Blocking darknet hits

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Blocking darknet hits

L0 Member

Is it possible to implement a darknet on PAN OS 4.1?  I have a number of publically addressable subnets that aren't in use and I'd like to block all traffic, for some period of time, from Internet-based hosts who hit those subnets.  I currently have rules in place to drop traffic to those subnets, but I'd like to take the additional action of blocking all other traffic from hosts that attempt to access those subnets.

3 REPLIES 3

L6 Presenter

Im not sure I understand what you are requesting.

In order to block traffic from passing through your PA device you setup one (or more) security rules that will drop this traffic. If you dont care to know when its blocked you can disable logging for these security rules.

Otherwise, or in combination, you can use null routing in your internet router which I assume your PA is connected to (or for that matter use an ACL in your internet router aswell to tripple the "protection" on where traffic to/from these particular hosts are being dropped).

I'll try and clarify:

If an Internet-based host sends any kind of traffic to my dark/unused subnets, then I want to block all of their traffic for 10 minutes, even if their traffic is going to legitimate subnets on my network.

My addresses are publically routable, but as an example let's say I own 172.16.0.0/16.

Let's say that 172.16.1.0/24 isn't in use, but 172.16.2.0/24 is.

If 5.6.7.8 attempts to scan 172.16.1.0/24 then I want to block all of his traffic, including any attempts to communicate with anything on 172.16.2.0/24.  Host 5.6.7.8 has indicated that he is doing "bad things" because he is attempting to communicate with a subnet that isn't even in use.  Therefore any further network traffic from him should be considered suspect and I would like to drop all of his traffic for the next 10 minutes.

It would seem that it might be possible with Zone Protection or DoS protection, but since I new to PA I'm still learning how it works.

As far as I know, the Zone Protection can have an action of Block-IP

—This action blocks traffic from either a source or a source-destination pair

(configurable) for a specified period of time. This action is available for spyware phone

home profiles, custom vulnerability protection profiles, zone protection profiles, and DoS

protection rules.

Please note that this is for Profiles.. as if in Threats and AV.. if they "match" and DoS settings is if they are attempting to repeat a function,

but we do not have anything in place to block for a certain time if they access IP x.x.x.x.

This functionality would be considered a "Feature Request" and all Feature Requests go through your local SE.

I recommend that you look through the Admin Guides and search for "Block-IP" for the partial functions that you require.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!
  • 2500 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!