This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Automatic email alerts: Sinkhole and security policies

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Automatic email alerts: Sinkhole and security policies

ash83
L2 Linker

‎05-16-2019 03:02 AM

Hi Community,

 

This query is for PAN-OS v8.1.X

 

I am trying to generate an email alert when the firewall sees an (action eq sinkhole) event or when the security policy created to sinkhole an infected host is used. Email Profile(s) have already configured and so has Sinkhole.

 

What is the best way to configure both, the email alert for the (action eq sinkhole) or any other Log-Threat entry, and also, when a specific security policy is used?

 

Lastly, is it possible to generate a dynamic object including source IPs that have already been blocked by the firewall after detecting a vulnerability? The idea is to block access to IPs that already attempted an attack and were blocked by the firewall in the past.

 

panw-highrisk-ip-list and panw-known-ip-list do not seem to be very effective as only one IP: 80.211.52.246 has been detected in almost 5 days.

 

Thanks.

Ho

 

0 Likes Likes
1 REPLY 1

BPry
Cyber Elite
Cyber Elite

‎05-16-2019 01:53 PM

@ash83,

For alerting you would really want to build out a Log Setting profile. This will allow you to setup the filter that you want and then specify the actions you wish to take when the firewall sees anything matching your filter. Documentation can be found HERE.

You could also setup an additional Log Forwarding profile if you want to alert on security policy activity. You can get pretty detailed here about when and how you want to be alerted, and what should actually trigger an alert. That documentation can be found HERE.

 

There's a few ways you can do that last question. You could utilize a Vulnerability Protection Profile specific to external connections and set the Action to "Block IP" and specify your desired duration ( up-to 3600 seconds) to prevent continual requests from the same address in quick succession. You could also utilize something like MineMeld to build an EDL based off  of the alerts the firewall generates. More powerful SIEMs such as Splunk can also incorporate these logs and the MineMeld API to automatically feed indicators into MineMeld based off of the firewall logs for you without manual entry. 

 

 

0 Likes Likes
  • 3354 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks