is it safe to raise "action" to block?

L2 Linker

hi

i noticed that in some "critical", "high" and "medium" severity vulnerabilities, the default action is just "alert"... especially those brute-force attempts.

at the moment, our system is set for default to take care of these.  however, i remember a thread here advising to set the action to "block" for medium severity on the server side vulnerabilities...  is it safe to set action to "block" for "critical", "high" and "medium" severity for server side?  will this break applications?

thanks!

rgds,

- ron

7 REPLIES

L4 Transporter

Ronaldgoh wrote:

hi

i noticed that in some "critical", "high" and "medium" severity vulnerabilities, the default action is just "alert"... especially those brute-force attempts.

at the moment, our system is set for default to take care of these.  however, i remember a thread here advising to set the action to "block" for medium severity on the server side vulnerabilities...  is it safe to set action to "block" for "critical", "high" and "medium" severity for server side?  will this break applications?

thanks!

rgds,

- ron

If you raise your level to "block" and the threat is detected the firewall will, as the name suggests, block the traffic from transiting.

Now, if you're 100% sure the threats being detected are valid, then I suggest you might want to block them.

If, however, you're worried about false positives - then don't. The block action may well break something, especially if it triggers a positive threat detection when it's not really a threat.

"Alert" is good if you have time to sit and watch threat logs, and can get on top of reported threats immediately - if you're like most people and DON'T have this time, then block is a good option. Depends how paranoid you are, and how critical potentially blocking a valid action might be.

Cheers

Hi! I just checked and it doesn't seem to be possible to export this list of vulnerabilities and default actions when you go to Objects > Antivirus, Anti-spyware and Vulnerability Protection and then choose New - Custom.

Where is the list available in printable format?

Your quick answer would be much appreciated.

Regards.

Hi,

In 4.0 you can view all the signatures along with their default actions by creating or opening a profile, and clicking "custom".  From there you can page through all the signatures and see their default actions.  Similarly, in 4.1, you'll have the same capability in the Exceptions tab.

While this can get you the data you're looking for, it is still page-by-page, and not readily printable.  However, we do have a feature coming down the pipeline that will allow you to perform a CSV export of all signatures in a given profile.  You will be able to use this feature with a wildcard profile to get the report you're looking for.

Hi,

Also, there are some companies which prefer to have very strict security and they will choose block as the action. On the other hand, if service availability is much more important, you had better choose medium and review specific signatures on and off.

L1 Bithead

While this can get you the data you're looking for, it is still page-by-page, and not readily printable.  However, we do have a feature coming down the pipeline that will allow you to perform a CSV export of all signatures in a given profile.  You will be able to use this feature with a wildcard profile to get the report you're looking for.

Hi!

Can you please advise in which version the feature will be enabled to export the vulnerability information in CSV?

Regards.

L2 Linker

I've raised action to block for a lot of the brute-force attacks... and the status on the monitor shows "drop-all-packets"... but the attacks kept continuing...  is there a setting to stop the connection for 10 minutes or more?

even though the packets are dropped (according to PA monitor), the attackers seem to just continue with the brute force attacks on our systems...  it's quite irritating and i suspect eventually they might be able to get through...

wish PA can change the way it responds to brute force threats...

- ron

Hi,

Yes, for brute-force attacks we can have a time-based block-IP as the action.

Go to Objects -> Vulnerability profiles -> choose Custom and click on the small "pencil" icon of the brute-force signature to configure it.
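Before flipping a signature from "alert" to "block", the hits it already produced in alert mode can be triaged the way the first reply suggests (are they clearly valid, or spread across many internal hosts and so false-positive prone?) and checked for the brute-force shape ron describes, where a time-based block-IP fits better than dropping packets. This is an added example, not code from the thread or from Palo Alto Networks; the log layout, threat IDs and addresses are constructed and no real PAN-OS field order is assumed.

```python
"""Triage threat-log records captured under "alert" before raising a signature's
action to "block". Added example, not from the thread or from Palo Alto Networks.
The record layout (time,threat-id,severity,action,src,dst) and every value below
are constructed; no real PAN-OS log field order or threat ID is assumed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: sig-A is a login-guessing pattern from two outside addresses
# against one server; sig-B trips on ordinary traffic between many internal hosts.
SAMPLE_LOG = """\
2011-05-01T10:00:01,sig-A,high,alert,203.0.113.7,192.0.2.10
2011-05-01T10:00:02,sig-A,high,alert,203.0.113.7,192.0.2.10
2011-05-01T10:00:03,sig-A,high,alert,203.0.113.7,192.0.2.10
2011-05-01T10:00:04,sig-A,high,alert,198.51.100.9,192.0.2.10
2011-05-01T10:00:05,sig-A,high,alert,198.51.100.9,192.0.2.10
2011-05-01T10:01:00,sig-B,medium,alert,10.1.1.5,10.2.2.20
2011-05-01T10:01:10,sig-B,medium,alert,10.1.1.6,10.2.2.21
2011-05-01T10:01:20,sig-B,medium,alert,10.1.1.7,10.2.2.22
"""

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)

def summarize(log_text):
    """Per threat ID: hit count plus the distinct sources and destinations seen."""
    stats = defaultdict(lambda: {"hits": 0, "src": set(), "dst": set()})
    for line in filter(None, log_text.splitlines()):
        _ts, tid, _sev, _action, src, dst = line.split(",")
        stats[tid]["hits"] += 1
        stats[tid]["src"].add(src)
        stats[tid]["dst"].add(dst)
    return stats

def recommend(stats, min_repeats=2):
    """Suggest 'block-ip', 'block' or 'review' per threat ID. Repeated hits from a
    few outside sources are the brute-force shape in the thread: dropping packets
    lets the retries continue, so a time-based block-ip fits when they aim at one
    host. Hits spread across internal hosts are the false-positive risk to review."""
    out = {}
    for tid, s in stats.items():
        all_external = not any(is_internal(ip) for ip in s["src"])
        repeats = s["hits"] / len(s["src"])
        if all_external and repeats >= min_repeats:
            out[tid] = "block-ip" if len(s["dst"]) == 1 else "block"
        else:
            out[tid] = "review"
    return out
```

Run `recommend(summarize(SAMPLE_LOG))` to get the per-signature suggestion; the thresholds are starting points to tune against your own alert-mode history.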
