https://live.paloaltonetworks.com/t5/general-topics/block-ip-address/m-p/4487#M3324 <HTML><HEAD></HEAD><BODY><P>I agree with the original poster and the feature he is requesting.&nbsp; I'd like to be able to block the IP outright if it hits a certain threshold of threats without pre-determining which threats the attacker will hit (no way to know).</P><P></P><P>is this feature coming? when?</P></BODY></HTML> Thu, 21 Nov 2013 16:00:37 GMT jshdpw 2013-11-21T16:00:37Z https://live.paloaltonetworks.com/t5/general-topics/block-ip-address/m-p/4483#M3320 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Is there a way to block a specific IP address if you detect multiple threats coming from this IP? For example block an IP address after the detection of 5 threats coming from this IP within 1 minute.</P><P>I know you can block an IP&nbsp; but only as an action after the detection of a specific threat.</P><P></P><P>Kind regards</P></BODY></HTML> Tue, 20 Nov 2012 07:54:08 GMT https://live.paloaltonetworks.com/t5/general-topics/block-ip-address/m-p/4483#M3320 atticabank 2012-11-20T07:54:08Z https://live.paloaltonetworks.com/t5/general-topics/block-ip-address/m-p/4484#M3321 <HTML><HEAD></HEAD><BODY><P>Yes, you can block a source IP or combo source/dest pair for a time period using custom signatures.&nbsp; Here's an example to block the source IP for threat 10353.&nbsp; Make sure to select 'Combination' for signature type.</P><P></P><P><IMG __jive_id="4759" alt="" class="jiveImage" src="https://live.paloaltonetworks.com/legacyfs/online/4759_pastedImage_0.png" style="width: 598px; height: 284px;" /></P><P><IMG __jive_id="4769" alt="" class="jiveImage" src="https://live.paloaltonetworks.com/legacyfs/online/4769_pastedImage_1.png" style="width: 603px; height: 249px;" /></P><P></P><P>Thanks.</P></BODY></HTML> Tue, 20 Nov 2012 15:34:07 GMT https://live.paloaltonetworks.com/t5/general-topics/block-ip-address/m-p/4484#M3321 rmonvon 2012-11-20T15:34:07Z https://live.paloaltonetworks.com/t5/general-topics/block-ip-address/m-p/4485#M3322 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Thanks for the reply. What about if I don't know the ThreatIDs? Lets suppose that the attacker runs a vulnerability scanner. Is it possible for the 'Condition' option to configure something like 'any threatID'?</P><P></P><P>Kind regards</P></BODY></HTML> Wed, 28 Nov 2012 13:55:42 GMT https://live.paloaltonetworks.com/t5/general-topics/block-ip-address/m-p/4485#M3322 atticabank 2012-11-28T13:55:42Z https://live.paloaltonetworks.com/t5/general-topics/block-ip-address/m-p/4486#M3323 <HTML><HEAD></HEAD><BODY><P>The custom signature method requires a selection of threatIDs.&nbsp; For scanner detection, we can use DoS Protection to detect port scan, sweep, etc and block the source IP.&nbsp; Thanks.</P></BODY></HTML> Fri, 30 Nov 2012 19:11:15 GMT https://live.paloaltonetworks.com/t5/general-topics/block-ip-address/m-p/4486#M3323 rmonvon 2012-11-30T19:11:15Z https://live.paloaltonetworks.com/t5/general-topics/block-ip-address/m-p/4487#M3324 <HTML><HEAD></HEAD><BODY><P>I agree with the original poster and the feature he is requesting.&nbsp; I'd like to be able to block the IP outright if it hits a certain threshold of threats without pre-determining which threats the attacker will hit (no way to know).</P><P></P><P>is this feature coming? when?</P></BODY></HTML> Thu, 21 Nov 2013 16:00:37 GMT https://live.paloaltonetworks.com/t5/general-topics/block-ip-address/m-p/4487#M3324 jshdpw 2013-11-21T16:00:37Z