Screen OS

As I peruse through logs in my webservers/ftp/and other public facing boxes, I see constant attempted logins (don't we all).   About once a month, I have taken those handful of those addresses and add them to a group I called Intrusion Protection and Intrusion Protection 2.  I maxed out the first with 32 addresses so I moved on to another group.

My problem is for some reason it doesn't like the groups and allows the traffic anyway.   Usually, I am not able to catch someone in the process of hacking, so I assumed it was working.

Here is my (partial)config for the rule and groups.  Can anyone see why it wouldn't work?  If I add the single address as a rule, (even though it's a /24) it denies, but not in the group.  I've check to see if the rule was shadowed, but it is at the top.  Also, usually in the GUI under policy elements you would see "in use" if the element is in a rule and applied.  I don't see that.  Hopefully it's something dumb I'm missing.  thanks in advance.

set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"

set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"

set interface ethernet0/0 ip 206.181.xxx.123/xx
set interface ethernet0/0 route
set interface ethernet0/1 ip 10.1.2.1/24
set interface ethernet0/1 nat

set address "Untrust" "107.191.99.231/32" 107.191.99.231 255.255.255.255 "Hack"
set address "Untrust" "109.64.143.74/32" 109.64.143.74 255.255.255.255
set address "Untrust" "117.131.214.53/32" 117.131.214.53 255.255.255.255 "hack"
set address "Untrust" "121.40.167.158/32" 121.40.167.158 255.255.255.255 "Hack"
set address "Untrust" "122.225.243.194/32" 122.225.243.194 255.255.255.255 "hack"
set address "Untrust" "125.65.165.215/32" 125.65.165.21 255.255.255.255 "Hack"
set address "Untrust" "142.11.250.149/32" 142.11.250.149 255.255.255.255
set address "Untrust" "144.0.0.35/24" 144.0.0.35 255.255.255.0 "Hack"
set address "Untrust" "172.245.109.242/32" 172.245.109.242 255.255.255.255 "Hack"
set address "Untrust" "173.13.31.229/32" 173.13.31.229 255.255.255.255 "Hack"
set address "Untrust" "180.179.207.134" 180.179.207.134 255.255.255.255 "spam"
set address "Untrust" "182.171.246.59/32" 182.171.246.59 255.255.255.255 "hack"
set address "Untrust" "183.147.206.234/32" 183.147.206.234 255.255.255.255
set address "Untrust" "184.105.247.251/32" 184.105.247.251 255.255.255.255 "Hack"
set address "Untrust" "184.107.57.200/32" 184.107.57.200 255.255.255.255
set address "Untrust" "188.40.84.70/32" 188.40.84.70 255.255.255.255
set address "Untrust" "192.114.71.13" 192.114.71.13 255.255.255.255 "Hack"
set address "Untrust" "192.246.130.102/32" 192.246.130.102 255.255.255.255
set address "Untrust" "192.246.132.102/32" 192.246.132.102 255.255.255.255
set address "Untrust" "194.250.92.54/24" 194.250.92.54 255.255.255.0 "spam"
set address "Untrust" "199.103.62.185/32" 199.103.62.185 255.255.255.255 "hack"
set address "Untrust" "199.204.243.108/32" 199.204.243.108 255.255.255.255 "Hack"
set address "Untrust" "200.112.157.60/32" 200.112.157.60 255.255.255.255 "Hack"
set address "Untrust" "200.123.47.98/32" 200.123.47.98 255.255.255.255
set address "Untrust" "200.76.60.143/32" 200.76.60.143 255.255.255.255 "hack"
set address "Untrust" "203.157.232.3/32" 203.157.232.3 255.255.255.255 "Hack"
set address "Untrust" "206.169.168.178/32" 206.169.168.178 255.255.255.255
set address "Untrust" "207.226.141.42" 207.226.141.42 255.255.255.255 "Scan"
set address "Untrust" "207.226.141.42/32" 207.226.141.42 255.255.255.255 "hack"
set address "Untrust" "208.71.174.46/32" 208.71.174.46 255.255.255.255 "spam"
set address "Untrust" "209.12.107.2/32" 209.12.107.2 255.255.255.255
set address "Untrust" "210.77.64.228/32" 210.77.64.228 255.255.255.255 "Hack"
set address "Untrust" "216.218.206.67/32" 216.218.206.67 255.255.255.255 "Hack"
set address "Untrust" "217.37.170.113" 217.37.170.113 255.255.255.255 "spam"
set address "Untrust" "219.151.12.3/32" 219.151.12.3 255.255.255.255 "hack"
set address "Untrust" "24.217.91.115/32" 24.217.91.115 255.255.255.255 "Hack"
set address "Untrust" "27.38.41.129/32" 27.38.41.129 255.255.255.255 "spam"
set address "Untrust" "27.38.41.92" 27.38.41.92 255.255.255.255 "Spam"
set address "Untrust" "42.62.18.223/32" 42.62.18.223 255.255.255.255 "scan"
set address "Untrust" "43.229.52.0/24" 43.229.52.0 255.255.255.0 "Hack"
set address "Untrust" "43.229.52.135/32" 43.229.52.135 255.255.255.255 "Hack"
set address "Untrust" "43.229.53.1/24" 43.229.53.1 255.255.255.0 "hack"
set address "Untrust" "43.255.190.172/29" 43.255.190.172 255.255.255.248 "Hack"
set address "Untrust" "46.234.125.75/32" 46.234.125.75 255.255.255.255 "hack"
set address "Untrust" "54.148.154.28/32" 54.148.154.28 255.255.255.255 "Hack"
set address "Untrust" "54.218.213.208/32" 54.218.213.208 255.255.255.255 "hack"
set address "Untrust" "54.232.229.64/32" 54.232.229.64 255.255.255.255 "hack"
set address "Untrust" "54.69.48.5/32" 54.69.48.5 255.255.255.255 "Hack"
set address "Untrust" "58.218.213.208/32" 58.218.213.208 255.255.255.255 "hack"
set address "Untrust" "60.173.10.67/32" 60.173.10.67 255.255.255.255 "Hack/Asia"
set address "Untrust" "61.158.163.126/32" 61.158.163.126 255.255.255.255 "email"
set address "Untrust" "61.19.247.226/24" 61.19.247.226 255.255.255.0 "spam"
set address "Untrust" "66.203.50.180/32" 66.203.50.180 255.255.255.255 "Hack"
set address "Untrust" "69.175.26.234/32" 69.175.26.234 255.255.255.255
set address "Untrust" "69.28.82.191/32" 69.28.82.191 255.255.255.255 "Hack"
set address "Untrust" "71.164.218.63/32" 71.164.218.63 255.255.255.255 "Hack"
set address "Untrust" "71.63.64.8" 71.63.64.8 255.255.255.255 "Hack"
set address "Untrust" "80.14.52.162/32" 80.14.52.162 255.255.255.255
set address "Untrust" "80.82.78.2/32" 80.82.78.2 255.255.255.255 "Hack"
set address "Untrust" "82.80.234.142" 82.80.234.142 255.255.255.255 "Hack"
set address "Untrust" "82.80.244.57" 82.80.244.57 255.255.255.255 "Hack"
set address "Untrust" "82.80.249.164" 82.80.249.164 255.255.255.255 "Hack"
set address "Untrust" "85.195.109.195/32" 85.195.109.195 255.255.255.255 "spam"
set address "Untrust" "90.85.99.58/32" 90.85.99.58 255.255.255.255 "Hack"
set address "Untrust" "91.189.77.202/32" 91.189.77.202 255.255.255.255 "hack"
set address "Untrust" "92.234.29.229/32" 92.234.29.229 255.255.255.255
set address "Untrust" "93.174.93.119/32" 93.174.93.119 255.255.255.255 "Hack"
set address "Untrust" "93.174.93.20/32" 93.174.93.20 255.255.255.255 "Hack"
set address "Untrust" "94.102.50.56/32" 94.102.50.56 255.255.255.255 "hack"
set address "Untrust" "95.61.182.248/32" 95.61.182.248 255.255.255.255
set address "Untrust" "97.65.39.27/32" 97.65.39.27 255.255.255.255

set group address "Untrust" "Intrusion Protection" comment "Hack"
set group address "Untrust" "Intrusion Protection" add "107.191.99.231/32"
set group address "Untrust" "Intrusion Protection" add "125.65.165.215/32"
set group address "Untrust" "Intrusion Protection" add "144.0.0.35/24"
set group address "Untrust" "Intrusion Protection" add "172.245.109.242/32"
set group address "Untrust" "Intrusion Protection" add "173.13.31.229/32"
set group address "Untrust" "Intrusion Protection" add "180.179.207.134"
set group address "Untrust" "Intrusion Protection" add "184.105.247.251/32"
set group address "Untrust" "Intrusion Protection" add "192.114.71.13"
set group address "Untrust" "Intrusion Protection" add "194.250.92.54/24"
set group address "Untrust" "Intrusion Protection" add "199.204.243.108/32"
set group address "Untrust" "Intrusion Protection" add "200.112.157.60/32"
set group address "Untrust" "Intrusion Protection" add "208.71.174.46/32"
set group address "Untrust" "Intrusion Protection" add "210.77.64.228/32"
set group address "Untrust" "Intrusion Protection" add "217.37.170.113"
set group address "Untrust" "Intrusion Protection" add "24.217.91.115/32"
set group address "Untrust" "Intrusion Protection" add "27.38.41.92"
set group address "Untrust" "Intrusion Protection" add "54.148.154.28/32"
set group address "Untrust" "Intrusion Protection" add "54.69.48.5/32"
set group address "Untrust" "Intrusion Protection" add "60.173.10.67/32"
set group address "Untrust" "Intrusion Protection" add "66.203.50.180/32"
set group address "Untrust" "Intrusion Protection" add "69.28.82.191/32"
set group address "Untrust" "Intrusion Protection" add "71.164.218.63/32"
set group address "Untrust" "Intrusion Protection" add "71.63.64.8"
set group address "Untrust" "Intrusion Protection" add "82.80.234.142"
set group address "Untrust" "Intrusion Protection" add "82.80.244.57"
set group address "Untrust" "Intrusion Protection" add "82.80.249.164"
set group address "Untrust" "Intrusion Protection" add "85.195.109.195/32"
set group address "Untrust" "Intrusion Protection" add "90.85.99.58/32"
set group address "Untrust" "Intrusion Protection" add "93.174.93.119/32"
set group address "Untrust" "Intrusion Protection" add "93.174.93.20/32"
set group address "Untrust" "Intrusion Protection" add "95.61.182.248/32"
set group address "Untrust" "Intrusion Protection 2" comment "2nd list of 32"
set group address "Untrust" "Intrusion Protection 2" add "117.131.214.53/32"
set group address "Untrust" "Intrusion Protection 2" add "121.40.167.158/32"
set group address "Untrust" "Intrusion Protection 2" add "122.225.243.194/32"
set group address "Untrust" "Intrusion Protection 2" add "182.171.246.59/32"
set group address "Untrust" "Intrusion Protection 2" add "199.103.62.185/32"
set group address "Untrust" "Intrusion Protection 2" add "200.76.60.143/32"
set group address "Untrust" "Intrusion Protection 2" add "203.157.232.3/32"
set group address "Untrust" "Intrusion Protection 2" add "207.226.141.42"
set group address "Untrust" "Intrusion Protection 2" add "216.218.206.67/32"
set group address "Untrust" "Intrusion Protection 2" add "27.38.41.129/32"
set group address "Untrust" "Intrusion Protection 2" add "42.62.18.223/32"
set group address "Untrust" "Intrusion Protection 2" add "43.229.52.0/24"
set group address "Untrust" "Intrusion Protection 2" add "43.229.52.135/32"
set group address "Untrust" "Intrusion Protection 2" add "43.229.53.1/24"
set group address "Untrust" "Intrusion Protection 2" add "43.255.190.172/29"
set group address "Untrust" "Intrusion Protection 2" add "46.234.125.75/32"
set group address "Untrust" "Intrusion Protection 2" add "54.232.229.64/32"
set group address "Untrust" "Intrusion Protection 2" add "58.218.213.208/32"
set group address "Untrust" "Intrusion Protection 2" add "61.158.163.126/32"
set group address "Untrust" "Intrusion Protection 2" add "80.82.78.2/32"
set group address "Untrust" "Intrusion Protection 2" add "91.189.77.202/32"
set group address "Untrust" "Intrusion Protection 2" add "94.102.50.56/32"

set policy id 111 name "Hack-Block" from "Untrust" to "DMZ"  "Intrusion Protection" "Any" "ANY" deny log
set policy id 111
set src-address "Intrusion Protection 2"
set log session-init

Do you happen to have any kind of inbound NAT (MIP/VIP) you are using?  If so, you would need to configure the policy from those groups to the MIP address.

The public facing devices are MIPs.  But wouldn't the "any" cover those?  or do I have to create a "group" with the MIPs and reference them that way?

You would need to specify the MIP address in a policy.  MIP policies are global policies, which is why the traffic is failing to use the zone to zone policy.

I was concentrating on why the source addresses wouldn't take.  I just read about what you said.   Although I can't get the MIPs in a group, I have the "suspect" ips group. 

Just a thought though ....Is there an easier way to go about what I am doing?

You could create a negate MIP policy.  It would pretty much state "any except these."

 thanks for the help.