topic Re: IP blcoking on ip scan in Advanced Threat Prevention Discussions

IP blcoking on ip scan

SShnap — Wed, 14 Feb 2018 22:15:39 GMT

I wonder if there is dynamic blocking IP if on short period of time that IP did ip scan or try the same vulnerability attack on our IP range, becuse the attack was once on each policy rule it doesn't reach the vulnerability protection limit for blocking the IP.

So if the monitor logs show the same IP on diffrerent policy rules in short period it will do IP block for 30/60 min.

maybe I miss something or it is something they can think about on new versions.

Thank you

SShnap

Re: IP blcoking on ip scan

bvandivier — Wed, 14 Feb 2018 22:27:28 GMT

Some Threat IDs such as Brute Force related signatures do block based on time attributes. Multiple examples are listed in the following article.

https://live.paloaltonetworks.com/t5/Threat-Vulnerability-Articles/Brute-Force-Signature-and-Related-Trigger-Conditions/ta-p/52284

Also, the Reconnaisance Protection section of a Zone Protection profile can enforce blocking based on scan activity as can DoS Protection as well. More info can be found here.

https://live.paloaltonetworks.com/t5/Tech-Note-Articles/Understanding-DoS-Protection/ta-p/54562?attachment-id=1085

Re: IP blcoking on ip scan

mivaldi — Wed, 14 Feb 2018 23:08:42 GMT

Depending on how the scan was performed, it could have also triggered Host Sweep, TCP Port Scan or UDP Port Scan Reconnaissance protections in Zone Protection. Check the Threat Logs for any entries related to type (if i remember correctly) 'scan'.

If the activity triggered a Network Flood protection you would find Threat Log entries with log type 'flood'.

Re: IP blcoking on ip scan

SShnap — Wed, 14 Feb 2018 23:09:48 GMT

thank you for the reply

I'm femilier with "Brute Force Signature" but it only block IP when they hit the same policy rule or same destination according to out you configure (10 times for 60 sec).

It's not working when attacker is doing the same attack on IP range so he hits one or twice on each IP and the rule isn't sense that traffic to alert or block.

Re: IP blcoking on ip scan

bvandivier — Thu, 15 Feb 2018 16:04:24 GMT

Understood, in which case Zone Protection and/or DoS Protection would be the appropriate features to leverage.

Re: IP blcoking on ip scan

SShnap — Thu, 15 Feb 2018 16:53:31 GMT

OK I will try to enable the zone protection on the DMZ and track the logs.

I enable flood protection SYN, ICMP, UDP, Other IP, increase the activate threshold so I can get alerting without activating the drop action.

Under Reconnaissance protection I enable all three and set the action to alert.

I also enable the packet based attack protection as best practice followed:

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/threat-prevention/best-practices-for-securing-your-network-from-layer-4-and-layer-7-evasions

hope to see result after tuning.

Thank you all