https://live.paloaltonetworks.com/t5/general-topics/how-to-block-the-real-ips-from-cdn/m-p/2627#M1959 <HTML><HEAD></HEAD><BODY><P>Are they embedding the IP address in the TCP option 28 header or HTTP 'x-forwarded-for' header or another header?&nbsp; </P><P></P><P>If they are using&nbsp; the TCP option 28 header, I suggest you contact your local Palo Alto Nwks' SE and submit a feature request.&nbsp; </P><P></P><P>If they are using the HTTP 'x-forwarded-for' header, the PA can log the header so you can correlate the logs to determine the real IP of the intruder.&nbsp; From there, you can write a custom threat signature to match the real IP and block this new custom threat. This is a manual process though.</P></BODY></HTML> Mon, 27 Jan 2014 16:44:53 GMT rmonvon 2014-01-27T16:44:53Z https://live.paloaltonetworks.com/t5/general-topics/how-to-block-the-real-ips-from-cdn/m-p/2624#M1956 <HTML><HEAD></HEAD><BODY><P>Is there any function that can makes the PA block the traffic of the real IP instead of CDN IPs?</P><P>We deployed the PA NGFW on the external side of our web server and enabled the Threat Prevention function. Because we are using the CDN, so from the web server, all the source IPs in the traffic are hosted by the CDN service provider.</P><P>So when the PA&nbsp; NGFW blocks&nbsp; the source IP addresses because of the attack behavior, is there any way to block the real IPs of the attackers nor the IPs hosted by the CDN provider?</P><P>Thanks!</P></BODY></HTML> Sun, 26 Jan 2014 04:55:47 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-block-the-real-ips-from-cdn/m-p/2624#M1956 SteveY 2014-01-26T04:55:47Z https://live.paloaltonetworks.com/t5/general-topics/how-to-block-the-real-ips-from-cdn/m-p/2625#M1957 <HTML><HEAD></HEAD><BODY><P>Hi...Do you know if the CDN provider is passing the real IP address in any way to your web server such that the PA can see it?</P></BODY></HTML> Mon, 27 Jan 2014 15:34:15 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-block-the-real-ips-from-cdn/m-p/2625#M1957 rmonvon 2014-01-27T15:34:15Z https://live.paloaltonetworks.com/t5/general-topics/how-to-block-the-real-ips-from-cdn/m-p/2626#M1958 <HTML><HEAD></HEAD><BODY><P>Thanks for reply, rmonvon.</P><P>Yes, we have asked our CDN provider to pass the real IP addresses in the packet header.</P><P>Do you have any idea?<img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P></BODY></HTML> Mon, 27 Jan 2014 15:55:12 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-block-the-real-ips-from-cdn/m-p/2626#M1958 SteveY 2014-01-27T15:55:12Z https://live.paloaltonetworks.com/t5/general-topics/how-to-block-the-real-ips-from-cdn/m-p/2627#M1959 <HTML><HEAD></HEAD><BODY><P>Are they embedding the IP address in the TCP option 28 header or HTTP 'x-forwarded-for' header or another header?&nbsp; </P><P></P><P>If they are using&nbsp; the TCP option 28 header, I suggest you contact your local Palo Alto Nwks' SE and submit a feature request.&nbsp; </P><P></P><P>If they are using the HTTP 'x-forwarded-for' header, the PA can log the header so you can correlate the logs to determine the real IP of the intruder.&nbsp; From there, you can write a custom threat signature to match the real IP and block this new custom threat. This is a manual process though.</P></BODY></HTML> Mon, 27 Jan 2014 16:44:53 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-block-the-real-ips-from-cdn/m-p/2627#M1959 rmonvon 2014-01-27T16:44:53Z https://live.paloaltonetworks.com/t5/general-topics/how-to-block-the-real-ips-from-cdn/m-p/2628#M1960 <HTML><HEAD></HEAD><BODY><P>Thanks for your reply.</P><P>They are embedding the IP address in the HTTP 'x-forwarded-for' header.</P><P>Can the blocking function be automatical?</P><P>For example, if the attacker is launching a DOS attack, can PA only block or quarantine the real IP nor the CDN IP?</P></BODY></HTML> Mon, 27 Jan 2014 17:43:38 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-block-the-real-ips-from-cdn/m-p/2628#M1960 SteveY 2014-01-27T17:43:38Z https://live.paloaltonetworks.com/t5/general-topics/how-to-block-the-real-ips-from-cdn/m-p/2629#M1961 <HTML><HEAD></HEAD><BODY><P>For example, if I enable syn flood prevetion, will the PA FW quarantine the real IPs or CDN IP? Thank you!</P><P><IMG alt="1.png" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/11332_1.png" /></P></BODY></HTML> Mon, 27 Jan 2014 17:58:12 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-block-the-real-ips-from-cdn/m-p/2629#M1961 SteveY 2014-01-27T17:58:12Z https://live.paloaltonetworks.com/t5/general-topics/how-to-block-the-real-ips-from-cdn/m-p/2630#M1962 <HTML><HEAD></HEAD><BODY><P>The default behavior of the PA will take action on the source IP address, and in this case this would be the CDN's IP address.&nbsp;&nbsp; At this time, the PA cannot take action on the <SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">IP address in the HTTP 'x-forwarded-for' header.</SPAN>&nbsp; Please contact <SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">your local Palo Alto Nwks' SE and submit a feature request.&nbsp; You can turn on logging for<SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"> HTTP 'x-forwarded-for' header:</SPAN></SPAN></P><P></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-1128">Enabling support for the X-Forwarded-For HTTP header</A></P></BODY></HTML> Mon, 27 Jan 2014 18:17:22 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-block-the-real-ips-from-cdn/m-p/2630#M1962 rmonvon 2014-01-27T18:17:22Z