How to block people who are trying to exploit vulnerabilities for a period of time

Not applicable

Hello everyone,

Our PAs are using the threat prevention system, which drops traffic that is trying to exploit vulnerabilities, do DoS attacks etc.

All works very nice - but it's only affecting the attempt on an individual basis.

F. ex. - someone performs a "DNS ANY Queries Brute Force DOS Attack" and gets blocked. But then the same source retries shortly after. And again and again.

I'm looking for a way to automatically block the source IP for a period of time.

Say that source IP 119.147.138.171 gets caught trying to do a "DNS ANY Queries Brute Force DOS Attack". If the source IP does this a number of times - then this IP should be completely blocked for a prolonged period of time - f. ex. 24h.

Now the big question is - how do we do that?

Br

Jørgen

L6 Presenter

I guess the short answer is: contact your Sales Engineer to file this as a feature request.

PA has today two methods to deal with annoying clients (over time): zone protection and DoS protection (unfortunately none of them can today be used as you requested, as far as I know).

Check out for more information.

L4 Transporter

You can indeed do this. In PAN-OS 4.0, a new action called block-ip was introduced. You can block based on source IP or source and destination IP pair. You can use this action in the vulnerability protection profile > Exceptions, find the signature and change the action to block-ip. Set the time from 1-3600 seconds.

On the zone protection profile, you can also use the block-ip action associated with the reconnaissance protection for port scans and host sweeps.
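The block-ip action described above runs for at most 3600 seconds per trigger, while the question asks for a prolonged block once a source has tripped the same signature several times. As an added illustration (not from this thread and not Palo Alto Networks' own code), the Python script below tallies repeat offenders from constructed threat-log records and produces a plain-text block list with a 24h expiry; the CSV column layout, the 10.0.0.5 address and the timestamps are assumptions, and publishing the resulting file as an external IP list for the firewall to fetch is the assumed delivery path.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y/%m/%d %H:%M:%S"
# Constructed sample records (receive time, source IP, threat name, action).
# The column layout is an assumption for this illustration, not the
# firewall's real threat-log export format.
SAMPLE_LOG = """\
2013/03/05 10:00:01,119.147.138.171,DNS ANY Queries Brute Force DOS Attack,drop
2013/03/05 10:01:12,119.147.138.171,DNS ANY Queries Brute Force DOS Attack,drop
2013/03/05 10:03:40,10.0.0.5,DNS ANY Queries Brute Force DOS Attack,drop
2013/03/05 10:04:02,119.147.138.171,DNS ANY Queries Brute Force DOS Attack,drop
2013/03/05 10:05:55,10.0.0.5,Some Other Signature,alert
"""

THRESHOLD = 3                    # same signature from one source this many times
WINDOW = timedelta(hours=1)      # ...within this sliding window...
BLOCK_FOR = timedelta(hours=24)  # ...earns a block of this length

def ts(s):
    return datetime.strptime(s, FMT)

def parse_log(text):
    """Return (time, src_ip, threat_name) tuples from the CSV text."""
    return [(ts(r[0]), r[1], r[2]) for r in csv.reader(io.StringIO(text)) if r]

def repeat_offenders(rows, threshold=THRESHOLD, window=WINDOW):
    """Map src_ip -> time it crossed the threshold for some single signature."""
    recent = defaultdict(list)   # (src, threat) -> hit times inside the window
    offenders = {}
    for when, src, threat in sorted(rows):
        hits = recent[(src, threat)]
        hits.append(when)
        while when - hits[0] > window:   # expire hits older than the window
            hits.pop(0)
        if len(hits) >= threshold and src not in offenders:
            offenders[src] = when
    return offenders

def block_list(offenders, now, block_for=BLOCK_FOR):
    """IPs whose block has not yet expired; joined one per line this is the
    plain-text form a firewall can fetch as an external IP block list."""
    return sorted(ip for ip, t in offenders.items() if now < t + block_for)
```

Re-run the script on a schedule against fresh threat logs and republish the list; entries drop off by themselves once their 24h window has passed.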

*doh* forgot about that one 🙂

When block-ip is activated, will each attempt from the blocked client still be logged (or if the PA box will no longer log the client attempts - can one override it so it will)?

Spot on - thanks a lot 🙂

Br

Jørgen
