12-08-2011 08:19 AM
hi : In regard to Brute Force Vulnerability Signatures 40015 (ssh) and 40021 (rdp) :
Why is there not a way to permanently block an IP number that exceeds the configured Number of Hits per time period? Is this possibly in the works for a future release?
12-08-2011 02:54 PM
Currently there is no way to automatically block IPs permanently using brute force signatures. There is a user-configurable black-hole timeout value, with a maximum of 1 hour. However, you can list the current black hole IPs through the CLI and periodically add repeat offenders to a policy that permanently blocks those addresses.
12-12-2011 06:14 PM
hi tettema
where can i find the black-hole configuration? or is it only from CLI? I'm using the latest PAN-OS 4.1.0 on a PA2020... and I get tons of brute-force attempts on various servers behind the PA2020... oh, my PA2020 is running in transparent (vwire) mode....
thanks!
- ron
12-12-2011 06:18 PM
Hi Ron,
Select the brute force signature(s) you're interested in the Exceptions tab, and choose the action "block-ip". Then a pop-up will appear asking you how long you want to block the IP.
12-14-2011 02:11 AM
thanks! it seems to work well... 🙂
what i did was clone the "strict" policy and added the exceptions and set them to "block-ip" for 3600 (1 hour)... i assume that the rest of the "strict" policy still applies but the exceptions would take over when they are met?
i mean, like if the brute-force RDP is seen, it would block-ip instead of just "drop-all-packets"... but if the PA2020 sees a remote stack overflow, it would still "drop-all-packets"...
rgds,
- ron
12-14-2011 10:45 AM
hi : Thanks for the information. What is the CLI command that shows the current temporary blackholes?
12-14-2011 11:01 AM
show dos-protection zone [zone] blocked source
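The earlier reply suggested listing the current black-hole IPs via the CLI and periodically adding repeat offenders to a permanent block policy. The script below is an added example (not from this thread, and not Palo Alto Networks code) of the bookkeeping that turns periodic captures of that command's output into a repeat-offender list. Its snapshot format is constructed for illustration and is assumed to resemble, not reproduce, the real output of `show dos-protection zone <zone> blocked source`; the 3600-second block duration is the value configured in this thread. Because a block-ip entry can be seen in several consecutive captures, it infers the block start time from the remaining seconds so that one block counted once, however many times it is observed, and only a fresh block on the same address counts as a new offense.

```python
"""Count distinct block-ip events per source address across periodic
captures of a firewall's temporary block list.

Added example. The snapshot format is CONSTRUCTED for illustration; adapt
parse_blocked_sources() to the real output of your PAN-OS version.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

BLOCK_SECONDS = 3600  # block-ip duration used in the thread (assumed here)

# Constructed captures: (capture time, assumed CLI output).
# Columns: source IP, reason, seconds remaining on the block.
SNAPSHOTS = [
    ("2011-12-14T11:00:00", """\
Source           Reason                     Remaining(s)
203.0.113.7      threat-exception 40015     3412
198.51.100.25    threat-exception 40021     120
"""),
    ("2011-12-14T13:00:00", """\
Source           Reason                     Remaining(s)
203.0.113.7      threat-exception 40015     3590
192.0.2.99       threat-exception 40021     2200
"""),
    ("2011-12-14T15:00:00", """\
Source           Reason                     Remaining(s)
203.0.113.7      threat-exception 40015     3001
198.51.100.25    threat-exception 40021     3550
"""),
    # Half an hour later: 203.0.113.7 is still inside the same block as at 15:00,
    # so this sighting must not be counted as a new offense.
    ("2011-12-14T15:30:00", """\
Source           Reason                     Remaining(s)
203.0.113.7      threat-exception 40015     1201
"""),
]

# ip, free-text reason, trailing integer (remaining seconds)
LINE_RE = re.compile(r"^(\S+)\s+(.+?)\s+(\d+)\s*$")


def parse_blocked_sources(text):
    """Return [(ip, reason, remaining_seconds)] from one capture.

    Header, blank and malformed lines are skipped; the first column must
    parse as an IP address so a stray header row is never mistaken for data.
    """
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ip, reason, remaining = m.groups()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        entries.append((ip, reason, int(remaining)))
    return entries


def block_events(snapshots, block_seconds=BLOCK_SECONDS, tolerance_seconds=60):
    """Map ip -> sorted list of distinct block start times.

    start = capture_time - (block_seconds - remaining). Two sightings whose
    inferred starts fall within tolerance_seconds are the same block.
    """
    starts = defaultdict(list)
    for ts_str, text in snapshots:
        ts = datetime.fromisoformat(ts_str)
        for ip, _reason, remaining in parse_blocked_sources(text):
            start = ts - timedelta(seconds=block_seconds - remaining)
            if any(abs((start - s).total_seconds()) <= tolerance_seconds
                   for s in starts[ip]):
                continue  # same block observed again, not a new offense
            starts[ip].append(start)
    return {ip: sorted(v) for ip, v in starts.items()}


def repeat_offenders(snapshots, min_events=2, **kwargs):
    """[(ip, event_count)] for addresses blocked at least min_events times,
    most frequent first; these are candidates for a permanent block policy."""
    events = block_events(snapshots, **kwargs)
    hits = [(ip, len(s)) for ip, s in events.items() if len(s) >= min_events]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for ip, count in repeat_offenders(SNAPSHOTS):
        print(f"{ip}\tblocked {count} times -> candidate for permanent block")
```

Run the script periodically (for example from cron, with each capture appended to the snapshot list) and review the output before adding addresses to a deny rule; with the tolerance logic, capturing more often than the block duration does not inflate the counts.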
12-14-2011 11:15 AM
Yes, actions specified per signature in the exceptions tab override actions specified in rules that contain that same signature.
12-29-2011 05:20 PM
hi
it seems block-ip doesn't work for SMB or FTP attacks... when PA detects the brute-force attack, it shows "block-ip" but the attacks continue almost endlessly until i block it on the router (before PA)...
is there any workaround for this?
thanks!
ronald
01-03-2012 10:50 AM
When you configure the block-ip action for a brute force signature, you can specify a time span for the block, which currently goes up to 1 hour. You should not see successful attempts from the same IP against the same IP that occur inside of the time you've specified for the block-ip action.