detect, analyse and mitigate access attempts from potentially malicious public IP addresses, significantly reducing incident response times.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Through this mechanism, security teams can act quickly and efficiently, applying blocking measures directly within the network infrastructure to prevent unauthorised access or suspicious behaviour.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">To ensure integration across heterogeneous industrial environments, the module has been designed to interoperate with some of the most widely used firewall vendors in the industry, including <\/span><b>Palo Alto Networks, Stormshield, Fortinet, Check Point and OPNsense<\/b><span style=\"font-weight: 400;\">. The latter is worth highlighting \u2014 an open-source firewall and routing platform widely adopted in corporate and industrial environments, listed in the <\/span><b>ICT Security Products and Services Catalogue (CPSTIC)<\/b><span style=\"font-weight: 400;\"> of the <\/span><b>National Cryptologic Centre (CCN)<\/b><span style=\"font-weight: 400;\">. Its inclusion in this catalogue, within the framework of recommendations associated with the <\/span><b>National Security Scheme (ENS)<\/b><span style=\"font-weight: 400;\"> and the CCN-STIC guides, such as <\/span><b>CCN-STIC 105<\/b><span style=\"font-weight: 400;\">, demonstrates its suitability for use in infrastructures requiring high levels of security and regulatory compliance. 
This recognition reinforces its position within the perimeter security solutions ecosystem and justifies its integration into Guardian.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The system architecture has been conceived to allow straightforward incorporation of new vendors in the future, progressively expanding the catalogue of compatible devices and ensuring Guardian&#8217;s adaptability to different network infrastructures.<\/span><\/p>\n<h3><b>Module Configuration<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">The active IP blocking module in <\/span><b>InprOTech Guardian<\/b><span style=\"font-weight: 400;\"> has been designed to offer operators a high degree of flexibility and control, allowing its behaviour to be adapted to the security requirements of each industrial environment.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The system allows the IP reputation check for public addresses to be enabled or disabled. This component is responsible for analysing external IPs detected by Guardian and assessing whether they show signs of malicious or suspicious behaviour based on reputation systems and threat intelligence.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Once this assessment has been carried out, the blocking module determines what action should be taken against those IP addresses. To this end, Guardian offers different operating modes that allow the level of system automation to be adjusted:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Off: <\/b><span style=\"font-weight: 400;\">The system takes no action on the firewall. 
The blocking rule remains disabled.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Informative: <\/b><span style=\"font-weight: 400;\">Guardian analyses the reputation of detected IPs and provides information to the operator, suggesting possible blocking actions, but without interacting with the firewall.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Manual: <\/b><span style=\"font-weight: 400;\">The system enables the ability to block IP addresses from the Guardian interface, allowing the operator to make the final decision before applying the block on the firewall.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Automatic: <\/b><span style=\"font-weight: 400;\">Guardian applies the block directly on the firewall when an IP address is identified as malicious according to the defined reputation criteria.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">These operating modes allow Guardian to adapt the level of human intervention and automation, facilitating adoption both in environments requiring manual supervision and in infrastructures that need automatic, rapid responses to external threats.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-3007 aligncenter\" src=\"https:\/\/inprotech.es\/wp-content\/uploads\/2026\/03\/1.png\" alt=\"\" width=\"702\" height=\"112\" srcset=\"https:\/\/inprotech.es\/wp-content\/uploads\/2026\/03\/1.png 1515w, https:\/\/inprotech.es\/wp-content\/uploads\/2026\/03\/1-300x48.png 300w, https:\/\/inprotech.es\/wp-content\/uploads\/2026\/03\/1-1024x164.png 1024w\" sizes=\"auto, (max-width: 702px) 100vw, 702px\" \/><\/p>\n<h3><b>Firewall Configuration<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">The firewall integration configuration has been designed to be simple and fast, minimising the effort required to deploy the active blocking capability.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">To configure a vendor, it is only necessary 
to register the firewall in Guardian, specifying the corresponding vendor and the required connection parameters (such as host, credentials or API access keys). From this information, Guardian is able to manage communication with the device internally, applying the specific procedure required by each vendor.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-3009 aligncenter\" src=\"https:\/\/inprotech.es\/wp-content\/uploads\/2026\/03\/2.png\" alt=\"\" width=\"700\" height=\"215\" srcset=\"https:\/\/inprotech.es\/wp-content\/uploads\/2026\/03\/2.png 1490w, https:\/\/inprotech.es\/wp-content\/uploads\/2026\/03\/2-300x92.png 300w, https:\/\/inprotech.es\/wp-content\/uploads\/2026\/03\/2-1024x315.png 1024w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">In some cases, depending on the firewall vendor, it may be necessary to configure additional permissions for the user account used by Guardian, ensuring it has the capabilities required to query configurations and apply changes to security policies.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Once the firewall has been configured and the blocking policy defined, Guardian allows operators to block IP addresses quickly and easily directly from the platform. 
When an IP address is identified as potentially malicious, the system facilitates its immediate blocking on the firewall, significantly reducing response times to potential threats.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-3011 aligncenter\" src=\"https:\/\/inprotech.es\/wp-content\/uploads\/2026\/03\/3.png\" alt=\"\" width=\"702\" height=\"109\" srcset=\"https:\/\/inprotech.es\/wp-content\/uploads\/2026\/03\/3.png 1600w, https:\/\/inprotech.es\/wp-content\/uploads\/2026\/03\/3-300x47.png 300w, https:\/\/inprotech.es\/wp-content\/uploads\/2026\/03\/3-1024x159.png 1024w\" sizes=\"auto, (max-width: 702px) 100vw, 702px\" \/><\/p>\n<h3><b>Flexibility in Reputation Evaluation<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">In order to adapt to diverse industrial environments and the particularities of each infrastructure, Guardian incorporates flexibility mechanisms in the IP address reputation evaluation process.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In certain scenarios, a public IP address may be flagged as potentially malicious by reputation systems, even though the operator knows with certainty that the address corresponds to a legitimate service or a trusted partner. 
To address these situations, Guardian allows the configuration of whitelists for both IP addresses and MAC addresses.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-3013 aligncenter\" src=\"https:\/\/inprotech.es\/wp-content\/uploads\/2026\/03\/4.png\" alt=\"\" width=\"701\" height=\"341\" srcset=\"https:\/\/inprotech.es\/wp-content\/uploads\/2026\/03\/4.png 1088w, https:\/\/inprotech.es\/wp-content\/uploads\/2026\/03\/4-300x146.png 300w, https:\/\/inprotech.es\/wp-content\/uploads\/2026\/03\/4-1024x498.png 1024w\" sizes=\"auto, (max-width: 701px) 100vw, 701px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">This capability allows operators to explicitly authorise certain communication sources, ensuring these connections are not automatically blocked by the reputation mechanisms.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In this way, Guardian keeps reputation analysis and protection against external threats active, whilst providing operational teams with the control needed to adapt security policies to their operational reality, avoiding unnecessary disruption to legitimate communications.<\/span><\/p>\n<h3><b>Firewall Integration<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">To ensure consistency and facilitate interoperability, <\/span><b>InprOTech Guardian<\/b><span style=\"font-weight: 400;\"> has defined a common integration methodology for all firewall vendors supported by the platform.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This approach means that, regardless of the device used, Guardian follows a consistent operational flow to apply blocking policies and manage malicious IP addresses. 
This simplifies both implementation and system maintenance, whilst ensuring predictable behaviour across different network infrastructures.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The following is a practical example of this integration, intended to illustrate what actions Guardian performs within a firewall and how the blocking policy is applied. The procedure described is representative and analogous to that used with other compatible vendors.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">For this example, a Palo Alto Networks virtual firewall deployed via VM-Series will be used. Through this environment, the configuration and block management flow performed by Guardian within the firewall can be observed.<\/span><\/p>\n<h4><b>Initial State<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">Once the integration process between <\/span><b>InprOTech Guardian<\/b><span style=\"font-weight: 400;\"> and the firewall is complete, the system automatically prepares the infrastructure needed to manage IP address blocking.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">As part of this process, Guardian creates a dedicated filtering rule for blocking malicious IP addresses. 
This rule is associated with the blocking logic managed by the platform.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">By default, this rule is created in a disabled state, ensuring that the integration does not interfere with the existing security policy until the operator decides to activate the blocking module.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This behaviour allows the environment to be prepared safely, leaving the firewall ready to apply blocks at the moment the capability is enabled from Guardian.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-3015 aligncenter\" src=\"https:\/\/inprotech.es\/wp-content\/uploads\/2026\/03\/5.png\" alt=\"\" width=\"703\" height=\"145\" srcset=\"https:\/\/inprotech.es\/wp-content\/uploads\/2026\/03\/5.png 1351w, https:\/\/inprotech.es\/wp-content\/uploads\/2026\/03\/5-300x62.png 300w, https:\/\/inprotech.es\/wp-content\/uploads\/2026\/03\/5-1024x211.png 1024w\" sizes=\"auto, (max-width: 703px) 100vw, 703px\" \/><\/p>\n<h4><b>Activating the Blocking Module<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">Once the blocking module is enabled in Guardian, whether in Manual or Automatic mode, the system begins interacting directly with the firewall to apply the defined protection policy.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">At this point, Guardian automatically activates the filtering rule associated with blocking, allowing the firewall to begin evaluating traffic based on the IP addresses managed by the platform.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">It is important to note that Informative mode does not modify the firewall configuration, as its function is solely to provide context and recommendations to the operator without applying any blocking actions.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">With the rule activated, the firewall is ready to dynamically apply blocks to IP addresses that Guardian identifies as malicious, either through 
operator intervention or automatically according to the configured mode.<\/span><\/p>\n<h4><b>IP Blocking<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">As can be observed in the filtering rule configuration, it references an IP address group named <\/span><i><span style=\"font-weight: 400;\">&#8220;guardian_public_ips&#8221;<\/span><\/i><span style=\"font-weight: 400;\">. This group acts as a dynamic container that stores the IP addresses blocked by Guardian.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This approach enables centralised and efficient block management, eliminating the need to constantly modify the firewall policy. The rule simply references this group, whilst Guardian handles updating its contents as needed.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Initially, the group is empty. When Guardian identifies and blocks a malicious IP address, the platform automatically adds that IP to the group. Once part of this group, the firewall immediately applies the blocking policy defined by the rule.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Similarly, if a decision is later made to unblock the IP address, Guardian removes it from the group, causing the filtering rule to no longer apply to that address.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This mechanism enables dynamic block management, keeping the firewall policy stable and giving operators control over blocked IP addresses.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-3005 aligncenter\" src=\"https:\/\/inprotech.es\/wp-content\/uploads\/2026\/03\/6.png\" alt=\"\" width=\"702\" height=\"128\" srcset=\"https:\/\/inprotech.es\/wp-content\/uploads\/2026\/03\/6.png 1581w, https:\/\/inprotech.es\/wp-content\/uploads\/2026\/03\/6-300x55.png 300w, https:\/\/inprotech.es\/wp-content\/uploads\/2026\/03\/6-1024x187.png 1024w\" sizes=\"auto, (max-width: 702px) 100vw, 702px\" \/><\/p>\n<h3><b>Benefits<\/b><\/h3>\n<p><span style=\"font-weight: 
400;\">In industrial environments, where system availability and operational continuity are critical factors, the ability to detect and mitigate threats rapidly becomes a key element of any cybersecurity strategy. The malicious IP active blocking module of<\/span><b> InprOTech Guardian<\/b><span style=\"font-weight: 400;\"> has been designed precisely to meet these needs, providing operators with effective tools to protect their network infrastructure against unauthorised access.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The main benefits of this capability include:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Reduced incident response time: <\/b><span style=\"font-weight: 400;\">traditionally, managing blocks on firewalls requires a manual process involving threat identification, accessing the security device, modifying the filtering policy and applying the changes. With Guardian, this process is significantly simplified, enabling blocks to be applied immediately from a single platform, reducing the time needed to contain potential threats.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Centralised visibility over external IP addresses interacting with the infrastructure:<\/b><span style=\"font-weight: 400;\"> this allows operators to quickly identify suspicious or potentially malicious behaviour. This visibility supports informed decision-making and contributes to improving the organisation&#8217;s security posture.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Mitigation process automation: <\/b><span style=\"font-weight: 400;\">through the different operating modes \u2014 informative, manual and automatic \u2014 organisations can adapt the level of human intervention to their security policies. 
This supports everything from highly supervised environments, where every action is validated by an operator, to infrastructures that need to respond automatically to external threats within seconds.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>High operational flexibility: <\/b><span style=\"font-weight: 400;\">through integration with multiple firewall vendors. Many industrial infrastructures use heterogeneous security solutions, so having a platform capable of interacting with different devices simplifies management and unifies incident response.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Modularity and scalability:<\/b><span style=\"font-weight: 400;\"> the design ensures this capability can evolve and adapt to new industry requirements, enabling the incorporation of new firewall vendors and expanding the platform&#8217;s protection capabilities.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Taken together, the active blocking module makes Guardian a tool capable of detecting threats, supporting decision-making and applying protective measures rapidly and effectively, helping industrial organisations to strengthen their infrastructure security without increasing operational complexity.<\/span><\/p>\n<h2><b>Conclusion<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">The growing exposure of industrial infrastructures to external networks and connected services has significantly expanded the attack surface of OT systems. 
In this context, having tools that enable rapid detection, analysis and response to external threats has become a fundamental requirement for ensuring the security and continuity of operations.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The malicious IP active blocking module of<\/span><b> InprOTech Guardian<\/b><span style=\"font-weight: 400;\"> was developed to address this need, providing operators with a straightforward and effective means of identifying suspicious access attempts and applying mitigation measures directly within the network security infrastructure.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Thanks to its modular architecture and ability to integrate with multiple firewall vendors, Guardian enables centralised block management and significantly reduces incident response times, whilst maintaining the flexibility needed to adapt to different industrial environments.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">With this new capability, Guardian continues to expand its features as a protection and monitoring platform for industrial environments, helping organisations strengthen their cybersecurity posture without increasing the operational complexity of their systems.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The development of this module also represents a further step in the platform&#8217;s evolution, with the aim of continuing to incorporate new integrations and threat response capabilities, adapting to the security needs of an increasingly connected industrial sector.<\/span><\/p>\n<h2><b>Resources<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">[1] <\/span><a href=\"https:\/\/inprotech.es\/guardian\/\"><span style=\"font-weight: 400;\">Guardian &#8211; InprOTech<\/span><\/a><\/p>\n<p><span style=\"font-weight: 400;\">[2] <\/span><a href=\"https:\/\/docs.paloaltonetworks.com\/ngfw\/api\/getting-started\"><span style=\"font-weight: 
400;\">https:\/\/docs.paloaltonetworks.com\/ngfw\/api\/getting-started<\/span><\/a><\/p>\n<p><span style=\"font-weight: 400;\">[3] <\/span><a href=\"https:\/\/sc1.checkpoint.com\/documents\/latest\/APIs\/#introduction~v2.1%20\"><span style=\"font-weight: 400;\">https:\/\/sc1.checkpoint.com\/documents\/latest\/APIs\/#introduction~v2.1%20<\/span><\/a><\/p>\n<p><span style=\"font-weight: 400;\">[4] <\/span><a href=\"https:\/\/docs.fortinet.com\/document\/fortigate\/7.2.0\/secgw-for-mobile-networks-deployment\/238243\/fortios-rest-api\"><span style=\"font-weight: 400;\">https:\/\/docs.fortinet.com\/document\/fortigate\/7.2.0\/secgw-for-mobile-networks-deployment\/238243\/fortios-rest-api<\/span><\/a><\/p>\n<p><span style=\"font-weight: 400;\">[5] <\/span><a href=\"https:\/\/docs.opnsense.org\/development\/api.html\"><span style=\"font-weight: 400;\">https:\/\/docs.opnsense.org\/development\/api.html<\/span><\/a><\/p>\n<p><span style=\"font-weight: 400;\">[6] <\/span><a href=\"https:\/\/documentation.stormshield.eu\/SNS\/v5\/en\/Content\/User_Configuration_Manual_SNS_v5\/REST_API\/REST_API.htm\"><span style=\"font-weight: 400;\">https:\/\/documentation.stormshield.eu\/SNS\/v5\/en\/Content\/User_Configuration_Manual_SNS_v5\/REST_API\/REST_API.htm<\/span><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The threat landscape in OT cybersecurity environments is evolving at an increasing pace. Industrial digitalisation, IT\/OT convergence and the need for remote connectivity have significantly expanded the exposure surface of critical infrastructures. Traditionally, OT networks were designed under principles of strict isolation and segmentation. 
However, integration with corporate networks, external services, remote suppliers and maintenance&#8230;<\/p>\n","protected":false},"author":1,"featured_media":3019,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[49,17],"tags":[],"class_list":["post-3017","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-guardian-en","category-techpapers-en"],"acf":[],"yoast_head_json":{"title":"Active Blocking of Malicious IPs with InproTech Guardian - InprOTech","description":"Discover how InproTech Guardian detects and blocks malicious IPs in real time, reducing MTTR in critical OT environments without altering your network infrastructure.","canonical":"https:\/\/inprotech.es\/en\/active-blocking-of-malicious-ips-with-inprotech-guardian\/","article_published_time":"2026-03-26T12:37:46+00:00","author":"admin","twitter_misc":{"Written by":"admin","Est. reading time":"13 minutes"}}}