Log forwarding, filtering and auto tag


L3 Networker

Hi there

 

I've played with this feature for a while on my own FW, but must be doing something wrong. I'm adding the log forwarding profile, and when checking the filter I make, I get many log lines. But I don't get any output in the DAG. I've tried with threat and traffic logs. 

 

Documentation is rather slim on this topic. Has anyone done this with success who can share the details needed to make it work?

 

Thanks


L7 Applicator

I've been successful in using it to provide a "block-ip" action that lasts longer than 3600 seconds. This particular one looks for threat-type eq scan, takes the sources of those who are scanning and tags them with a 'scanners' tag. Next, there's a dynamic address group that matches on tag = scanners. Finally, I have a security policy at the top that blocks all inbound traffic from that dynamic address group. So far it's picked up over 400 scanners and is doing a semi-permanent shun:

 

(Attached screenshots: log-fwd-tag.png, scanners-dag.png, block-scanners-policy.png)

 

 

Hi jvalentine

 

Thanks for the interesting input on your scanner blocking via DAG.

I've got one question about it, though: what is the process for getting tagged source IPs untagged (to get them unblocked)?

 

Thanks

Andi

I've actually got a TAC case open right now for Log Forwarding.  I had one open for Auto Tagging but I ended up abandoning the implementation I was needing it for and going with something else.

 

For the log forwarding, it's almost as if the filter builder isn't fully featured.  I've implemented filters that show results in the filter test but then never forward anything (mine is set up to fire emails off on Correlation Event matches).  I've had other times where a filter built in the standard Threat Monitor tab will then not show the same results when I try it in the filter test for the Log Forwarder.

 

I'm on 8.0.7 on Panorama with our firewalls running 7.1.14.  I'm upgrading the firewalls later this week but I'm not sure the upgrade will make any difference since the Log Forwarding is actually configured on Panorama.

Hi,

thanks for the reply.

I have to say that, as for a process, I am looking more for some automatic mechanism: something like an "ageing out".

I guess it could be done using MineMeld.

 

Best Regards

Andi
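The procedure in the thread (tag the sources of scan threats, match the tag in a dynamic address group, block the DAG) and the open question of ageing those tags out, as an added example that is not code from the thread or from Palo Alto Networks. It builds the register and unregister messages in the PAN-OS User-ID XML API's uid-message format and expires a tag after a TTL, refreshing the timer whenever the same source is seen scanning again. The HTTP call to the firewall (the type=user-id API request) is assumed and not performed here, the threat-log rows are constructed stand-ins for parsed log fields, and the tag name 'scanners' is taken from the post.

```python
"""Ageing-out for auto-tagged IPs: build PAN-OS User-ID register/unregister
messages and expire tags after a TTL. Added example, not from the thread."""
import ipaddress
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

TAG = "scanners"  # tag name from the post; the DAG matches on tag = scanners


def uid_message(action, ip_tags):
    """Return the <uid-message> body for the User-ID XML API.

    action is 'register' or 'unregister'; ip_tags maps IP -> list of tags.
    The element layout follows the documented uid-message format; sending it
    to the firewall (type=user-id&cmd=...) is assumed and not done here.
    """
    assert action in ("register", "unregister")
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "2.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    block = ET.SubElement(payload, action)
    for ip, tags in sorted(ip_tags.items()):
        ipaddress.ip_address(ip)  # raises on garbage so a bad log row never reaches the API
        entry = ET.SubElement(block, "entry", ip=ip)
        tag_el = ET.SubElement(entry, "tag")
        for t in tags:
            ET.SubElement(tag_el, "member").text = t
    return ET.tostring(root, encoding="unicode")


class TagAger:
    """Remember when each IP was last tagged and drop the tag after `ttl`."""

    def __init__(self, ttl):
        self.ttl = ttl
        self.tagged = {}  # ip -> last time the IP was seen scanning

    def tag(self, ips, now):
        """Register IPs not yet tagged; refresh the timer on all of them.

        Returns the register message, or None when nothing new was tagged.
        """
        new = [ip for ip in ips if ip not in self.tagged]
        for ip in ips:
            self.tagged[ip] = now  # an active scanner keeps its shun
        if not new:
            return None
        return uid_message("register", {ip: [TAG] for ip in new})

    def expire(self, now):
        """Unregister every IP idle for at least `ttl`.

        Returns (expired_ips, unregister message or None).
        """
        expired = sorted(ip for ip, t in self.tagged.items() if now - t >= self.ttl)
        for ip in expired:
            del self.tagged[ip]
        if not expired:
            return expired, None
        return expired, uid_message("unregister", {ip: [TAG] for ip in expired})


def scan_sources(log_rows):
    """Source IPs of threat-log rows whose subtype is 'scan' (the post's filter)."""
    return sorted({row["src"] for row in log_rows if row["subtype"] == "scan"})


# Constructed sample rows standing in for parsed threat-log fields; not real output.
SAMPLE_LOGS = [
    {"subtype": "scan", "src": "198.51.100.7", "dst": "203.0.113.10"},
    {"subtype": "vulnerability", "src": "198.51.100.8", "dst": "203.0.113.10"},
    {"subtype": "scan", "src": "198.51.100.9", "dst": "203.0.113.10"},
    {"subtype": "scan", "src": "198.51.100.7", "dst": "203.0.113.11"},
]

if __name__ == "__main__":
    t0 = datetime(2018, 1, 1)
    ager = TagAger(ttl=timedelta(hours=24))
    print(ager.tag(scan_sources(SAMPLE_LOGS), t0))
    ager.tag(["198.51.100.7"], t0 + timedelta(hours=12))  # .7 seen again, timer refreshed
    print(ager.expire(t0 + timedelta(hours=24)))  # only .9 ages out
```

Run the expire step on a schedule (cron, or the same script that polls the logs) so the unregister call replaces the manual untagging asked about above. Unregistering the tag removes the IP from the DAG without a commit, which is the point of auto-tagging over static address objects.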
