03-22-2023 04:08 AM
Hello to All,
Can the Palo Alto Firewall auto-quarantine users based on the number of violations they have made in a particular time?
I know that Palo Alto can add users or IP addresses to a dynamic group using auto-tagging with tags (https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic-user-group... ), but when I tried to make a Log Filter for the Log Profile I did not see the exact options to say: if a user does 5 threat violations in 60 seconds, then add the tag that matches the dynamic user group that is added to a blocking rule in the security policy.
With Cortex XSOAR I know that this can be done using the SIEM logs, but I think there is no native firewall function to do this.
03-23-2023 01:34 AM
This may work with profiles that are already time-bound like brute-force ((category-of-threatid eq brute-force)), but tracking 'random' threats will require an external SIEM or XSOAR.
03-23-2023 02:30 AM - edited 03-23-2023 03:07 AM
For Brute Force protection, a custom combination signature with "number of hits" can also do the job by matching the parameters, but for violations it seems better to use external automation. Still, nowadays many users are behind the same IP address, so it is better to do Brute Force Protection on dedicated WAF devices that fingerprint the source device than to use the NGFW firewall for this job.
I am at the moment doing that, but without an XSOAR solution, as it was not available.
I am trying the Splunk SIEM to trigger a bash script when a custom alert fires, based on a user triggering too many violations in 60 seconds (https://docs.splunk.com/Documentation/SplunkCloud/latest/Alert/Configuringscriptedalerts), that has an Ansible playbook in it and passes parameters to it, i.e. the users that need the good tag (to block them): http://api-lab.paloaltonetworks.com/registered-user.html 🙂
Edit:
Now I see that Ansible does not have a module for DUG (dynamic user group), just DAG (dynamic address group), so either I will have to use the Ansible URI module to script it, or the bash script can just use curl with a for loop to send the bad users that need to be tagged. Probably no one decided to make an Ansible module for DUG, which is what it is.
https://ansible-pan.readthedocs.io/en/latest/modules/panos_dag_tags_module.html
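One way to do the curl tagging step described above, as an added example (not the poster's script and not Palo Alto's own code): a POSIX shell script that reads the offending usernames from stdin (one per line, as a SIEM alert action can feed them), builds a single User-ID `register-user` message so one API call tags the whole batch, and posts it to the firewall's XML API with the key in the `X-PAN-KEY` header. The hostname, API key, tag name and tag timeout are assumptions; the dynamic user group in the blocking rule must match the same tag.

```shell
#!/bin/sh
# Tag users into a PAN-OS dynamic user group via the User-ID XML API.
# Assumed values (not from the thread): PAN_HOST, PAN_API_KEY, tag "quarantine",
# timeout 3600 s. The tag expires on its own, so the quarantine is time-limited.
set -eu

PAN_HOST="${PAN_HOST:-firewall.example.internal}"   # assumed firewall hostname
PAN_TAG="${PAN_TAG:-quarantine}"                     # tag the DUG matches on
PAN_TAG_TIMEOUT="${PAN_TAG_TIMEOUT:-3600}"           # seconds until the tag is removed

# xml_escape STR : escape characters that must not appear raw in XML text/attributes.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# user_entry TAG TIMEOUT USER : one <entry> element registering TAG on USER.
user_entry() {
  printf '<entry user="%s"><tag><member timeout="%s">%s</member></tag></entry>' \
    "$(xml_escape "$3")" "$2" "$(xml_escape "$1")"
}

# build_uid_xml TAG TIMEOUT USER... : wrap all entries in one register-user message.
build_uid_xml() {
  tag=$1; timeout=$2; shift 2
  printf '<uid-message><version>1.0</version><type>update</type><payload><register-user>'
  for user in "$@"; do
    user_entry "$tag" "$timeout" "$user"
  done
  printf '</register-user></payload></uid-message>'
}

# send_uid_xml XML : POST the message to the firewall; the key stays out of the URL.
send_uid_xml() {
  curl -sS --fail \
    -H "X-PAN-KEY: ${PAN_API_KEY:?PAN_API_KEY must be set}" \
    --data-urlencode "type=user-id" \
    --data-urlencode "cmd=$1" \
    "https://${PAN_HOST}/api/"
}

# main : collect non-empty usernames from stdin and tag them in a single call.
main() {
  set --
  while IFS= read -r line; do
    [ -n "$line" ] && set -- "$@" "$line"
  done
  [ $# -gt 0 ] || { echo "no users to tag" >&2; return 0; }
  send_uid_xml "$(build_uid_xml "$PAN_TAG" "$PAN_TAG_TIMEOUT" "$@")"
}

# Run only when invoked as the alert action: printf 'corp\\alice\n' | sh tag_users.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```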