https://live.paloaltonetworks.com/t5/advanced-threat-prevention/default-action-for-sql-injection-attacks/m-p/238446#M452 <P>Leaving medium to default allows so much bad stuff through.</P><P>I have even low severety set to reset-both with only 3 manual exeptions in there for traffic sourcinf from wan and handful more for internal traffic.</P> Fri, 02 Nov 2018 21:47:03 GMT Raido_Rattameister 2018-11-02T21:47:03Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/default-action-for-sql-injection-attacks/m-p/235975#M436 <P>Following a sudden spike in SQLMap threats, I was looking at the default action for SQL injection threats and I noticed that it is is only an "alert" which seems odd for that kind of attack.&nbsp; Has anyone looked deeper into this and/or changed the action and is there a reason for this not being a reset/drop action?</P> Thu, 18 Oct 2018 12:09:58 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/default-action-for-sql-injection-attacks/m-p/235975#M436 djr 2018-10-18T12:09:58Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/default-action-for-sql-injection-attacks/m-p/236285#M439 <P>Hello,</P><P>While it is by deafult sert to alert, I found its best to block threats by Severity. As you can see by the picture, this Vulnerability Protection Profile, when added to a Policy, will reset the traffic so it cannot cause any damage:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17250i0125B124E1502F54/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span>I hope this makes sense.</P><P>&nbsp;</P><P>Regards,</P> Fri, 19 Oct 2018 20:45:54 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/default-action-for-sql-injection-attacks/m-p/236285#M439 OtakarKlier 2018-10-19T20:45:54Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/default-action-for-sql-injection-attacks/m-p/236456#M440 <P>Hi,</P><P>&nbsp;</P><P>We already reset Critical and high, but use the PAN default below that so the difference between your profile and ours is really just that you extend that down to medium.</P><P>&nbsp;</P><P>I see you also use the default action for low and info which is probably for the same reason we&nbsp;do - some of the low and info threats are by default blocked which we found odd.&nbsp; The PAN severity classification seems a bit weird which is why I was asking if anyone knew a reason why SQL injection was only an alert by default - if the detection is robust I would expect this to be a block by default.&nbsp;</P> Mon, 22 Oct 2018 11:16:53 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/default-action-for-sql-injection-attacks/m-p/236456#M440 djr 2018-10-22T11:16:53Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/default-action-for-sql-injection-attacks/m-p/236527#M441 <P>Hello,</P><P>I would recommend setting the medium to also reset or block. There are going to be some exceptions, at least there are in my environemtn so I had to create special exception cases for them.</P><P>&nbsp;</P><P>Regards,</P> Mon, 22 Oct 2018 17:04:07 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/default-action-for-sql-injection-attacks/m-p/236527#M441 OtakarKlier 2018-10-22T17:04:07Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/default-action-for-sql-injection-attacks/m-p/236641#M442 <P>OK thanks, I will look a bit closer at what other medium level threats we are seeing, with a view to doing that.</P><P>&nbsp;</P><P>Many thanks</P> Tue, 23 Oct 2018 09:47:50 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/default-action-for-sql-injection-attacks/m-p/236641#M442 djr 2018-10-23T09:47:50Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/default-action-for-sql-injection-attacks/m-p/238446#M452 <P>Leaving medium to default allows so much bad stuff through.</P><P>I have even low severety set to reset-both with only 3 manual exeptions in there for traffic sourcinf from wan and handful more for internal traffic.</P> Fri, 02 Nov 2018 21:47:03 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/default-action-for-sql-injection-attacks/m-p/238446#M452 Raido_Rattameister 2018-11-02T21:47:03Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/default-action-for-sql-injection-attacks/m-p/238564#M454 <P>Thanks, I don't think I will go that far just yet, but have put medium to reset-both&nbsp;for spyware and vulnerabilities.&nbsp;</P> Mon, 05 Nov 2018 09:28:50 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/default-action-for-sql-injection-attacks/m-p/238564#M454 djr 2018-11-05T09:28:50Z