This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

How to create a blacklist with certain ip sources?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to create a blacklist with certain ip sources?

SOC_CSG
L4 Transporter

‎10-15-2013 01:39 AM

Hello everybody

The problem I have is this. I have identifed about 70 attacking ips and I like to block completly the traffic from them (I already have and deny-rule in the bottom of my polices but this rule log the traffic). I like to create a rule to deny this traffic or a blacklist to include these ip address avoiding any kind of logging (syslog or SNMP trap)

Could someone help?

Best regards

GonzaloArroyo

0 Likes Likes
3 REPLIES 3

jochristian
L4 Transporter

‎10-15-2013 05:48 AM

Hello,


Not completely sure what you mean here.

But you can turn all logging on a rule off if you go into the rule and "action".

Remove the "Log at Session End" option.

Jo Christian

/Jo Christian
0 Likes Likes

goku123
L7 Applicator

‎10-15-2013 06:01 AM

There are several approaches you could choose from:

- The simplest approach would be to create a security rule higher in your rulebase (eg. test_rule) and list every attacking IP in the source address field of the rule 'test_rule'. To prevent traffic matching this rule from generating any logs, click on the rule>Actions>Log settings. Ensure that both "Log at session start" and "log at session end" are unchecked. Next, ensure that "Log Forwarding" profile is set to "None".

However, if you would like to use some sort of automation or external source to populate this list of source IPs, then you can look into creating the source IP address object using the PAN OS 5.0 features called "Dynamic Block List" or "Dynamic Address Objects".

Some references:

https://live.paloaltonetworks.com/docs/DOC-4121

https://live.paloaltonetworks.com/docs/DOC-5850

https://live.paloaltonetworks.com/docs/DOC-4724

https://live.paloaltonetworks.com/docs/DOC-4118  (Pg 241-242)

SOC_CSG
L4 Transporter
In response to jochristian

‎10-18-2013 02:23 AM

Hi Jo

The rule is my deny-all rule and I want to create another rule before it disabling the logging only for these attacking Ips.

Gonzalo

0 Likes Likes
  • 2716 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks