How can I see what is being blocked?

Reply
L2 Linker

How can I see what is being blocked?

Hello, I am new to Palo Alto... Which report will show what is being blocked? Do I create a Custom Report for that? I am really just interested in seeing what Palo Alto is blocking at this point. We just put it into service last Friday as strickly a Threat prevention/ anti-malware device for now and would like to show the boss - whom I had to convince to buy this - that we are blocking what we said we'd block.

Thanks in advance!

Tags (1)
L4 Transporter

Re: How can I see what is being blocked?

There are basic reports under the monitor tab that run every night around 2 to 4 AM.

You can also create custom reports and have them emailed to you daily.

I would look under the Threat Reports for what you are interested in.

L2 Linker

Re: How can I see what is being blocked?

Take a look at  Monitor/traffic reports     Denied Sources, Denied Destination, unknownTCP, UDP sessions

Hope it helps.

Leo

Not applicable

Re: How can I see what is being blocked?

You wanted to know how to log traffic that is denied. The default deny policy for zone to zone does not log those sessions that are denied by the default denies.

To log this traffic all you need to do is create an any to any default deny or create explicit zone to zone deny policies.

This policy must be place at the bottom of all your policies.

L6 Presenter

Re: How can I see what is being blocked?

by default PAN firewalls don't log the traffic that is blocked by the implied block rule (remember that there is an implied block rule at the bottom of your security policy).

if you want to log "all the rest of the traffc" (ie. traffic that isn't blocked by an existing rule) then you would need to add an explicit block rule to log the blocks that are, by default, done as part of the implied rule.

a rule with the characteristics listed below could be placed at the bottom of your policy list and that would do the trick:

src zone: trust 

dst zone: untrust

src address: any

src user: any

dest addr: any

application: any

service: any

action : deny

profile: none

options: default

this should cause the PAN device to log all the dropped traffic so that you can demonstrate everything that is being blocked to your boss.

reports depend upon logs for their creation. You can see how the implied block rule (which doesn't create logs) would not create the log data that

biggest caveat with an explicit global block rule is that if you choose any/any for the src and dst zones you will cause some undesirable behavior. So make sure to explicitly choose zones on this type of rule. and test in a lab before you do anything in production =)

L2 Linker

Re: How can I see what is being blocked?

Rats - I knew I should have asked for a test box too. I got them to buy 2 HA pairs for production. Get this, my bosses boss, who was the biggest roadblock because Palo Alto doesn't have a Cisco sign above the door like IronPort does, topped the very first Spyware report on day one!

That's poetic justice.

Thanks all for the good answers.

L2 Linker

Re: How can I see what is being blocked?

Thanks...

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!