11-23-2018 04:09 AM
Hi.
I have a question about a scenario. Can PAN-OS/the firewall detect an infected host/client PC and take the following action:
Block internet access from the infected host/client PC and move the infected host to another security zone?
OR
Just move the infected host to a "security" zone that doesn't have access to the internet?
11-23-2018 04:30 AM
Hi @tonyle
No, not directly (not like 802.1X)
Any infected connections will be blocked but other connections will be allowed to pass through
There are a few workarounds to this need: you could set up log forwarding and trigger syslog messages when an infection is blocked. On the syslog server you could trigger API calls that add the host's IP to a dynamic block list, or use some other mechanism to feed an external dynamic list.
11-24-2018 08:00 AM
Hi @tonyle
With built-in actions in log forwarding profiles you can add tags to IPs that are "infected". The definition of "infected" you need to build with a log filter (like hosts that download malware or hosts that connect to C&C servers ...). After that you need to create a dynamic address group based on the tag that you automatically add to IPs that match your filter, and this dynamic address group you can then reference in a security policy that blocks the internet access.
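The two answers describe the same pipeline from opposite ends: a log filter that defines "infected", a tag registered against the offending source IP, and a dynamic address group (DAG) that a deny rule references. The script below is an added example written for this thread; it is not code from Palo Alto Networks or from either poster. It shows the syslog-server side of the first answer: threat-log lines are filtered with an assumed definition of "infected" (malware subtypes, or high/critical spyware hits, which is where C2 detections land), and the matching source IPs are turned into the `<uid-message>` register payload that the PAN-OS XML API accepts with `type=user-id`. The log lines are constructed sample data in an assumed `key=value` custom log format, not the default PAN-OS CSV threat format; the tag name `infected`, the severity threshold and the firewall hostname are assumptions you would adapt. Only `send_register` touches the network, and it is not exercised offline.

```python
"""Added example: derive DAG tag registrations from firewall threat logs.

Not Palo Alto Networks' code. Assumes a custom key=value log format on the
log forwarding profile and the documented PAN-OS XML API user-id register
message; the 'infected' filter below is an assumed policy, tune it locally.
"""
import shlex
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample threat-log lines (assumed key=value custom log format).
SAMPLE_LOGS = [
    'subtype=wildfire-virus src=10.1.1.20 dst=203.0.113.9 severity=critical action=drop threat="Virus/Win32.WGeneric"',
    'subtype=vulnerability src=10.1.1.21 dst=203.0.113.10 severity=low action=alert threat="HTTP Scan"',
    'subtype=spyware src=10.1.1.22 dst=198.51.100.5 severity=critical action=reset-both threat="Command and Control"',
    'subtype=spyware src=10.1.1.23 dst=198.51.100.6 severity=low action=alert threat="Adware"',
    'subtype=virus src=10.1.1.20 dst=203.0.113.11 severity=medium action=drop threat="Trojan/Generic"',
]

# Assumed definition of "infected": a malware download, or a high-severity
# spyware (C2) detection. Mirrors what a log filter on the firewall would do.
MALWARE_SUBTYPES = {"virus", "wildfire-virus"}
C2_SEVERITIES = {"critical", "high"}
TAG_NAME = "infected"  # assumed tag; the DAG match condition references it


def parse_kv(line):
    """Split one key=value log line into a dict; shlex keeps quoted values intact."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def is_infected(rec):
    """Apply the assumed 'infected' filter to one parsed log record."""
    sub = rec.get("subtype")
    if sub in MALWARE_SUBTYPES:
        return True
    return sub == "spyware" and rec.get("severity") in C2_SEVERITIES


def infected_hosts(lines):
    """Return the sorted, de-duplicated source IPs that match the filter."""
    hosts = set()
    for line in lines:
        rec = parse_kv(line)
        if "src" in rec and is_infected(rec):
            hosts.add(rec["src"])
    return sorted(hosts)


def build_register_payload(ips, tag=TAG_NAME):
    """Build the <uid-message> that registers `tag` against each IP."""
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "type").text = "update"
    register = ET.SubElement(ET.SubElement(msg, "payload"), "register")
    for ip in ips:
        entry = ET.SubElement(register, "entry", ip=ip)
        ET.SubElement(ET.SubElement(entry, "tag"), "member").text = tag
    return ET.tostring(msg, encoding="unicode")


def registered_entries(payload_xml):
    """Parse a register payload back into (ip, tag) pairs, to verify what was built."""
    root = ET.fromstring(payload_xml)
    return [(e.get("ip"), e.findtext("tag/member"))
            for e in root.findall("payload/register/entry")]


def send_register(firewall_host, api_key, payload_xml):
    """POST the payload to the PAN-OS XML API (type=user-id). Network call, TLS verified."""
    body = urllib.parse.urlencode(
        {"type": "user-id", "key": api_key, "cmd": payload_xml}).encode()
    req = urllib.request.Request(f"https://{firewall_host}/api/", data=body)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    ips = infected_hosts(SAMPLE_LOGS)
    print("would register:", ips)
    print(build_register_payload(ips))
    # send_register("fw.example.invalid", "API_KEY_PLACEHOLDER", build_register_payload(ips))
```

The firewall side is unchanged from the second answer: a DAG whose match condition is the `infected` tag, referenced by a deny rule placed above the general internet-access rule. Registered IPs stay tagged until they are unregistered (a mirror-image `<unregister>` payload), so pair this with a clean-up step once the host is remediated.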