<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Can the Palo Alto Firewall auto-quarantine users based on the number of violations they have made in a particular time? in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/can-the-palo-alto-firewall-autoguarantine-users-based-on-the/m-p/535383#M110131</link>
    <description>&lt;P&gt;Hello to All,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Can the Palo Alto Firewall auto-quarantine users based on the number of violations they have made in a particular time?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I know that Palo Alto can add users or IP addresses to a dynamic group using auto-tagging with tags (&lt;A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic-user-groups" target="_blank"&gt;https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic-user-groups&lt;/A&gt;), but when I tried to make a Log Filter for the Log Profile I do not see the exact options to say: if a user does 5 threat violations in 60 seconds, then add the tag that matches the dynamic user group used in a blocking rule in the security policy.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Log-filter-bad-user.PNG" style="width: 999px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/48952i72D26B5326F3F36E/image-size/large?v=v2&amp;amp;px=999" role="button" title="Log-filter-bad-user.PNG" alt="Log-filter-bad-user.PNG" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;With Cortex XSOAR I know that this can be done using the SIEM logs, but I think there is no native firewall function to do this.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://www.youtube.com/watch?v=X3YLLNv1kpg" target="_blank"&gt;https://www.youtube.com/watch?v=X3YLLNv1kpg&lt;/A&gt;&lt;/P&gt;</description>
    <pubDate>Wed, 22 Mar 2023 11:08:15 GMT</pubDate>
    <dc:creator>nikoolayy1</dc:creator>
    <dc:date>2023-03-22T11:08:15Z</dc:date>
    <item>
      <title>Can the Palo Alto Firewall auto-quarantine users based on the number of violations they have made in a particular time?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/can-the-palo-alto-firewall-autoguarantine-users-based-on-the/m-p/535383#M110131</link>
      <description>&lt;P&gt;Hello to All,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Can the Palo Alto Firewall auto-quarantine users based on the number of violations they have made in a particular time?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I know that Palo Alto can add users or IP addresses to a dynamic group using auto-tagging with tags (&lt;A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic-user-groups" target="_blank"&gt;https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic-user-groups&lt;/A&gt;), but when I tried to make a Log Filter for the Log Profile I do not see the exact options to say: if a user does 5 threat violations in 60 seconds, then add the tag that matches the dynamic user group used in a blocking rule in the security policy.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Log-filter-bad-user.PNG" style="width: 999px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/48952i72D26B5326F3F36E/image-size/large?v=v2&amp;amp;px=999" role="button" title="Log-filter-bad-user.PNG" alt="Log-filter-bad-user.PNG" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;With Cortex XSOAR I know that this can be done using the SIEM logs, but I think there is no native firewall function to do this.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://www.youtube.com/watch?v=X3YLLNv1kpg" target="_blank"&gt;https://www.youtube.com/watch?v=X3YLLNv1kpg&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 22 Mar 2023 11:08:15 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/can-the-palo-alto-firewall-autoguarantine-users-based-on-the/m-p/535383#M110131</guid>
      <dc:creator>nikoolayy1</dc:creator>
      <dc:date>2023-03-22T11:08:15Z</dc:date>
    </item>
    <item>
      <title>Re: Can the Palo Alto Firewall auto-quarantine users based on the number of violations they have made in a particular time?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/can-the-palo-alto-firewall-autoguarantine-users-based-on-the/m-p/535527#M110150</link>
      <description>&lt;P&gt;This may work with profiles that are already time-bound, like brute-force ((category-of-threatid eq brute-force)), but tracking 'random' threats will require an external SIEM or XSOAR.&lt;/P&gt;</description>
      <pubDate>Thu, 23 Mar 2023 08:34:25 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/can-the-palo-alto-firewall-autoguarantine-users-based-on-the/m-p/535527#M110150</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2023-03-23T08:34:25Z</dc:date>
    </item>
    <item>
      <title>Re: Can the Palo Alto Firewall auto-quarantine users based on the number of violations they have made in a particular time?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/can-the-palo-alto-firewall-autoguarantine-users-based-on-the/m-p/535533#M110155</link>
      <description>&lt;P&gt;For brute-force protection a custom &lt;SPAN&gt;&lt;EM&gt;combination signature with "number of hits"&lt;/EM&gt;&lt;/SPAN&gt; can also do the job by matching the parameters, but it seems that for violations it is better to use external automation. Still, nowadays many users are behind the same IP address, so it is better to do brute-force protection on dedicated WAF devices that fingerprint the source device than to use the NGFW firewall for this job.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I am doing that at the moment, but without an XSOAR solution, as it was not available.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I am trying to get the Splunk SIEM to trigger a bash script from a custom alert based on a user triggering too many violations in 60 seconds (&lt;A href="https://docs.splunk.com/Documentation/SplunkCloud/latest/Alert/Configuringscriptedalerts" target="_blank" rel="noopener"&gt;https://docs.splunk.com/Documentation/SplunkCloud/latest/Alert/Configuringscriptedalerts&lt;/A&gt;); the script has an Ansible playbook in it, and I pass it parameters such as the users that need the good tag (to block them) (&lt;A href="http://api-lab.paloaltonetworks.com/registered-user.html" target="_blank" rel="noopener"&gt;http://api-lab.paloaltonetworks.com/registered-user.html&lt;/A&gt;) &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Edit:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Now I see that Ansible does not have a module for DUG (dynamic user group), just DAG (dynamic address group), so either I will have to use the Ansible URI module to script it, or the bash script can just use curl with a for loop to send the bad users that need to be tagged. Probably no one decided to make an Ansible module for DUG, which is what it is.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://ansible-pan.readthedocs.io/en/latest/modules/panos_dag_tags_module.html" target="_blank"&gt;https://ansible-pan.readthedocs.io/en/latest/modules/panos_dag_tags_module.html&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 23 Mar 2023 10:07:38 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/can-the-palo-alto-firewall-autoguarantine-users-based-on-the/m-p/535533#M110155</guid>
      <dc:creator>nikoolayy1</dc:creator>
      <dc:date>2023-03-23T10:07:38Z</dc:date>
    </item>
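    Added example (not from the thread, and not Palo Alto Networks code): the sliding-window check that the Log Forwarding filter cannot express, implemented the way nikoolayy1's SIEM-plus-script approach would do it. It reads a constructed, simplified threat-log excerpt, flags any user with 5 or more threat events inside a 60-second window, and builds the PAN-OS User-ID register-user payload (a uid-message with one tag member per user and a timeout, so the quarantine expires on its own) that the Splunk alert script would POST to the firewall's /api/?type=user-id endpoint in a single call instead of a per-user curl loop. The tag name quarantine, the firewall hostname, the 3600-second timeout, the column names of the log excerpt and the threshold values are assumptions; the dynamic user group that matches the tag and the blocking security rule must already exist on the firewall, and the same uid-message format carries a register element keyed by IP address when a DAG is used instead of a DUG.

```python
"""Count threat-log hits per user in a sliding window and tag the offenders
through the PAN-OS User-ID API (register-user with a tag timeout).

Added example for the thread above: the log excerpt, tag name, hostname and
thresholds are assumptions, not anything from the original posts.
"""
import csv
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified threat-log excerpt (a real PAN-OS threat log has many
# more columns; only the fields this script needs are kept).
SAMPLE_THREAT_LOG = """receive_time,src_user,src_ip,threat_name,category
2023/03/22 10:00:01,acme\\alice,10.1.1.5,Generic Exploit Attempt,vulnerability
2023/03/22 10:00:05,acme\\bob,10.1.1.6,Generic Exploit Attempt,vulnerability
2023/03/22 10:00:12,acme\\alice,10.1.1.5,SQL Injection Attempt,vulnerability
2023/03/22 10:00:25,acme\\alice,10.1.1.5,Directory Traversal,vulnerability
2023/03/22 10:00:40,acme\\alice,10.1.1.5,Generic Exploit Attempt,vulnerability
2023/03/22 10:00:55,acme\\alice,10.1.1.5,Command Injection,vulnerability
2023/03/22 10:02:05,acme\\bob,10.1.1.6,Generic Exploit Attempt,vulnerability
2023/03/22 10:04:05,acme\\bob,10.1.1.6,Generic Exploit Attempt,vulnerability
2023/03/22 10:05:00,acme\\dave,10.1.1.8,Generic Exploit Attempt,vulnerability
2023/03/22 10:05:30,acme\\dave,10.1.1.8,Generic Exploit Attempt,vulnerability
2023/03/22 10:05:59,acme\\dave,10.1.1.8,Generic Exploit Attempt,vulnerability
2023/03/22 10:06:00,acme\\dave,10.1.1.8,Generic Exploit Attempt,vulnerability
2023/03/22 10:06:01,acme\\dave,10.1.1.8,Generic Exploit Attempt,vulnerability
2023/03/22 10:06:05,acme\\bob,10.1.1.6,Generic Exploit Attempt,vulnerability
2023/03/22 10:06:30,acme\\dave,10.1.1.8,Generic Exploit Attempt,vulnerability
2023/03/22 10:08:05,acme\\bob,10.1.1.6,Generic Exploit Attempt,vulnerability
"""

THRESHOLD = 5                   # threat events that trigger the quarantine
WINDOW = timedelta(seconds=60)  # ... inside this sliding window
TAG = "quarantine"              # assumed tag; a DUG matching it must exist
TAG_TIMEOUT = 3600              # seconds until the firewall drops the tag


def parse_threat_log(text):
    """Return (receive_time, src_user) pairs, oldest first."""
    events = []
    for row in csv.DictReader(text.splitlines()):
        ts = datetime.strptime(row["receive_time"], "%Y/%m/%d %H:%M:%S")
        events.append((ts, row["src_user"]))
    events.sort()
    return events


def find_offenders(events, threshold=THRESHOLD, window=WINDOW):
    """Map each user whose hit count reaches `threshold` inside `window` to the
    time the threshold was first crossed (window edges are inclusive)."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, user in events:
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and user not in flagged:
            flagged[user] = ts
    return flagged


def build_register_user_payload(users, tag=TAG, timeout=TAG_TIMEOUT):
    """Build the User-ID uid-message that registers `tag` on each user.
    ElementTree does the escaping, so odd characters in user names are safe."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    reg = ET.SubElement(ET.SubElement(root, "payload"), "register-user")
    for user in sorted(users):
        entry = ET.SubElement(reg, "entry", user=user)
        tags = ET.SubElement(entry, "tag")
        ET.SubElement(tags, "member", timeout=str(timeout)).text = tag
    return ET.tostring(root, encoding="unicode")


def build_api_request(host, api_key, payload):
    """URL and form body for the firewall's User-ID API (HTTP POST)."""
    url = f"https://{host}/api/?type=user-id"
    body = urllib.parse.urlencode({"key": api_key, "cmd": payload}).encode()
    return url, body


def push_tags(host, api_key, payload):
    """POST the payload; TLS verification stays on, so the management
    certificate must be trusted by the host running this script."""
    url, body = build_api_request(host, api_key, payload)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    offenders = find_offenders(parse_threat_log(SAMPLE_THREAT_LOG))
    for user, when in offenders.items():
        print(f"{user}: {THRESHOLD} hits within {WINDOW.seconds}s by {when}")
    print(build_register_user_payload(offenders))
    # push_tags("fw.example.net", "API_KEY", build_register_user_payload(offenders))
```

Run as a script it prints the two offenders from the constructed excerpt (alice, and dave, whose fifth hit lands exactly 60 seconds after the first one the window still holds) and the payload; in the Splunk scripted alert the parsed events would come from the alert's result set and push_tags would be called with the firewall's API key. Because the tag carries a timeout, the user leaves the dynamic user group on its own once it expires, and a repeat offender is simply re-registered.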
  </channel>
</rss>

