I've played with this feature for a while on my own FW, but must be doing something wrong. I'm adding the log forwarding profile, and when checking the filter I make, I get many log lines. But I don't get any output in the DAG. I've tried with threat and traffic logs.
Documentation is rather slim on this topic. Has anyone done this with success who can share with me the details needed to make it work?
I've been successful in using it to provide a "block-ip" action that lasts longer than 3600 seconds. This particular one looks for threat-type eq scan, takes the sources of those who are scanning and tags them with a 'scanners' tag. Next, there's a dynamic address group that matches on tag = scanners. Finally, I have a security policy at the top that blocks all inbound traffic from that dynamic address group. So far it's picked up over 400 scanners and is doing a semi-permanent shun:
Thanks for the interesting input of your Scanner Blocking via DAG.
I've got one question about it though: What is the process for getting tagged Source-IPs untagged (to get them unblocked)?
I've actually got a TAC case open right now for Log Forwarding. I had one open for Auto Tagging but I ended up abandoning the implementation I was needing it for and going with something else.
For the log forwarding, it's almost as if the filter builder isn't fully featured. I've implemented filters that show results in the filter test but then never forward anything (mine is set up to fire emails off on Correlation Event matches). I've had other times where a filter built in the standard Threat Monitor tab will then not show the same results when I try it in the filter test for the Log Forwarder.
I'm on 8.0.7 on Panorama with our firewalls running 7.1.14. I'm upgrading the firewalls later this week but I'm not sure the upgrade will make any difference since the Log Forwarding is actually configured on Panorama.
Here is a link to unblock an IP; it's via the CLI.
Thanks for the reply.
I have to say that, as for a process, I am more looking for some automatic mechanism: something like an "ageing out".
I guess it could be done using MineMeld.
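One way to get that ageing out without MineMeld, as an added example (not code from this thread or from Palo Alto Networks): a script that keeps its own record of when each IP was tagged and removes the 'scanners' tag through the PAN-OS XML API's User-ID register/unregister message once an entry is older than a constructed one-week threshold. The firewall host, API key and the first_seen record are assumptions; untagging an IP drops it out of the DAG and therefore out of the block rule.

```python
import time
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

TAG = "scanners"                 # the tag the DAG in the post above matches on
MAX_AGE = 7 * 24 * 3600          # constructed ageing threshold: unblock after a week

def build_uid_message(register=(), unregister=(), tag=TAG):
    """Build the PAN-OS User-ID XML used to add (register) or remove
    (unregister) a tag on IP addresses, which is what moves an IP in and
    out of a tag-based dynamic address group."""
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "1.0"
    ET.SubElement(msg, "type").text = "update"
    payload = ET.SubElement(msg, "payload")
    for section, ips in (("register", register), ("unregister", unregister)):
        if not ips:
            continue
        block = ET.SubElement(payload, section)
        for ip in ips:
            entry = ET.SubElement(block, "entry", ip=ip)
            ET.SubElement(ET.SubElement(entry, "tag"), "member").text = tag
    return ET.tostring(msg, encoding="unicode")

def aged_out(first_seen, now, max_age=MAX_AGE):
    """Return the IPs whose tag is at least max_age seconds old.
    first_seen maps IP -> epoch time it was tagged (kept by the caller,
    e.g. in a small file or database next to the log-forwarding setup)."""
    return sorted(ip for ip, ts in first_seen.items() if now - ts >= max_age)

def send_uid_message(fw_host, api_key, xml_body):
    """POST the message to the firewall's XML API (type=user-id).
    fw_host and api_key are assumed values; this is not exercised offline."""
    data = urllib.parse.urlencode(
        {"type": "user-id", "key": api_key, "cmd": xml_body}).encode()
    with urllib.request.urlopen(f"https://{fw_host}/api/", data=data) as resp:
        return resp.read().decode()

if __name__ == "__main__":
    # constructed sample of when each scanner was tagged
    now = time.time()
    first_seen = {"203.0.113.10": now - 10 * 24 * 3600,   # older than a week
                  "203.0.113.11": now - 2 * 3600,         # tagged 2 hours ago
                  "198.51.100.7": now - 8 * 24 * 3600}    # older than a week
    stale = aged_out(first_seen, now)
    print("untagging:", stale)
    print(build_uid_message(unregister=stale))
    # send_uid_message("fw.example.invalid", "API_KEY_PLACEHOLDER",
    #                  build_uid_message(unregister=stale))
```

Run it from cron; on each pass, persist newly tagged IPs into first_seen and post the unregister message for whatever aged_out returns.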