<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Threat blocked by Palo Alto: Is there anything else to do? in Advanced Threat Prevention Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threat-blocked-by-palo-alto-is-there-anything-else-to-do/m-p/228366#M383</link>
    <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;When the Palo Alto blocks a communication that is flagged as a threat (i.e. SQL Injection, XSS, etc.), should we investigate the target IP to make sure that the threat was blocked? The reason I'm asking is that whenever the Palo Alto blocks an attack from an IP address (Session End Reason is "threat"), if we go into the "Traffic" view, we can see that not all the communications with that offending IP were terminated with a "threat" reason. Some of them are terminated by "tcp-rst-from-client" or "tcp-rst-both". In that case, I'm wondering if part of the attack (or payload) could have gone through to the destination IP before the Palo Alto stopped it. Are these connections expected, so that there is nothing to worry about, or should we still investigate?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thank you.&lt;/P&gt;</description>
    <pubDate>Mon, 27 Aug 2018 14:15:01 GMT</pubDate>
    <dc:creator>yschinck</dc:creator>
    <dc:date>2018-08-27T14:15:01Z</dc:date>
    <item>
      <title>Threat blocked by Palo Alto: Is there anything else to do?</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threat-blocked-by-palo-alto-is-there-anything-else-to-do/m-p/228366#M383</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;When the Palo Alto blocks a communication that is flagged as a threat (i.e. SQL Injection, XSS, etc.), should we investigate the target IP to make sure that the threat was blocked? The reason I'm asking is that whenever the Palo Alto blocks an attack from an IP address (Session End Reason is "threat"), if we go into the "Traffic" view, we can see that not all the communications with that offending IP were terminated with a "threat" reason. Some of them are terminated by "tcp-rst-from-client" or "tcp-rst-both". In that case, I'm wondering if part of the attack (or payload) could have gone through to the destination IP before the Palo Alto stopped it. Are these connections expected, so that there is nothing to worry about, or should we still investigate?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thank you.&lt;/P&gt;</description>
      <pubDate>Mon, 27 Aug 2018 14:15:01 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threat-blocked-by-palo-alto-is-there-anything-else-to-do/m-p/228366#M383</guid>
      <dc:creator>yschinck</dc:creator>
      <dc:date>2018-08-27T14:15:01Z</dc:date>
    </item>
    <item>
      <title>Re: Threat blocked by Palo Alto: Is there anything else to do?</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threat-blocked-by-palo-alto-is-there-anything-else-to-do/m-p/231211#M408</link>
      <description>&lt;P&gt;Bump.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Should I just create a ticket and ask that question to support directly...?&lt;/P&gt;</description>
      <pubDate>Tue, 18 Sep 2018 12:48:43 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threat-blocked-by-palo-alto-is-there-anything-else-to-do/m-p/231211#M408</guid>
      <dc:creator>yschinck</dc:creator>
      <dc:date>2018-09-18T12:48:43Z</dc:date>
    </item>
    <item>
      <title>Re: Threat blocked by Palo Alto: Is there anything else to do?</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threat-blocked-by-palo-alto-is-there-anything-else-to-do/m-p/231223#M409</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;I would investigate, but it doesn't mean that things were compromised. It could have just been a scan, and some of the traffic was allowed and some got blocked. While not always a good indicator, you have to look at all the traffic holistically; I look at the amount of data transferred, whether it was a large amount or small.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Hope that helps.&lt;/P&gt;</description>
      <pubDate>Tue, 18 Sep 2018 14:15:08 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threat-blocked-by-palo-alto-is-there-anything-else-to-do/m-p/231223#M409</guid>
      <dc:creator>OtakarKlier</dc:creator>
      <dc:date>2018-09-18T14:15:08Z</dc:date>
    </item>
  </channel>
</rss>