- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
09-02-2015 09:23 AM - edited 09-03-2015 02:24 AM
Hello,
This would be possible to implement?
Configure my firewall to make a action for 'automatic blocking an IP for an hour' in a vulnerability scanning.
Objects -> Custom Objects -> Vulnerability
Example: IP auto-block attacker for 1 hour, if 10 times in 10 seconds Any Scan Vulnerability Bash.
I want "OR" condition.
Here. addition to "IP address exemptions" should also have an option of "exemptions region".
Last weekend we suffered a scan vulnerability Bash from different origins (countries). Do you think that might work?
If this worked well It could be a good method to persuade an attacker.
Regards
dicu
09-02-2015 01:02 PM - edited 09-02-2015 01:06 PM
Hi Bradley,
you have "and" condition, you wanted "or", that is the left out of two buttons circled in red square, they should all end up under a single "And condition 1".... as in:
Also, direction should not be both, it is client2server, right? Server will not attack someone 🙂
Besides all this, you will need to include this newly created vulnerability into your existing profile that applies to the security policy protecting this communication, I hope you didn't forget that part of the config 🙂
Regards
09-04-2015 10:43 AM
Hi,
You will see an entry in the threat logs with the action "block-ip". To see the list of currently blocked IPs, use the following command in the CLI:
debug dataplane show dos block-table
If you want to remove an IP address from the block list before the timer goes down to 0 :
clear dos-protection zone <sourcezone> blocked source <ip-addr>
Benjamin
09-02-2015 11:21 AM
Hi COS,
Your screenshots are very small, I can't see any detail. What is in the OR condition? Is there a reason why you did not simply change the timer in the existing Bash remote code execution vulnerabilities? Did you really need a brute-force style vulnerability?
Benjamin
09-02-2015 12:16 PM - edited 09-03-2015 05:13 AM
baudy,
The small screeshot size is due to the forum automatically resizing the images...
Here are links to the full size versions:
https://live.paloaltonetworks.com/t5/image/serverpage/image-id/182i9469721019583E85
https://live.paloaltonetworks.com/t5/image/serverpage/image-id/183iFE1264D72159DFB2
https://live.paloaltonetworks.com/t5/image/serverpage/image-id/184iDA76937EF6AAE73C
https://live.paloaltonetworks.com/t5/image/serverpage/image-id/181i461B7CCB2827410D
EDIT: COS has fixed the images in the original post.
09-02-2015 01:02 PM - edited 09-02-2015 01:06 PM
Hi Bradley,
you have "and" condition, you wanted "or", that is the left out of two buttons circled in red square, they should all end up under a single "And condition 1".... as in:
Also, direction should not be both, it is client2server, right? Server will not attack someone 🙂
Besides all this, you will need to include this newly created vulnerability into your existing profile that applies to the security policy protecting this communication, I hope you didn't forget that part of the config 🙂
Regards
09-04-2015 03:31 AM
Hello
I have two questions about this:
How can I verify that the firewall are blocking the attacking IP?
.. I imagine in the logs (threat). 😉
How can I check the time (timer) that carries a specific IP blocked?
Regards,
dicu
09-04-2015 10:43 AM
Hi,
You will see an entry in the threat logs with the action "block-ip". To see the list of currently blocked IPs, use the following command in the CLI:
debug dataplane show dos block-table
If you want to remove an IP address from the block list before the timer goes down to 0 :
clear dos-protection zone <sourcezone> blocked source <ip-addr>
Benjamin
09-10-2015 01:16 AM
Hello
Interesting commands.
Command quite helpful in unlocking an IP (false positive). I would also add the IP to the list of excluded. because otherwise it is likely that the IPS block again if detects a threat.
Thank you very much everybody.
dicu 😉
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!