Brute Force Signatures

Showing results for 
Search instead for 
Did you mean: 

Brute Force Signatures

Not applicable

hi : In regard to Brute Force Vulnerability Signatures 40015 (ssh) and 40021 (rdp) :

Why is there not a way to permanently block an IP number that exceeds the configured  Number of Hits per time period? Is this possibly in the works fro a future release?


L3 Networker

Currently there is no way to automatically block IPs permanently using brute force signatures.  There is a user-configurable black-hole timeout value, with a maximum of 1 hour.  However, you can list the current black hole IPs through the CLI and periodically add repeat offenders to a policy that permanently blocks those addresses. 

hi tettema

where can i find the black-hole configuration?  or is it only from CLI?  I'm using the latest PAN-OS 4.1.0 on a PA2020...  and I get tons of brute-force attempts on various servers behind the PA2020...  oh, my PA2020 is running in transparent (vwire) mode....


- ron

Hi Ron,

Select the brute force signature(s) you're interested in the Exceptions tab, and choose the action "block-ip".  Then a pop-up will appear asking you how long you want to block the IP.

thanks!  it seems to work well...  🙂

what i did was clone the "strict" policy and added the exceptions and set them to "block-ip" for 3600 (1 hour)...  i assume that the rest of the "strict" policy still applies but the exceptions would take over when they are met?

i mean, like if the brute-force RDP is seen, it would block-ip instead of just "drop-all=packets"...  but if the PA2020 sees a remote stack overflow, it would still "drop-all-packets"...


- ron

hi : Thanks for the information. What is the CLI command that shows the current temporary blackholes.

show dos-protection zone [zone] blocked source

Yes, actions specified per signature in the exceptions tab override actions specified in rules that contain that same signature.


it seems block-ip doesn't work for SMB or FTP attacks...  when PA detects the brute-force attack, it shows "block-ip" but the attacks continue almost endlessly until i block it on the router (before PA)...

is there any workaround for this?



When you configure the block-ip action for a brute force signature, you can specify a time span for the block, which currently goes up to 1 hour.  You should not see successful attempts from the sampe IP against the same IP that occur inside of the time you've specified for the block-ip action.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!