Log Forwarding / Dynamic Address List

L3 Networker

Hi,

We are trying to use the cool new "built-in actions" / tagging feature available through Log Forwarding to tag source IP addresses that generate high/critical threat events to build a dynamic address list that will ultimately be used in a policy to block offending traffic.

We have a PA 3050 which allows up to 5000 dynamic address list entries, and based on a review of the logs we have had about 400 source addresses that would match the above criteria inside the last 2 months; meaning we would reach the max number relatively quickly.

We are mostly interested in blocking IP addresses that have tried multiple times in a relatively short space of time, more indicative of a targeted attack rather than a passing scan, e.g. 20 times in the last 15 minutes.

I thought I could use the "Repeat Count" field, however this works off the last 5 seconds and so does not catch most of the traffic I see in the logs and am wanting to catch.

Then I thought I could do a 3-strikes type approach where it gets tagged yellow the 1st time, tagged orange if it is seen again and has a tag of yellow, and tagged red if it is seen again and already has tags of yellow and orange, but there appears to be no option to build a filter off existing tags.

Has anyone tried to do something similar to what we are looking at?

Really keen to hear others' ideas or how they are using the Built-in Actions available under Log Forwarding.

Also - for dynamic address lists with a high number of entries, is there any performance hit? The concern is that, for legitimate traffic waiting to hit an allow policy further down the list, does it get held up waiting to match one of 5000 entries in the dynamic address list?

Thanks!

Shannon
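The two ideas in the post (a "20 events in 15 minutes" threshold that "Repeat Count" cannot express because it only looks at 5 seconds, and a 3-strikes escalation that the firewall cannot do because it cannot filter on existing tags) are both easy to express outside the firewall, in whatever consumes the forwarded logs. The following is an added example, not code from the thread or from Palo Alto Networks. It assumes a simplified three-column CSV (receive_time, src, severity) rather than the full PAN-OS threat log format, uses made-up 10.0.0.x addresses, and stops at deciding which sources to tag and with which colour; pushing the tag to a dynamic address group is left to the tooling you already have.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Severities worth acting on, as in the post (high / critical threat events).
ACT_ON = {"high", "critical"}
# Escalation ladder for the post's "3 strikes" idea; the tag state has to be
# kept here because the firewall offers no filter on a source's existing tags.
TAG_LADDER = ["yellow", "orange", "red"]
TIME_FMT = "%Y/%m/%d %H:%M:%S"


def make_sample_log() -> str:
    """Constructed, simplified threat log with only receive_time, src, severity.
    (A real PAN-OS threat log CSV carries many more fields; addresses are made up.)"""
    start = datetime(2024, 1, 1, 12, 0, 0)
    rows = []
    # 10.0.0.5: one critical hit every 30 s for 12.5 min -> 25 hits, but never
    # two inside the 5 s that "Repeat Count" looks at.
    rows += [(start + timedelta(seconds=30 * i), "10.0.0.5", "critical") for i in range(25)]
    # 10.0.0.6: one high hit every 6 min for 3 h -> 30 hits, at most 3 per 15 min.
    rows += [(start + timedelta(minutes=6 * i), "10.0.0.6", "high") for i in range(30)]
    # 10.0.0.7: 40 low-severity hits in 40 s -> dropped by the severity filter.
    rows += [(start + timedelta(seconds=i), "10.0.0.7", "low") for i in range(40)]
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["receive_time", "src", "severity"])
    for when, src, sev in rows:
        writer.writerow([when.strftime(TIME_FMT), src, sev])
    return buf.getvalue()


def parse_threat_log(text: str) -> list:
    """Parse the simplified CSV into (timestamp, src, severity) tuples, oldest first."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append((datetime.strptime(row["receive_time"], TIME_FMT),
                       row["src"], row["severity"].lower()))
    events.sort(key=lambda e: e[0])
    return events


def find_repeat_offenders(events, threshold: int = 20, window_minutes: float = 15,
                          severities=ACT_ON) -> dict:
    """Return {src: time} for each source whose count of matching events inside a
    sliding window of `window_minutes` first reaches `threshold`."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    flagged = {}
    for when, src, sev in events:
        if sev not in severities:
            continue
        q = recent[src]
        q.append(when)
        while when - q[0] > window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = when
    return flagged


def escalate(current_tag):
    """Next tag on the ladder: None -> yellow -> orange -> red (red stays red)."""
    if current_tag is None:
        return TAG_LADDER[0]
    idx = TAG_LADDER.index(current_tag)
    return TAG_LADDER[min(idx + 1, len(TAG_LADDER) - 1)]


def apply_strikes(tags: dict, offenders) -> dict:
    """Escalate every offender one step; returns a new src -> tag mapping."""
    updated = dict(tags)
    for src in offenders:
        updated[src] = escalate(updated.get(src))
    return updated


if __name__ == "__main__":
    evts = parse_threat_log(make_sample_log())
    hits = find_repeat_offenders(evts)
    for src, when in hits.items():
        print(f"{src}: 20 high/critical events within 15 min by {when}")
    # The same data through a 5-second window catches nothing: the post's problem.
    print("5 s window flags:", find_repeat_offenders(evts, window_minutes=5 / 60))
    state = {}
    for _ in range(3):
        state = apply_strikes(state, hits)
    print("tags after three strikes:", state)
```

Run against the constructed log, only 10.0.0.5 crosses 20 high/critical events inside 15 minutes (at 12:09:30), 10.0.0.6 never has more than three in any window despite 30 hits overall, and a 5-second window flags nothing at all, which is why the firewall's own "Repeat Count" misses this traffic. Running the strike logic once per evaluation period gives the yellow/orange/red progression the post describes, with the tag history held in the script rather than on the firewall.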
2 REPLIES

Cyber Elite

@SARowe_NZ,

I would say that MineMeld is probably a more proper fit for what you are trying to accomplish. Have you taken a look at that option?

L0 Member

Did you ever find a solution for this? I would like to do the same.
