topic Re: is it safe to raise "action" to block? in General Topics

is it safe to raise "action" to block?

RonaldGo — Fri, 17 Jun 2011 00:56:00 GMT

i noticed that in some "critical", "high" and "medium" severity vulnerabilities, the default action is just "alert"... especially those brute-force attempts.

at the moment, our system is set for default to take care of these. however, i remember a thread here advising to set the action to "block" for medium severity on the server side vulnerabilities... is it safe to set action to "block" for "critical", "high" and "medium" severity for server side? will this break applications?

thanks!

rgds,

- ron

Re: is it safe to raise "action" to block?

dagibbs — Fri, 17 Jun 2011 05:07:47 GMT

Ronaldgoh wrote:

i noticed that in some "critical", "high" and "medium" severity vulnerabilities, the default action is just "alert"... especially those brute-force attempts.

thanks!

rgds,

- ron

If you raise your level to "block" and the threat is detected the firewall will, as the name suggests, block the traffic from transitting.

Now, if you're 100% sure the threats being detected are valid, then I suggest you might want to block them.

If, however, you're worried about false positives - then don't. The block action may well break soemthing, especially if it triggers a positive threat detection when it's not really a threat.

"Alert" is good if you have time to sit and watch threat logs, and can get on top of reported threats immediately - if you're like msot people and DON'T have this time, then block is a good option. Depends how paranoid you are, and how critical potentially blocking a valid action might be.

Cheers

Re: is it safe to raise "action" to block?

itchelpdesk — Fri, 16 Sep 2011 14:00:39 GMT

If you raise your level to "block" and the threat is detected the firewall will, as the name suggests, block the traffic from transitting.

Now, if you're 100% sure the threats being detected are valid, then I suggest you might want to block them.

If, however, you're worried about false positives - then don't. The block action may well break soemthing, especially if it triggers a positive threat detection when it's not really a threat.

Hi! I just checked and it doesn`t seem to be possible to export this list of vulnerabilities and default actions when you go Objects> Antivirus, Anti-spyware and Vulnerability Protection and then choose New - Custom.

Where is the list available in printable format?

Your quick answer would be much appreciated.

Regards.

Re: is it safe to raise "action" to block?

tettema — Fri, 16 Sep 2011 22:26:18 GMT

Hi,

In 4.0 you can view all the signatures along with their default actions by creating or opening a profile, and clicking "custom". From there you can page through all the signatures and see their default actions. Similarly, in 4.1, you'll have the same capability in the Exceptions tab.

While this can get you the data you're looking for, it is still page-by-page, and not readily printable. However, we do have a feature coming down the pipeline that will allow you to perform a CSV export of all signatures in a given profile. You will be able to use this feature with a wildcare profile to get the report you're looking for.

Re: is it safe to raise "action" to block?

jleung — Sat, 17 Sep 2011 07:41:33 GMT

Hi,

Also, there are some companies which prefer to have very strict security and they will choose block as the action. On the other hand if service availablity is much more important you better choose medium and review specific sig on and off.

Re: is it safe to raise "action" to block?

itchelpdesk — Mon, 19 Sep 2011 08:37:49 GMT

While this can get you the data you're looking for, it is still 
page-by-page, and not readily printable.  However, we do have a feature 
coming down the pipeline that will allow you to perform a CSV export of 
all signatures in a given profile.  You will be able to use this feature 
with a wildcare profile to get the report you're looking for.

Hi!

Can you please advise in which version the feature will be enabled to export the vulnerability information in CSV?

Regards.

Re: is it safe to raise "action" to block?

RonaldGo — Tue, 20 Sep 2011 06:01:25 GMT

I've raised action to block for a lot of the brute-force attacks... and the status on the monitor shows "drop-all-packets"... but the attacks kept continuing... is there a setting to stop the connection for 10 minutes or more?

even though the packets are dropped (according to PA monitor), thje attackers seem to just continue with the brute force attacks on our systems... it's quite irritating and i suspect eventually they might be able to get through...

wish PA can change the way it responds to brute force threats...

- ron

Re: is it safe to raise "action" to block?

jleung — Tue, 20 Sep 2011 06:37:39 GMT

Hi,

Yes for brute force attack we can have time based block ip as action.

Go to object -> Vul profiles -> choose custom and click on the small "pencil" icon of the brute force sig to configure it.