For details on cookie usage on our site, read our Privacy Policy
- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
- AIOps for NGFW
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- Cloud NGFW for AWS
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
Multiple malicious scans from the same source address - can I block IP automatically
- LIVEcommunity
- Collaboration
- Discussions
- General Topics
- Re: Multiple malicious scans from the same source address - can I block IP automatically
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
07-28-2017 07:39 AM
Occasionally, I notice that the firewall has been blocking tens or even hundreds of attempts from a single source address for multiple threats. In a case like this, it seems obvious, for someone looking at the logs, that that source IP should have been temporarily blocked and possibly banned, but that does not happen automatically.
We do have some exception in our vulnerability profile that change the action from reset to block-IP, for instance, but this only applies to a specific TID. When you have a host combining say 5 or 10 different exploits in one minute, is there a way to configure the firewall to automatically block the offending IP?
Thanks,
Luca
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
08-01-2017 09:42 AM
Hi vsys_remo,
I've cloned syslogMiner node in MineMeld, and added (rigth after our Splunk server) the MMeld server to the syslog profile, port UDP 13514. It seems that the new node is not receiving any data. Also attempted creating a separate syslog server profile.
I've been following instructions contained in this doc:
https://live.paloaltonetworks.com/t5/MineMeld-Articles/Using-the-syslog-Miner/ta-p/77262
Luca
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
08-01-2017 10:30 AM
This now more and more belongs into the minemeld forum;)
You also configured the local firewall (iptables) to allow this traffic and if needed edited the rsyslog.conf file?
Sounds like something similar as in this topic: https://live.paloaltonetworks.com/t5/MineMeld-Discussions/MineMeld-need-help-importing-and-processin...
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
08-01-2017 10:40 AM - edited 08-01-2017 01:53 PM
Hi vsys_remo,
I agree. I'll post this in the MineMeld forum, if needed. I'd like to thank you and BPry for your help thus far.
Luca
edit: the port was already opened on the ubuntu server, but it's using port TCP 13514, not UDP 13514. 🙂
TCP clearly shows in the doc I linked, I simply missed that.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
05-14-2019 09:36 AM
@vsys_remo could you please explain how the following can be implemented:
"In PAN-OS 8 you could tag attacking IPs based on specific filters (for example when a critical vulnerability was blocked or even one specific vulnerability). With this tag you are then able to create a dynamic addressgroup and use this group in your policy to drop connections from there completely. "
Thanks.
Ho
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
05-15-2019 02:23 AM
Anyone know how to tag attacking IPs based on specific filters (for example when a critical vulnerability was blocked or even one specific vulnerability). With this tag you are then able to create a dynamic addressgroup and use this group in your policy to drop connections from there completely.
Thanks,
Ho
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
05-15-2019 02:43 PM
Hi @ash83
You need to start with a log forwarding profile, there you define a specific filter for the threatlogs (you either filter on the severity or on specific threat ID or something completely different). As action you then choose to tag the source or destination IP (depending on your filter) and assign a Tag to these IPs. After that you create a dynamic address group with the criteria the tag you created for that. From this point you can use the address group in your policy to block connections from or to these IPs.
Hope this helps.
- Automatically resetting preferred Gateway to "Best Available"? in GlobalProtect Discussions
- CLI - Regex with "?" in General Topics
- Virus/Win32.WGeneric.cfzcwn False/Positive? in Threat & Vulnerability Discussions
- Integrate Captive Portal with ADFS using SAML Authentication in General Topics
- Threat Log False Positives in Threat & Vulnerability Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
