https://live.paloaltonetworks.com/t5/general-topics/automatic-attack-block/m-p/150843#M50030 <P>I'll see if I can find this....</P> Mon, 03 Apr 2017 13:03:07 GMT DPoppleton 2017-04-03T13:03:07Z https://live.paloaltonetworks.com/t5/general-topics/automatic-attack-block/m-p/150587#M49982 <P>Occaisionally we get an attack from a single IP to one of our external servers where the attacker tries a whole bunch of known exploits. Is there anything like a "Zone Protection" for this type of attack? I'm looking for something where an external bad actor gets blacklisted for a period of time after it tries a number of expolits.</P> Fri, 31 Mar 2017 14:55:28 GMT https://live.paloaltonetworks.com/t5/general-topics/automatic-attack-block/m-p/150587#M49982 DPoppleton 2017-03-31T14:55:28Z https://live.paloaltonetworks.com/t5/general-topics/automatic-attack-block/m-p/150605#M49984 <P>there may be a more direct, better way, but what immediately comes to mind to me is if you have a threat prevention license and these are actual CVEs already known by PA, you can configure the vulnerability protection profile to have an action of Block IP which will shun the offending IP for up to an hour.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Capture.JPG" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/8587i091357CCEF6B5536/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Capture.JPG" alt="Capture.JPG" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 31 Mar 2017 15:37:04 GMT https://live.paloaltonetworks.com/t5/general-topics/automatic-attack-block/m-p/150605#M49984 bradk14 2017-03-31T15:37:04Z https://live.paloaltonetworks.com/t5/general-topics/automatic-attack-block/m-p/150608#M49986 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/48237">@DPoppleton</a>,</P> <P>&nbsp;</P> <P>I think you need DoS protection ?</P> <P>&nbsp;</P> <P><SPAN>A classified DOS protection profile allows the creation of a threshold that applies to a single source IP.</SPAN></P> <P>For example, a max session rate per IP can be created for all traffic matching the policy, then block that single IP address once the threshold is triggered for a certain amount of time which is configurable.</P> <P>&nbsp;</P> <P><A href="https://live.paloaltonetworks.com/t5/Featured-Articles/How-to-Set-Up-DoS-Protection/ta-p/71164" target="_blank">https://live.paloaltonetworks.com/t5/Featured-Articles/How-to-Set-Up-DoS-Protection/ta-p/71164</A></P> <P>&nbsp;</P> <P>Hope it helps !</P> <P>-Kiwi</P> <P>&nbsp;</P> Fri, 31 Mar 2017 15:48:12 GMT https://live.paloaltonetworks.com/t5/general-topics/automatic-attack-block/m-p/150608#M49986 kiwi 2017-03-31T15:48:12Z https://live.paloaltonetworks.com/t5/general-topics/automatic-attack-block/m-p/150842#M50029 <P>These attackers don't hit at a high rate, they just run through known vulnerabilities, most of which the Palo sees and blocks.&nbsp; I would like a feature where if there are 5 hits against one IP of the known vulnerabilties then block all traffic for 1/2 an hour or so.</P><P>&nbsp;</P><P>I'm thinking this might be a feature request.</P> Mon, 03 Apr 2017 13:01:50 GMT https://live.paloaltonetworks.com/t5/general-topics/automatic-attack-block/m-p/150842#M50029 DPoppleton 2017-04-03T13:01:50Z https://live.paloaltonetworks.com/t5/general-topics/automatic-attack-block/m-p/150843#M50030 <P>I'll see if I can find this....</P> Mon, 03 Apr 2017 13:03:07 GMT https://live.paloaltonetworks.com/t5/general-topics/automatic-attack-block/m-p/150843#M50030 DPoppleton 2017-04-03T13:03:07Z