https://live.paloaltonetworks.com/t5/general-topics/how-to-create-a-blacklist-with-certain-ip-sources/m-p/48738#M35891 <HTML><HEAD></HEAD><BODY><P>Hi Jo</P><P></P><P>The rule is my deny-all rule and I want to create another rule before it disabling the logging only for these attacking Ips. </P><P></P><P>Gonzalo</P></BODY></HTML> Fri, 18 Oct 2013 09:23:20 GMT SOC_CSG 2013-10-18T09:23:20Z https://live.paloaltonetworks.com/t5/general-topics/how-to-create-a-blacklist-with-certain-ip-sources/m-p/48735#M35888 <HTML><HEAD></HEAD><BODY><P>Hello everybody</P><P></P><P>The problem I have is this. I have identifed about 70 attacking ips and I like to block completly the traffic from them (I already have and deny-rule in the bottom of my polices but this rule log the traffic). I like to create a rule to deny this traffic or a blacklist to include these ip address avoiding any kind of logging (syslog or SNMP trap)</P><P></P><P>Could someone help?</P><P></P><P>Best regards</P><P></P><P>GonzaloArroyo</P></BODY></HTML> Tue, 15 Oct 2013 08:39:03 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-create-a-blacklist-with-certain-ip-sources/m-p/48735#M35888 SOC_CSG 2013-10-15T08:39:03Z https://live.paloaltonetworks.com/t5/general-topics/how-to-create-a-blacklist-with-certain-ip-sources/m-p/48736#M35889 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P><BR />Not completely sure what you mean here.</P><P>But you can turn all logging on a rule off if you go into the rule and "action".</P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Remove the "Log at Session End" option.</SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"> </SPAN></P><TABLE cellspacing="0" class="x-table-layout" height="154" style="font-family: Tahoma, Arial, Helvetica, sans-serif; background-color: #ebedee; height: 154px; width: 396px;" width="396"><TBODY><TR><TD class="x-table-layout-cell" colspan="1" rowspan="1" style="font-size: 11px;" valign="top"><P class="x-form-label-left"></P><DIV class="x-tab-item x-form-item" style="margin: 0 0 4px; font-family: tahoma, helvetica, arial, sans-serif; color: #222222;"><LABEL class="x-form-item-label" for="ext-comp-6396" style="padding: 3px 3px 3px 0;"></LABEL><DIV class="x-form-element" style="padding: 0 0 0 105px; font-family: Tahoma, Arial, Helvetica, sans-serif;"><DIV class="x-form-check-wrap" style="padding: 3px 0;"><DIV class="x-form-checkbox-inner" style="background-position: no-repeat no-repeat;"><INPUT class="x-form-checkbox x-form-field" name="ext-comp-6396" style="font-family: tahoma, arial, helvetica, sans-serif; font-size: 12px;" tabindex="140" type="checkbox" /><P></P><P class="x-form-cb-indentDiv" style="margin: 0 0 0 21px;"><LABEL class="x-form-cb-label" for="ext-comp-6396" style="padding: 0 3px 0 0;">Log at Session Start</LABEL></P></DIV></DIV></DIV></DIV></TD></TR><TR><TD class="x-table-layout-cell" colspan="1" rowspan="1" style="font-size: 11px;" valign="top"><P class="x-form-label-left"></P><DIV class="x-tab-item x-form-item" style="margin: 0 0 4px; font-family: tahoma, helvetica, arial, sans-serif; color: #222222;"><LABEL class="x-form-item-label" for="ext-comp-6398" style="padding: 3px 3px 3px 0;"></LABEL><DIV class="x-form-element" style="padding: 0 0 0 105px; font-family: Tahoma, Arial, Helvetica, sans-serif;"><DIV class="x-form-check-wrap" style="padding: 3px 0;"><DIV class="x-form-check-checked x-form-checkbox-inner" style="background-position: no-repeat no-repeat;"><INPUT checked="checked" class="x-form-checkbox x-form-field" name="ext-comp-6398" style="font-family: tahoma, arial, helvetica, sans-serif; font-size: 12px;" tabindex="141" type="checkbox" /><P></P><P class="x-form-cb-indentDiv" style="margin: 0 0 0 21px;"><LABEL class="x-form-cb-label" for="ext-comp-6398" style="padding: 0 3px 0 0;">Log at Session End</LABEL></P></DIV></DIV></DIV></DIV></TD></TR></TBODY></TABLE><P></P><P>Jo Christian</P></BODY></HTML> Tue, 15 Oct 2013 12:48:28 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-create-a-blacklist-with-certain-ip-sources/m-p/48736#M35889 jochristian 2013-10-15T12:48:28Z https://live.paloaltonetworks.com/t5/general-topics/how-to-create-a-blacklist-with-certain-ip-sources/m-p/48737#M35890 <HTML><HEAD></HEAD><BODY><P>There are several approaches you could choose from:</P><P>- The simplest approach would be to create a security rule higher in your rulebase (eg. test_rule) and list every attacking IP in the source address field of the rule 'test_rule'. To prevent traffic matching this rule from generating any logs, click on the rule&gt;Actions&gt;Log settings. Ensure that both "Log at session start" and "log at session end" are unchecked. Next, ensure that "Log Forwarding" profile is set to "None".</P><P></P><P>However, if you would like to use some sort of automation or external source to populate this list of source IPs, then you can look into creating the source IP address object using the PAN OS 5.0 features called "Dynamic Block List" or "Dynamic Address Objects".</P><P>Some references:</P><P><A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-4121">https://live.paloaltonetworks.com/docs/DOC-4121</A></P><P><A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-5850">https://live.paloaltonetworks.com/docs/DOC-5850</A></P><P><A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-4724">https://live.paloaltonetworks.com/docs/DOC-4724</A></P><P><A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-4118">https://live.paloaltonetworks.com/docs/DOC-4118</A>&nbsp; (Pg 241-242)</P></BODY></HTML> Tue, 15 Oct 2013 13:01:24 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-create-a-blacklist-with-certain-ip-sources/m-p/48737#M35890 goku123 2013-10-15T13:01:24Z https://live.paloaltonetworks.com/t5/general-topics/how-to-create-a-blacklist-with-certain-ip-sources/m-p/48738#M35891 <HTML><HEAD></HEAD><BODY><P>Hi Jo</P><P></P><P>The rule is my deny-all rule and I want to create another rule before it disabling the logging only for these attacking Ips. </P><P></P><P>Gonzalo</P></BODY></HTML> Fri, 18 Oct 2013 09:23:20 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-create-a-blacklist-with-certain-ip-sources/m-p/48738#M35891 SOC_CSG 2013-10-18T09:23:20Z