Can the Palo Alto Firewall auto-quarantine users based on the number of violations they have made in a particular time?


L6 Presenter

Hello to All,

 

Can the Palo Alto Firewall auto-quarantine users based on the number of violations they have made in a particular time?

I know that Palo Alto can add users or IP addresses to a dynamic group using auto-tagging with tags (https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic-user-group... ), but when I tried to make a Log Filter for the Log Profile I did not see the exact options to say, for example, if a user does 5 threat violations in 60 seconds, then add the tag that matches the dynamic user group, which is then added to a blocking rule in the security policy.

 

Log-filter-bad-user.PNG

With Cortex XSOAR I know that this can be done using the SIEM logs, but I think there is a native firewall function to do this.

 

https://www.youtube.com/watch?v=X3YLLNv1kpg

2 accepted solutions

Accepted Solutions

Cyber Elite

This may work with profiles that are already time-bound, like brute-force ((category-of-threatid eq brute-force)), but tracking 'random' threats will require an external SIEM or XSOAR.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization


For brute-force protection, a custom combination signature with "number of hits" can also do the job by matching the parameters, but it seems that for violations it is better to use external automation. Still, nowadays many users are behind the same IP address, so it is better to do brute-force protection on dedicated WAF devices that fingerprint the source device than to use the NGFW firewall for this job.

I am at the moment doing that, but without an XSOAR solution, as it was not available.

I am trying the Splunk SIEM to trigger a bash script when a custom alert fires based on a user triggering too many violations within 60 seconds (https://docs.splunk.com/Documentation/SplunkCloud/latest/Alert/Configuringscriptedalerts). The script has an Ansible playbook in it and passes parameters to it, namely the users that need the good tag (to block them): http://api-lab.paloaltonetworks.com/registered-user.html 🙂

Edit:

Now I see that Ansible does not have a module for DUG (dynamic user group), just DAG (dynamic address group), so either I will have to use the Ansible URI module to script it, or the bash script can use curl in a for loop to send the bad users that need to be tagged. Probably no one decided to make an Ansible module for DUG, which is what it is.

 

https://ansible-pan.readthedocs.io/en/latest/modules/panos_dag_tags_module.html

 

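The two accepted answers agree on the split: the firewall's log-forwarding auto-tag fires on a single matching log, so the "N violations in 60 seconds" counting has to live outside the firewall (SIEM, XSOAR, or a script), which then registers the offending users with a tag that a dynamic user group and a blocking rule pick up. The following added example, which is not code from any of the posters or from Palo Alto Networks, shows both halves: a sliding-window counter over constructed threat-log records, and a builder for the User-ID registration payload. It assumes the `uid-message` / `register-user` XML format of the PAN-OS User-ID API (sent as `type=user-id` with the XML in `cmd`), that a `timeout` attribute on the tag member makes the quarantine expire on its own, and uses obvious placeholders for the firewall host and API key; the send helper is not called by default.

```python
"""Count threat events per user in a sliding window and build the
PAN-OS User-ID payload that tags the users who crossed the threshold.

Added example; the log records below are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample threat-log records: (receive time, source user).
SAMPLE_THREAT_LOGS = [
    ("2024-01-10 10:00:01", "corp\\alice"),
    ("2024-01-10 10:00:05", "corp\\alice"),
    ("2024-01-10 10:00:09", "corp\\bob"),
    ("2024-01-10 10:00:20", "corp\\alice"),
    ("2024-01-10 10:00:31", "corp\\alice"),
    ("2024-01-10 10:00:44", "corp\\alice"),   # alice's 5th hit inside 60 s
    ("2024-01-10 10:02:00", "corp\\bob"),
    ("2024-01-10 10:02:10", "corp\\bob"),
    ("2024-01-10 10:02:15", "corp\\bob"),
    ("2024-01-10 10:03:30", "corp\\bob"),     # >60 s later: bob's window slides, never reaches 5
    ("2024-01-10 10:03:40", "corp\\bob"),
]


def users_over_threshold(records, threshold=5, window_seconds=60):
    """Return the set of users with at least `threshold` events inside any
    span of `window_seconds`. A per-user deque keeps only the timestamps
    still inside the window, so memory stays bounded by the threshold."""
    windows = defaultdict(deque)
    flagged = set()
    for ts, user in sorted(records):            # process in time order
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        q = windows[user]
        q.append(t)
        while (t - q[0]).total_seconds() > window_seconds:
            q.popleft()                         # drop events that aged out
        if len(q) >= threshold:
            flagged.add(user)
    return flagged


def build_register_payload(users, tag, timeout_seconds=None):
    """Build the uid-message XML that registers each user with `tag`.
    Assumed to follow the PAN-OS User-ID XML API; an optional timeout on
    the tag member lets the firewall unregister the user automatically."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    reg = ET.SubElement(payload, "register-user")
    for user in sorted(users):
        entry = ET.SubElement(reg, "entry", user=user)
        member = ET.SubElement(ET.SubElement(entry, "tag"), "member")
        if timeout_seconds is not None:
            member.set("timeout", str(timeout_seconds))
        member.text = tag
    return ET.tostring(root, encoding="unicode")


def send_payload(firewall_host, api_key, xml_payload):
    """POST the payload to the firewall's User-ID API endpoint.
    Host and key are placeholders supplied by the caller; not run here."""
    data = urllib.parse.urlencode(
        {"type": "user-id", "key": api_key, "cmd": xml_payload}
    ).encode()
    req = urllib.request.Request(f"https://{firewall_host}/api/", data=data)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    bad_users = users_over_threshold(SAMPLE_THREAT_LOGS)
    print("users to tag:", sorted(bad_users))
    print(build_register_payload(bad_users, "bad-user", timeout_seconds=3600))
    # send_payload("FIREWALL_HOST_PLACEHOLDER", "API_KEY_PLACEHOLDER", xml)
```

In the Splunk scripted-alert setup described above, the search itself would do the counting and hand the user list to the script, so only the payload builder and the send step are needed there; the counter is included so the threshold logic can be tested offline against known input before wiring it to live logs. The tag timeout is the piece worth keeping either way: without it, a tagged user stays in the blocking group until someone unregisters them by hand.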

