topic Vulnerability block more than 3600 seconds. in Advanced Threat Prevention Discussions

Vulnerability block more than 3600 seconds.

IbestSec — Tue, 08 Dec 2020 03:12:00 GMT

Hello there,

We have a constant brute force attempt on port 25 of our email server. We put the vulnerability profile to block these attacks and consequently block the ip for 3600 seconds, however in some cases this ip will try again immediately after the maximum blocking time. Is there any way to increase this type of attack for 1 day of blocking, or is the only solution a fixed rule to specifically block these insistent ips?

Re: Vulnerability block more than 3600 seconds.

mivaldi — Thu, 24 Dec 2020 22:31:25 GMT

You can time-tag the source ip using a log forwarding profile built-in action.

Once the source is tagged, create an Address Group (Dynamic) (DAG) and set it to match the created tag.

You will then configure a Security Policy that will precede the current one being matched where the source is the DAG, and set the rule to Deny. The sources will remain tagged for the time lapse configured in the Log Forwarding profile built-in action, and after the time expires, they will be removed from the tag, therefore being matched again by the currently matched rule.

If you need instructions, I recently wrote an article on doing something similar to inhibit email alerts (retrigger timer). The article is not yet public because it is undergoing a revision process. If you need a copy please open a support case and ask for the case to be assigned to me. You can reference this post in the case.

Re: Vulnerability block more than 3600 seconds.

zellahoran — Thu, 28 Jan 2021 03:46:08 GMT

@mivaldi wrote:
You can time-tag the source ip using a log forwarding profile built-in action.

Once the source is tagged, create an Address Group (Dynamic) (DAG) and set it to match the created tag.

You will then configure a Security Policy that will precede the current one being matched where the source is the DAG, and set the rule to Deny. The sources will remain tagged for the time lapse configured in the Log Forwarding profile built-in action, and after the time expires, they will be removed from the tag, therefore being matched again by the currently matched rule.

If you need instructions, I recently wrote an article on doing something similar to inhibit email alerts (retrigger timer). The article is not yet public because it is undergoing a revision process. If you need a copy please open a support case and ask for the case to be assigned to me. You can reference this post in the case.

I did everything, thanks for help.