Automate Block IP

Announcements

ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.

Reply
Highlighted
L3 Networker

Automate Block IP

I know there is like brute-force category, where some may have it automatically block the IP for some duration.

I was wondering if there is a way to block IP for x duration if they were doing like a scan against your system, trying multiple vulnerabilities, sometimes the same ones, sometimes moving down the list depending the type of scan.

Like for example, bash vulnerability x5 attempts, I would like to auto ban this guy for 24 hours or something. But if they do it only 3 times, then try like http, cross scripting, ini files, etc, going down their list, how do I auto block those?

Obviously if they trigger like 5 of them in x time period, they are malicious.

Would DoS and Zone protection play into this somehow or something else?

Thanks.

Highlighted
L7 Applicator

Hi googol

You could combine zone and dos protection to protect against network based attacks, like host sweeps and port scans, with the more granular protection of a Vulnerability Protection profile where you can opt to block an ip for a duration based on the vulnerability category and severity:

2015-07-22_10-20-03.png

hope this helps

Tom

Tom Piens - PANgurus.com
New to PAN-OS or getting ready to take the PCNSE? check out amazon.com/dp/1789956374
Highlighted
L3 Networker

What I am hoping to do is not do it for any specific category, but if that IP did it using all different sorts of categories in lets say a 30 second span, I want that IP blocked.

I do not want it to be done just for one, or two, but obviously someone with malicious intent and scanning the system or trying something more than what they should be doing.

That way in case there is a false positive vulnerability, I am not accidentally blocking legitimate traffic coming from that IP or going to that IP. By having it pass some threshold of lets say 5 in 30 secs, there is less of a false positive chance and is mitigated.

Highlighted
L2 Linker

Hello, You might need a correlation logic, especially that you mentioned malicious behaviour on different layers (network, application), being able to investigate an extended time interval. Usually this correlation logic is implemented in a distinct product, SIEM like, with huge processing demand for running queries on logs and flows to get a security meaning from disparate events - the firewall's goal is mainly to prevent atomic attempts and the time-related features are compound signatures operating at application level, with session & transaction visibility, zone protection profiles and DoS protection profiles. There are rudiments of correlation logic in PANOS - Botnet report and the correlation objects recently introduced in 7.0, which are looking for indicators of compromise, but maybe it will be easier to rely on a SIEM product to correlate network and threat events during an extended timespan (how many network scans are passing under detection because they occur at large intervals - seconds) and to trigger blocking via scripting (dynamic groups or dynamic block lists used in firewall policies) - implementing the duration of temporary blocking might be a challenge too. Sorry for not providing an opinion with more practical value.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!