<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Malicious IP address log sudden increase in traffic in Next-Generation Firewall Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/malicious-ip-address-log-sudden-increasein-traffic/m-p/574830#M2535</link>
    <description>&lt;P&gt;Our Malicious IP Traffic Alert typically registers a few dozen hits a day. However, over the last weekend this has suddenly increased to a couple of thousand a day. I cannot see anything different apart from the quantity. The IP addresses are the same or from the same subnet. Should I just leave it, or what actions would you suggest?&lt;/P&gt;</description>
    <pubDate>Mon, 29 Jan 2024 22:56:32 GMT</pubDate>
    <dc:creator>peeryog</dc:creator>
    <dc:date>2024-01-29T22:56:32Z</dc:date>
    <item>
      <title>Malicious IP address log sudden increase in traffic</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/malicious-ip-address-log-sudden-increasein-traffic/m-p/574830#M2535</link>
      <description>&lt;P&gt;Our Malicious IP Traffic Alert typically registers a few dozen hits a day. However, over the last weekend this has suddenly increased to a couple of thousand a day. I cannot see anything different apart from the quantity. The IP addresses are the same or from the same subnet. Should I just leave it, or what actions would you suggest?&lt;/P&gt;</description>
      <pubDate>Mon, 29 Jan 2024 22:56:32 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/malicious-ip-address-log-sudden-increasein-traffic/m-p/574830#M2535</guid>
      <dc:creator>peeryog</dc:creator>
      <dc:date>2024-01-29T22:56:32Z</dc:date>
    </item>
    <item>
      <title>Re: Malicious IP address log sudden increase in traffic</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/malicious-ip-address-log-sudden-increasein-traffic/m-p/574903#M2538</link>
      <description>&lt;P&gt;Are you seeing these hits in a security policy, probably one using the PAN "malicious IPs" dynamic address group? Have you tried configuring a "Zone Protection Profile"? The default action is alert, but you can configure it to drop, or even to drop for X minutes. If you are being scanned, there is not much you can do other than drop the packets. If this were my network, I would look at the threat logs and try to determine what resource they are attacking. You probably have something exposed that has a vulnerability.&lt;/P&gt;</description>
      <pubDate>Tue, 30 Jan 2024 10:31:00 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/malicious-ip-address-log-sudden-increasein-traffic/m-p/574903#M2538</guid>
      <dc:creator>SteveKrall</dc:creator>
      <dc:date>2024-01-30T10:31:00Z</dc:date>
    </item>
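The triage step suggested in the reply above (pull the threat logs, work out which resource the hits are aimed at, and compare against the normal daily volume) as an added, stand-alone example that is not part of the thread or of any Palo Alto Networks tooling. The CSV layout, field names, rule name and addresses are constructed for this example and are only loosely modelled on PAN-OS threat log fields, not the real syslog column order, so map the columns before running it on a genuine export.

```python
"""Triage a sudden jump in 'malicious IP' hits from firewall threat logs.

Added example, not from the forum thread. The log format is a constructed,
simplified CSV (fields loosely modelled on PAN-OS threat log fields), not the
real PAN-OS syslog layout: remap the column names before using a real export.
"""
import csv
import io
import ipaddress
from collections import Counter

# Constructed "normal" day: a handful of scattered hits against two services.
BASELINE_DAY = """\
time,src,dst,dport,app,action,rule
2024-01-20T01:10:00Z,198.51.100.7,203.0.113.10,443,ssl,drop,Block-Malicious-IPs
2024-01-20T04:32:00Z,198.51.100.9,203.0.113.10,443,ssl,drop,Block-Malicious-IPs
2024-01-20T09:15:00Z,192.0.2.44,203.0.113.20,22,ssh,drop,Block-Malicious-IPs
2024-01-20T17:41:00Z,198.51.100.7,203.0.113.10,80,web-browsing,drop,Block-Malicious-IPs
"""


def make_spike_day(n_hits=2000):
    """Build the constructed 'spike' day: one /24 probing mostly one service."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["time", "src", "dst", "dport", "app", "action", "rule"])
    for i in range(n_hits):
        src = f"198.51.100.{(i % 254) + 1}"          # all sources share a /24
        if i % 10 == 9:                              # 10% probe SSH ...
            dst, dport, app = "203.0.113.20", "22", "ssh"
        else:                                        # ... 90% hammer one TLS service
            dst, dport, app = "203.0.113.10", "443", "ssl"
        minute = (i * 43) % 1440
        ts = f"2024-01-27T{minute // 60:02d}:{minute % 60:02d}:00Z"
        writer.writerow([ts, src, dst, dport, app, "drop", "Block-Malicious-IPs"])
    return buf.getvalue()


def parse_logs(text):
    """Parse the constructed CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def source_subnets(records, prefix=24):
    """Count hits per source network (default /24) to see if one block dominates."""
    counts = Counter()
    for row in records:
        net = ipaddress.ip_network(f"{row['src']}/{prefix}", strict=False)
        counts[str(net)] += 1
    return counts


def targets(records):
    """Count hits per (destination, port, app): the exposed resource being probed."""
    return Counter((row["dst"], row["dport"], row["app"]) for row in records)


def triage(baseline_text, current_text, spike_factor=10, focus_share=0.8):
    """Compare a current day against a baseline day and summarise what changed.

    'spike' means volume grew by at least spike_factor; 'focused' means one
    source /24 and one dst:port each account for at least focus_share of the
    hits, which separates a targeted probe of a single exposed service from
    diffuse background scanning. Thresholds are assumptions, tune per site.
    """
    base = parse_logs(baseline_text)
    cur = parse_logs(current_text)
    total = max(len(cur), 1)
    ratio = len(cur) / max(len(base), 1)
    top_subnet, subnet_hits = source_subnets(cur).most_common(1)[0]
    top_target, target_hits = targets(cur).most_common(1)[0]
    subnet_share = subnet_hits / total
    target_share = target_hits / total
    return {
        "baseline_hits": len(base),
        "current_hits": len(cur),
        "ratio": ratio,
        "spike": ratio >= spike_factor,
        "top_subnet": top_subnet,
        "subnet_share": subnet_share,
        "top_target": top_target,
        "target_share": target_share,
        "focused": subnet_share >= focus_share and target_share >= focus_share,
    }


if __name__ == "__main__":
    result = triage(BASELINE_DAY, make_spike_day())
    for key, value in result.items():
        print(f"{key}: {value}")
```

A "spike" that is also "focused" is the case the reply warns about: the blocked source block has found one service worth repeated attention, so the next step is to check what is listening at that destination and port rather than only watching the drop count rise. A spike that is not focused looks more like broad scanning and is usually just noise to keep dropping.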
    <item>
      <title>Re: Malicious IP address log sudden increase in traffic</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/malicious-ip-address-log-sudden-increasein-traffic/m-p/574931#M2539</link>
      <description>&lt;P&gt;Yes, they are set up to be dropped and that is working. It has always worked; it's just that there has been a sudden and dramatic increase in these types of alerts, so I am wondering if there is something else I should be alert to, as you mentioned, something exposed that has piqued some external interest.&lt;/P&gt;</description>
      <pubDate>Tue, 30 Jan 2024 14:20:33 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/malicious-ip-address-log-sudden-increasein-traffic/m-p/574931#M2539</guid>
      <dc:creator>peeryog</dc:creator>
      <dc:date>2024-01-30T14:20:33Z</dc:date>
    </item>
  </channel>
</rss>

