The problem I have is this. I have identifed about 70 attacking ips and I like to block completly the traffic from them (I already have and deny-rule in the bottom of my polices but this rule log the traffic). I like to create a rule to deny this traffic or a blacklist to include these ip address avoiding any kind of logging (syslog or SNMP trap)
Could someone help?
There are several approaches you could choose from:
- The simplest approach would be to create a security rule higher in your rulebase (eg. test_rule) and list every attacking IP in the source address field of the rule 'test_rule'. To prevent traffic matching this rule from generating any logs, click on the rule>Actions>Log settings. Ensure that both "Log at session start" and "log at session end" are unchecked. Next, ensure that "Log Forwarding" profile is set to "None".
However, if you would like to use some sort of automation or external source to populate this list of source IPs, then you can look into creating the source IP address object using the PAN OS 5.0 features called "Dynamic Block List" or "Dynamic Address Objects".
https://live.paloaltonetworks.com/docs/DOC-4118 (Pg 241-242)
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!