How to block people who are trying to exploit vulnerabilities for a period of time

Not applicable


Hello everyone,

Our PAs are using the threat prevention system, which drops traffic that is trying to exploit vulnerabilities, do DoS attacks, etc.

All works very nicely - but it's only affecting the attempt on an individual basis.

F. ex. - someone performs a "DNS ANY Queries Brute Force DOS Attack" and gets blocked. But then the same source re-tries shortly after. And again and again.

I'm looking for a way to automatically block the source IP for a period of time.

Say that source IP 119.147.138.171 gets caught trying to do a "DNS ANY Queries Brute Force DOS Attack". If the source IP does this a number of times - then this IP should be completely blocked for a prolonged period of time - f. ex. 24h.

Now the big question is - how do we do that ?

Br

Jørgen
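The repeat-offender logic Jørgen asks for (the same source hitting the same signature several times, then a long block) can also be approximated outside the firewall by counting threat-log entries per source in a rolling window and emitting a plain-text block list. This is an added example, not code from the thread or from Palo Alto Networks; the log layout, the 10-minute window, the threshold of 3 and the 24h block are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample threat-log lines: "timestamp,source,destination,threat name,action".
# This simplified layout (and the time ordering) is an assumption, not the firewall's real format.
SAMPLE_LOG = """\
2012-05-01 10:00:05,119.147.138.171,10.0.0.53,DNS ANY Queries Brute Force DOS Attack,drop
2012-05-01 10:00:40,119.147.138.171,10.0.0.53,DNS ANY Queries Brute Force DOS Attack,drop
2012-05-01 10:01:10,203.0.113.9,10.0.0.53,DNS ANY Queries Brute Force DOS Attack,drop
2012-05-01 10:02:30,119.147.138.171,10.0.0.53,DNS ANY Queries Brute Force DOS Attack,drop
2012-05-01 12:30:00,203.0.113.9,10.0.0.53,DNS ANY Queries Brute Force DOS Attack,drop
"""

def repeat_offenders(log_text, threshold=3, window=timedelta(minutes=10),
                     block_for=timedelta(hours=24)):
    """Map source IP -> block expiry for sources that triggered the same threat
    signature at least `threshold` times within any rolling `window`."""
    recent = defaultdict(deque)   # (src, threat) -> timestamps still inside the window
    blocked = {}
    for line in log_text.splitlines():
        ts, src, _dst, threat, _action = line.split(",", 4)
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        q = recent[(src, threat)]
        q.append(t)
        while t - q[0] > window:       # drop hits that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in blocked:
            blocked[src] = t + block_for   # first time over threshold: start the long block
    return blocked

def active_blocks(blocked, now):
    """IPs still blocked at `now`, sorted, one per entry for a plain-text block list."""
    return sorted(ip for ip, until in blocked.items() if until > now)

if __name__ == "__main__":
    offenders = repeat_offenders(SAMPLE_LOG)
    for ip, until in offenders.items():
        print(f"{ip} blocked until {until}")
    print(active_blocks(offenders, datetime(2012, 5, 1, 12, 0, 0)))
```

With the sample data only 119.147.138.171 crosses the threshold; 203.0.113.9 has two hits hours apart and stays unblocked.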


Accepted Solutions
L4 Transporter

You can indeed do this. In PAN-OS 4.0, a new action called block-ip was introduced. You can block based on source IP or source and destination IP pair. You can use this action in the vulnerability protection profile > Exceptions, find the signature and change the action to block-ip. Set the time from 1-3600 seconds.

On the zone protection profile, you can also use the block-ip action associated with the reconnaissance protection for port scans and host sweeps.



All Replies
L6 Presenter

I guess the short answer is: contact your Sales Engineer to file this as a feature request.

PA has today two methods to deal with annoying clients (over time): zone protection and DoS protection (unfortunately, as far as I know, neither of them can today be used as you requested).

Check out for more information.


L6 Presenter

*doh* forgot about that one :-)

When block-ip is activated, will each attempt from the blocked client still be logged (or if the PA box will no longer log the client attempts - can one override it so it will)?

Not applicable

Spot on - thanks a lot :smileyhappy:

Br

Jørgen
