We are trying to use the cool new "built-in actions" / tagging feature available through Log Forwarding to tag source IP addresses that generate high/critical threat events to build a dynamic address list that will ultimately be used in a policy to block offending traffic.
We have a PA 3050 which allows up to 5000 dynamic address list entries, and based on a review of the logs we have had about 400 source addresses that would match the above criteria inside the last 2 months; meaning we would reach the max number relatively quickly.
We are mostly interested in blocking IP addresses that have tried multiple times in a relatively short space of time, more indicative of a targeted attack rather than a passing scan, e.g. 20 times in the last 15 minutes.
I thought I could use the "Repeat Count" field, however this works off the last 5 seconds and so does not catch most of the traffic I see in the logs and am wanting to catch.
Then I thought I could do a 3 strikes type approach where it gets tagged with yellow the 1st time, tagged orange if it is seen again and has a tag of yellow, and tagged red if it is seen again and already has a tag of yellow and orange, but there appears to be no option to build a filter off existing tags.
Has anyone tried to do something similar to what we are looking at?
Really keen to hear others' ideas or how they are using the Built-in Actions available under Log Forwarding.
Also - for dynamic address lists with a high number of entries, is there any performance hit? The concern is that, for legitimate traffic waiting to hit an allow policy further down the list, does it get held up waiting to match one of 5000 entries in the dynamic address list?
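Added example, not code from the original post or from Palo Alto Networks: the two rules the post is reaching for (20 high/critical hits from one source inside a 15-minute sliding window, and a yellow/orange/red three-strike ladder) implemented off-box over forwarded threat-log records, with the resulting IP/tag pairs rendered as a User-ID register payload. Assumptions: the log lines are a simplified constructed CSV (timestamp, source IP, severity) rather than the real PAN-OS threat-log format, the tag names `strike-yellow`/`strike-orange`/`strike-red` are invented, a "strike" is counted once per cooldown period so that a single burst does not jump straight to red, and the `<uid-message>` element names should be checked against the PAN-OS version in use before sending them to the XML API.

```python
"""Sliding-window and three-strike tagging over threat-log records.

Example code, not PAN-OS code. Input is a constructed CSV: timestamp,src_ip,severity.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from xml.sax.saxutils import escape

WINDOW = timedelta(minutes=15)          # "20 times in the last 15 minutes"
THRESHOLD = 20
SEVERITIES = {"high", "critical"}       # only these severities count
COOLDOWN = timedelta(hours=1)           # one strike per hour per source (assumption)
TAG_LADDER = ("strike-yellow", "strike-orange", "strike-red")   # invented tag names


def build_sample_log():
    """Constructed sample records (not real log data) covering three source types."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    rows = []
    # 203.0.113.10: 25 critical hits inside 12 minutes -> a burst
    for i in range(25):
        rows.append((base + timedelta(seconds=30 * i), "203.0.113.10", "critical"))
    # 198.51.100.7: 30 high hits, one every 6 minutes -> never 20 in any 15 minutes,
    # but persistent over three hours
    for i in range(30):
        rows.append((base + timedelta(minutes=6 * i), "198.51.100.7", "high"))
    # 192.0.2.44: 40 rapid hits that are only 'medium' -> ignored by the severity filter
    for i in range(40):
        rows.append((base + timedelta(seconds=10 * i), "192.0.2.44", "medium"))
    return [f"{ts.isoformat()},{ip},{sev}" for ts, ip, sev in rows]


def parse_line(line):
    ts, ip, sev = line.strip().split(",")
    return datetime.fromisoformat(ts), ip, sev.lower()


def find_offenders(lines, threshold=THRESHOLD, window=WINDOW, severities=SEVERITIES):
    """Return {ip: time at which the threshold was first reached}.

    Keeps a per-source deque of event times and drops entries older than the
    window before counting, so the test is 'N qualifying events within the last W'.
    """
    events = sorted(parse_line(line) for line in lines)
    recent = defaultdict(deque)
    offenders = {}
    for ts, ip, sev in events:
        if sev not in severities:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = ts
    return offenders


def strike_tags(lines, cooldown=COOLDOWN, severities=SEVERITIES):
    """Three-strike ladder: a source earns one strike per cooldown period in which
    it produced a qualifying event; the tag is the rung for its strike count.
    Because the counter lives here, no filter on an existing tag is needed."""
    events = sorted(parse_line(line) for line in lines)
    strikes = defaultdict(int)
    last_strike = {}
    for ts, ip, sev in events:
        if sev not in severities:
            continue
        if ip not in last_strike or ts - last_strike[ip] >= cooldown:
            strikes[ip] += 1
            last_strike[ip] = ts
    return {ip: TAG_LADDER[min(n, len(TAG_LADDER)) - 1] for ip, n in strikes.items()}


def build_register_xml(ip_tags):
    """Render IP/tag pairs as a User-ID 'register' message for the firewall's
    XML API (type=user-id). Element names are an assumption to verify."""
    entries = "".join(
        f'<entry ip="{escape(ip)}"><tag><member>{escape(tag)}</member></tag></entry>'
        for ip, tag in sorted(ip_tags.items())
    )
    return ("<uid-message><version>1.0</version><type>update</type><payload>"
            f"<register>{entries}</register></payload></uid-message>")


if __name__ == "__main__":
    sample = build_sample_log()
    print("burst offenders:", find_offenders(sample))
    tags = strike_tags(sample)
    print("strike tags:", tags)
    print(build_register_xml(tags))
```

On the constructed sample the two rules catch different sources: the burst rule flags only 203.0.113.10, while the strike ladder takes the slow, persistent 198.51.100.7 to red and leaves the burst source at yellow. Feeding each rule's output into its own dynamic address group keeps the 5000-entry budget under control, since only sources that actually crossed a threshold are registered rather than every source that produced one high-severity log.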