topic How can I see what is being blocked? in General Topics

How can I see what is being blocked?

CWillms — Mon, 30 Aug 2010 18:14:52 GMT

Hello, I am new to Palo Alto... Which report will show what is being blocked? Do I create a Custom Report for that? I am really just interested in seeing what Palo Alto is blocking at this point. We just put it into service last Friday as strickly a Threat prevention/ anti-malware device for now and would like to show the boss - whom I had to convince to buy this - that we are blocking what we said we'd block.

Thanks in advance!

Re: How can I see what is being blocked?

mharding — Mon, 30 Aug 2010 18:41:00 GMT

There are basic reports under the monitor tab that run every night around 2 to 4 AM.

You can also create custom reports and have them emailed to you daily.

I would look under the Threat Reports for what you are interested in.

Re: How can I see what is being blocked?

leole — Tue, 31 Aug 2010 21:51:17 GMT

Take a look at Monitor/traffic reports Denied Sources, Denied Destination, unknownTCP, UDP sessions

Hope it helps.

Leo

Re: How can I see what is being blocked?

mthomasson — Wed, 01 Sep 2010 00:21:28 GMT

You wanted to know how to log traffic that is denied. The default deny policy for zone to zone does not log those sessions that are denied by the default denies.

To log this traffic all you need to do is create an any to any default deny or create explicit zone to zone deny policies.

This policy must be place at the bottom of all your policies.

Re: How can I see what is being blocked?

bpappas — Wed, 01 Sep 2010 02:43:35 GMT

by default PAN firewalls don't log the traffic that is blocked by the implied block rule (remember that there is an implied block rule at the bottom of your security policy).

if you want to log "all the rest of the traffc" (ie. traffic that isn't blocked by an existing rule) then you would need to add an explicit block rule to log the blocks that are, by default, done as part of the implied rule.

a rule with the characteristics listed below could be placed at the bottom of your policy list and that would do the trick:

src zone: trust

dst zone: untrust

src address: any

src user: any

dest addr: any

application: any

service: any

action : deny

profile: none

options: default

this should cause the PAN device to log all the dropped traffic so that you can demonstrate everything that is being blocked to your boss.

reports depend upon logs for their creation. You can see how the implied block rule (which doesn't create logs) would not create the log data that

biggest caveat with an explicit global block rule is that if you choose any/any for the src and dst zones you will cause some undesirable behavior. So make sure to explicitly choose zones on this type of rule. and test in a lab before you do anything in production 😃

Re: How can I see what is being blocked?

CWillms — Sat, 04 Sep 2010 02:03:00 GMT

Rats - I knew I should have asked for a test box too. I got them to buy 2 HA pairs for production. Get this, my bosses boss, who was the biggest roadblock because Palo Alto doesn't have a Cisco sign above the door like IronPort does, topped the very first Spyware report on day one!

That's poetic justice.

Thanks all for the good answers.

Re: How can I see what is being blocked?

CWillms — Sat, 04 Sep 2010 02:05:06 GMT

Thanks...