This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Log Forwarding / Dynamic Address List

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Log Forwarding / Dynamic Address List

SARowe_NZ
L3 Networker

‎12-18-2017 05:59 PM

Hi,

 

We are trying to use the cool new "built-in actions" / tagging feature available through Log Forwarding to tag source IP addresses that generate high/critical threat events to build a dynamic address list that will ultimately be used in a policy to block offending traffic.

 

We have a PA 3050 which allows up to 5000 dynamic address list entries, and based on a review of the logs we have had about 400 source addresses that would match the above criteria inside the last 2 months; meaning we would reach the max number relatively quickly.

 

We are mostly interested in blocking IP addresses that have tried multiple times in a relatively short space of time, more indicative of a targetted attack rather than a passing scan. e.g. 20 times in the last 15 minutes.

 

I thought I could use the "Repeat Count" field, however this works off the last 5 seconds and so does not catch most of the traffic I see in the logs and am wanting to catch.

 

Then I thought I could do a 3 strikes type approach where it gets tagged with yellow the 1st time, tagged orange if it is seen again and has a tag of yellow, and tagged red if it is seen again and already has a tag of yellow and orange but there appears to be no option to build a filter off existing tags.

 

Has anyone tried to do something similar to what we are looking at? 

 

Really keen to hear others ideas or how they are using the Built-in Actions available under Log Forwarding.

 

Also - for dynamic address lists with a high number of entries, is there any performance hit? The concern is that, for legitimate traffic waiting to hit an allow policy further down the list, does it get held up waiting to match one of 5000 entries in the dynamic address list?

 

Thanks!

Shannon

 

 

 

 

 

 

1 person had this problem.
0 Likes Likes
2 REPLIES 2

BPry
Cyber Elite
Cyber Elite

‎12-19-2017 06:55 AM

@SARowe_NZ,

I would say that MineMeld is probably a more proper fit for what you are trying to accomplish. Have you taken a look at that option? 

NicholaHidalgo
L0 Member

‎02-17-2019 11:21 AM

did you evern find a solution for this. I would like to do the same.

0 Likes Likes
  • 2909 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks