This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Network blocking and detecting capabilities in case of similar abnormal symptoms traffic

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Network blocking and detecting capabilities in case of similar abnormal symptoms traffic

JoHyeonJae
L3 Networker

‎05-08-2023 07:48 PM

Hello all,

Hope you are doing well.

Our customer who is using PA3220 experienced external public IP blockage due to abnormal symptoms traffic.

 

Upon investigation, it was found that a test Linux server installed internally attempted SSH brute force attacks against an unspecified number of external public IPs.

 

We would like to know if the PaloAlto PA device has any network blocking and detecting capabilities in case of similar abnormal symptoms traffic.

 

Although it seems that PaloAlto can sufficiently detect abnormal traffic if one client attempts to SSH connect (attack) to an unspecified number of others, we cannot find any logs or alarms related to the symptoms.

Thanks,

0 Likes Likes
3 REPLIES 3

kiwi
Community Team Member

‎05-09-2023 01:44 AM

Hi @JoHyeonJae ,

 

To enforce protection against brute force attacks make sure to attach the Vulnerability Protection profile to a Security policy rule.

See Set Up Antivirus, Anti-Spyware, and Vulnerability Protection

 
 
Install content updates that include new signatures to protect against emerging threats. See Install Content and Software Updates.
 

 

You can have all the security profiles in the world... if you don't apply them to your policy they won't protect you (also make sure that you log appropriately).

 

kiwi_0-1683621798318.png

 

Kind regards,

-Kiwi.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
0 Likes Likes

JoHyeonJae
L3 Networker

‎05-09-2023 05:45 PM

@kiwi 
Thank you for your response. The customer is already using the Vulnerability Protection Profile. In this case, could you please advise what actions need to be taken for blocking?

0 Likes Likes

JoHyeonJae
L3 Networker

‎05-09-2023 07:14 PM

@kiwi 

I have a few questions while setting up the Vulnerability Protection Rule.

What does the Duration value mean in the Vulnerability Protection Rule, and what criteria are used to detect and block/detect abnormal traffic?

If the Duration is set to 3600, does the PA device analyze all traffic generated by the Vulnerability Protection Profile during the one-hour period and block the Source IP suspected of brute-force attacks?

Can you explain what criteria the PA device uses to identify traffic suspected of brute-force attacks?
Thanks,

0 Likes Likes
  • 1034 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks