06-16-2011 05:56 PM
hi
i noticed that in some "critical", "high" and "medium" severity vulnerabilities, the default action is just "alert"... especially those brute-force attempts.
at the moment, our system is set for default to take care of these. however, i remember a thread here advising to set the action to "block" for medium severity on the server side vulnerabilities... is it safe to set action to "block" for "critical", "high" and "medium" severity for server side? will this break applications?
thanks!
rgds,
- ron
06-16-2011 10:07 PM
Ronaldgoh wrote:
hi
i noticed that in some "critical", "high" and "medium" severity vulnerabilities, the default action is just "alert"... especially those brute-force attempts.
at the moment, our system is set for default to take care of these. however, i remember a thread here advising to set the action to "block" for medium severity on the server side vulnerabilities... is it safe to set action to "block" for "critical", "high" and "medium" severity for server side? will this break applications?
thanks!
rgds,
- ron
If you raise your level to "block" and the threat is detected the firewall will, as the name suggests, block the traffic from transiting.
Now, if you're 100% sure the threats being detected are valid, then I suggest you might want to block them.
If, however, you're worried about false positives - then don't. The block action may well break something, especially if it triggers a positive threat detection when it's not really a threat.
"Alert" is good if you have time to sit and watch threat logs, and can get on top of reported threats immediately - if you're like most people and DON'T have this time, then block is a good option. Depends how paranoid you are, and how critical potentially blocking a valid action might be.
Cheers
09-16-2011 07:00 AM
If you raise your level to "block" and the threat is detected the firewall will, as the name suggests, block the traffic from transiting.
Now, if you're 100% sure the threats being detected are valid, then I suggest you might want to block them.
If, however, you're worried about false positives - then don't. The block action may well break something, especially if it triggers a positive threat detection when it's not really a threat.
"Alert" is good if you have time to sit and watch threat logs, and can get on top of reported threats immediately - if you're like most people and DON'T have this time, then block is a good option. Depends how paranoid you are, and how critical potentially blocking a valid action might be.
Hi! I just checked and it doesn't seem to be possible to export this list of vulnerabilities and default actions when you go Objects > Antivirus, Anti-spyware and Vulnerability Protection and then choose New - Custom.
Where is the list available in printable format?
Your quick answer would be much appreciated.
Regards.
09-16-2011 03:26 PM
Hi,
In 4.0 you can view all the signatures along with their default actions by creating or opening a profile, and clicking "custom". From there you can page through all the signatures and see their default actions. Similarly, in 4.1, you'll have the same capability in the Exceptions tab.
While this can get you the data you're looking for, it is still page-by-page, and not readily printable. However, we do have a feature coming down the pipeline that will allow you to perform a CSV export of all signatures in a given profile. You will be able to use this feature with a wildcard profile to get the report you're looking for.
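As an added example, not code from this thread or from Palo Alto Networks: a small Python triage script over a constructed CSV of the kind the export described above would produce (column names and threat IDs are assumptions), listing the server-side signatures of critical, high and medium severity whose default action is only "alert", i.e. the candidates the thread is debating whether to switch to "block".

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names and threat IDs are assumptions;
# the thread only says a per-profile CSV export of signatures is planned.
SAMPLE_CSV = """threat_id,name,severity,default_action,direction
30001,HTTP Brute Force Login Attempt,high,alert,client-to-server
30002,SSH Brute Force Attempt,medium,alert,client-to-server
30003,FTP Brute Force Attempt,low,alert,client-to-server
30004,SMB Remote Code Execution,critical,drop-all-packets,client-to-server
30005,Browser Heap Overflow,critical,alert,server-to-client
30006,SQL Injection Attempt,medium,alert,client-to-server
"""

# Severities the thread suggests reviewing for a stricter action.
SEVERITIES_TO_REVIEW = {"critical", "high", "medium"}


def load_signatures(csv_text):
    """Parse the export into a list of dicts, one per signature."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def alert_only_server_side(rows, severities=SEVERITIES_TO_REVIEW):
    """Signatures aimed at servers (client-to-server) whose severity is in
    the review set but whose default action is only 'alert'. These are the
    ones to examine for false-positive risk before changing them to block."""
    return [
        r for r in rows
        if r["severity"].lower() in severities
        and r["default_action"].lower() == "alert"
        and r["direction"] == "client-to-server"
    ]


def action_summary(rows):
    """Count default actions per severity, e.g. {'medium': {'alert': 2}},
    to see at a glance how much of the profile is alert-only."""
    summary = defaultdict(lambda: defaultdict(int))
    for r in rows:
        summary[r["severity"].lower()][r["default_action"].lower()] += 1
    return {sev: dict(acts) for sev, acts in summary.items()}


if __name__ == "__main__":
    sigs = load_signatures(SAMPLE_CSV)
    for r in alert_only_server_side(sigs):
        print(r["threat_id"], r["severity"], r["name"])
    print(action_summary(sigs))
```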
09-17-2011 12:41 AM
Hi,
Also, there are some companies which prefer to have very strict security and they will choose block as the action. On the other hand, if service availability is much more important, you had better choose medium and review specific signatures on and off.
09-19-2011 01:37 AM
While this can get you the data you're looking for, it is still page-by-page, and not readily printable. However, we do have a feature coming down the pipeline that will allow you to perform a CSV export of all signatures in a given profile. You will be able to use this feature with a wildcard profile to get the report you're looking for.
Hi!
Can you please advise in which version the feature will be enabled to export the vulnerability information in CSV?
Regards.
09-19-2011 11:01 PM
I've raised action to block for a lot of the brute-force attacks... and the status on the monitor shows "drop-all-packets"... but the attacks kept continuing... is there a setting to stop the connection for 10 minutes or more?
even though the packets are dropped (according to PA monitor), the attackers seem to just continue with the brute force attacks on our systems... it's quite irritating and i suspect eventually they might be able to get through...
wish PA can change the way it responds to brute force threats...
- ron