topic vulnerability block action in General Topics

vulnerability block action

PanIst — Thu, 18 Sep 2014 13:29:33 GMT

Hi,

when creating a profile choosing block action is seen as "reset-both" on the logs.

is that normal behaviour or not ? Thanks.

Re: vulnerability block action

HULK — Thu, 18 Sep 2014 14:55:59 GMT

Hello Panlst,

This is an expected behavior. In this case, the PAN firewall blocked that Vulnerability and send TCP RST packet to both parties ( Server and client) to close the connection.

Thanks

Re: vulnerability block action

pulukas — Thu, 18 Sep 2014 15:08:18 GMT

PA should probably update the help file for these vulnerability options. The wording is ambiguous and I assume that block was a drop and not a reset action.

Action

Choose the action (Alert, Allow, Default, or Block) to take when the rule is triggered. The Default action is based on the pre-defined action that is part of each signature provided by Palo Alto Networks. To view the default action for a signature, navigate to Objects > Security Profiles > Vulnerability Protection and click Add or select an existing profile. Click the Exceptions tab and then click Show all signatures. A list of all signatures will displayed and you will see an Action column.

Re: vulnerability block action

HULK — Thu, 18 Sep 2014 15:08:40 GMT

Hello Panlst,

As per the screenshots attached in this discussion thread, the firewall identifies the vulnerability with threat ID: 35107

If you check the default action of this Vulnerability signature, is to reset the connection.

Hope this helps.

Thanks

Re: vulnerability block action

pulukas — Thu, 18 Sep 2014 15:21:14 GMT

But PanLst is choosing "Block" not "Default" for the action.

The help file does not specify which action occurs with "Block" drop or reset. Are you saying above that the action is reset both?

Re: vulnerability block action

PanIst — Fri, 19 Sep 2014 07:25:30 GMT

but we choose block not default.There is something wrong here.Block = reset both

Re: vulnerability block action

HULK — Fri, 19 Sep 2014 15:08:59 GMT

Hello Panlst,

My apologies, i understand it wrongly. You are correct, As per the DOC: Vulnerability Profile Actions if traffic is hitting this vulnerability-protection rule, it should simply drop all packets for that session.

Could you please provide a snapshot of the traffic logs and security rule, just to confirm the vulnerability rule "ALL" applied to the correct policy.

Thanks

Re: vulnerability block action

Retired Member — Fri, 26 Sep 2014 20:58:13 GMT

Hi HULK;

I replicated that.

Here are the screens.I think there is something wrong with definitions or explanations.

Re: vulnerability block action

kfindlen — Fri, 26 Sep 2014 21:21:50 GMT

The default action is defined by Palo Alto Networks on a per-threat basis as either alert or block.

Every vulnerability has a "block" behavior. Some block behaviors send a reset to the server or client, or in this case, both. For this example the default action is block, and the block behavior is reset-both. Even though the action being taken is block, the threat log will show the block behavior that was used to terminate the session under the action column.

Quick edit:

If you want to change the "block" behavior for a threat, you must configure an exception.

Re: vulnerability block action

Retired Member — Fri, 26 Sep 2014 21:25:23 GMT

Thanks for answer.

So block behaviour should be added somewhere on the guides as definiton also I think.

Re: vulnerability block action

Aryanto — Sat, 31 Dec 2022 09:20:58 GMT

It's hard form me make Definition to any of this Threat ID, Like XMRig Miner Command and Control Traffic Detection(85886) or MVPower DVR Shell Unauthenticated Command Execution Vulnerability(57566).
Do you have any guide or E-Book for make any definition of Threat ID.