topic Network blocking and detecting capabilities in case of similar abnormal symptoms traffic in General Topics

Network blocking and detecting capabilities in case of similar abnormal symptoms traffic

JoHyeonJae — Tue, 09 May 2023 02:48:02 GMT

Hello all,

Hope you are doing well.

Our customer who is using PA3220 experienced external public IP blockage due to abnormal symptoms traffic.

Upon investigation, it was found that a test Linux server installed internally attempted SSH brute force attacks against an unspecified number of external public IPs.

We would like to know if the PaloAlto PA device has any network blocking and detecting capabilities in case of similar abnormal symptoms traffic.

Although it seems that PaloAlto can sufficiently detect abnormal traffic if one client attempts to SSH connect (attack) to an unspecified number of others, we cannot find any logs or alarms related to the symptoms.

Thanks,

Re: Network blocking and detecting capabilities in case of similar abnormal symptoms traffic

kiwi — Tue, 09 May 2023 08:44:04 GMT

Hi @JoHyeonJae ,

To enforce protection against brute force attacks make sure to attach the Vulnerability Protection profile to a Security policy rule.

See Set Up Antivirus, Anti-Spyware, and Vulnerability Protection

Install content updates that include new signatures to protect against emerging threats. See Install Content and Software Updates.

You can have all the security profiles in the world... if you don't apply them to your policy they won't protect you (also make sure that you log appropriately).

Kind regards,

-Kiwi.

RE: Network blocking and detecting capabilities in case of similar abnormal symptoms traffic

JoHyeonJae — Wed, 10 May 2023 00:45:44 GMT

@kiwi
Thank you for your response. The customer is already using the Vulnerability Protection Profile. In this case, could you please advise what actions need to be taken for blocking?

RE: Network blocking and detecting capabilities in case of similar abnormal symptoms traffic

JoHyeonJae — Wed, 10 May 2023 02:14:41 GMT

@kiwi

I have a few questions while setting up the Vulnerability Protection Rule.

What does the Duration value mean in the Vulnerability Protection Rule, and what criteria are used to detect and block/detect abnormal traffic?

If the Duration is set to 3600, does the PA device analyze all traffic generated by the Vulnerability Protection Profile during the one-hour period and block the Source IP suspected of brute-force attacks?

Can you explain what criteria the PA device uses to identify traffic suspected of brute-force attacks?
Thanks,