THE INFORMATION IN THIS ARTICLE APPLIES TO:
- EFT, v6.4 and later with DMZ Gateway
SYMPTOM
In the IP Access List in EFT, any "banned" IP addresses beyond the first 1000 are not blocked when DMZ Gateway is used. Connections from those addresses still pass through DMZ Gateway to EFT.
WORKAROUND
Update the DMZ Gateway configuration to allow more than 1000 banned IP addresses.
To update the DMZ Gateway configuration
- Open the DMZ Gateway configuration file, <InstallDir>\conf\DMZGatewayServerService.conf in a text editor.
- Add the following as a new line:
wrapper.java.additional.X=-DNetworkAccessPolicyExceptionLimit=Y
Where X is the next incremental value past the highest existing wrapper.java.additional property, and Y is the new limit. Because the property is passed to the JVM at startup, restart the DMZ Gateway service for the new limit to take effect.
Refer to KB article #11270, which describes a similar configuration option, as the model for passing values to the JVM.
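The following script, added here as an illustration and not part of Globalscape's own tooling, carries out the edit above: it finds the highest existing wrapper.java.additional.N index in a Java Service Wrapper configuration file, appends the -DNetworkAccessPolicyExceptionLimit property with the next index, and refuses to add a second copy if the limit is already configured. The sample configuration content is constructed for the example; the property name and the wrapper.java.additional.N syntax are taken from the article, and the file path is assumed to be the one the article names.

```python
import re
import shutil
from pathlib import Path

# Constructed sample of a Java Service Wrapper configuration; the real file is
# <InstallDir>\conf\DMZGatewayServerService.conf (path assumed from the article).
SAMPLE_CONF = """\
wrapper.java.command=java
wrapper.java.additional.1=-Xms128m
wrapper.java.additional.2=-Xmx1024m
# wrapper.java.additional.9=-Dcommented.out=true
wrapper.java.maxmemory=1024
"""

PROPERTY = "-DNetworkAccessPolicyExceptionLimit="
ADDITIONAL_RE = re.compile(r"^wrapper\.java\.additional\.(\d+)\s*=")


def next_additional_index(conf_text: str) -> int:
    """Return one past the highest wrapper.java.additional.N index in use.

    Lines commented out with '#' are skipped, since the wrapper ignores them
    and reusing their index would not clash with anything.
    """
    highest = 0
    for line in conf_text.splitlines():
        match = ADDITIONAL_RE.match(line.strip())
        if match:
            highest = max(highest, int(match.group(1)))
    return highest + 1


def configured_limit(conf_text: str):
    """Return the active NetworkAccessPolicyExceptionLimit value, or None."""
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        if PROPERTY in stripped:
            return int(stripped.split(PROPERTY, 1)[1].strip())
    return None


def add_exception_limit(conf_text: str, limit: int) -> str:
    """Append the limit property on a new line using the next free index.

    Raises ValueError for a non-positive limit or if the property already
    exists, so the file never ends up with two conflicting settings.
    """
    if limit <= 0:
        raise ValueError("limit must be a positive integer")
    existing = configured_limit(conf_text)
    if existing is not None:
        raise ValueError(f"limit already configured as {existing}; edit that line instead")
    index = next_additional_index(conf_text)
    new_line = f"wrapper.java.additional.{index}={PROPERTY}{limit}"
    if conf_text and not conf_text.endswith("\n"):
        conf_text += "\n"
    return conf_text + new_line + "\n"


def update_conf_file(path: Path, limit: int) -> Path:
    """Back up the file to <name>.bak, then write the updated configuration."""
    original = path.read_text(encoding="utf-8")
    updated = add_exception_limit(original, limit)
    backup = path.with_suffix(path.suffix + ".bak")
    shutil.copy2(path, backup)
    path.write_text(updated, encoding="utf-8")
    return backup


if __name__ == "__main__":
    # Dry run against the constructed sample; use update_conf_file() on the real path.
    print(add_exception_limit(SAMPLE_CONF, 5000))
```

Run it against a copy of the configuration file first and compare the .bak file with the result; the only change should be the single appended line, after which the DMZ Gateway service needs a restart.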
MORE INFORMATION
The DMZ Gateway has an upper limit on the size of the banned IP list that defaults to 1000. When using DMZ Gateway, IP address restrictions are enforced at the DMZ Gateway, not on EFT. Therefore, when you have more than 1000 blacklisted (or banned) IP addresses, you must raise the limit in the DMZ Gateway configuration as described above; otherwise the entries beyond the limit are silently not enforced.
See also KB article 10877, Adjust IP Access Rule Count Limit and IP Auto Ban List limit.