How to create a blacklist with certain ip sources?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

How to create a blacklist with certain ip sources?

L4 Transporter

Hello everybody

The problem I have is this. I have identifed about 70 attacking ips and I like to block completly the traffic from them (I already have and deny-rule in the bottom of my polices but this rule log the traffic). I like to create a rule to deny this traffic or a blacklist to include these ip address avoiding any kind of logging (syslog or SNMP trap)

Could someone help?

Best regards

GonzaloArroyo

3 REPLIES 3

L4 Transporter

Hello,


Not completely sure what you mean here.

But you can turn all logging on a rule off if you go into the rule and "action".

Remove the "Log at Session End" option.

Jo Christian

/Jo Christian

L7 Applicator

There are several approaches you could choose from:

- The simplest approach would be to create a security rule higher in your rulebase (eg. test_rule) and list every attacking IP in the source address field of the rule 'test_rule'. To prevent traffic matching this rule from generating any logs, click on the rule>Actions>Log settings. Ensure that both "Log at session start" and "log at session end" are unchecked. Next, ensure that "Log Forwarding" profile is set to "None".

However, if you would like to use some sort of automation or external source to populate this list of source IPs, then you can look into creating the source IP address object using the PAN OS 5.0 features called "Dynamic Block List" or "Dynamic Address Objects".

Some references:

https://live.paloaltonetworks.com/docs/DOC-4121

https://live.paloaltonetworks.com/docs/DOC-5850

https://live.paloaltonetworks.com/docs/DOC-4724

https://live.paloaltonetworks.com/docs/DOC-4118  (Pg 241-242)

Hi Jo

The rule is my deny-all rule and I want to create another rule before it disabling the logging only for these attacking Ips.

Gonzalo

  • 2381 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!