topic Re: Can Pan-os take action base on rules, condition or report? in General Topics

Can Pan-os take action base on rules, condition or report?

tonyle — Fri, 23 Nov 2018 12:09:26 GMT

Hi.

I have a question about a scenario. Can Pan-OS/Firewall detected a infected host/client pc and take the following action.

Blocking internett access from the infected hosts/client pc and move the infected host to a another security zone?

Just move the infected host to a "security" zone that don't have access to internet?

Re: Can Pan-os take action base on rules, condition or report?

reaper — Fri, 23 Nov 2018 12:30:52 GMT

Hi @tonyle

No, not directly (not like 802.1X)

Any infected connections will be blocked but other connections will be allowed to pass through

There are a few workarounds to this need: you could set up log forwarding and trigger syslog messages when an infection is blocked, on the syslog server you could trigger API calls that add the hosts' IP to a dynamic block list or use some other mechanism to feed an external dynamic list

Re: Can Pan-os take action base on rules, condition or report?

Remo — Sat, 24 Nov 2018 16:00:05 GMT

Hi @tonyle

With built in actions in log forwarding profiles you can add tags to IPs that are "infected". The definition of "infected" you need to build with a log filter (like hosts that download malware or hosts that connect to C&C servers ...). After that you need to create a dynamic address group based on the tag that you automatically add to IPs that match your filter and this dynamic address group you can then reference in a security policy that blocks the internet access.