Network blocking and detecting capabilities in case of similar abnormal symptoms traffic

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Network blocking and detecting capabilities in case of similar abnormal symptoms traffic

L3 Networker

Hello all,

Hope you are doing well.

Our customer who is using PA3220 experienced external public IP blockage due to abnormal symptoms traffic.


Upon investigation, it was found that a test Linux server installed internally attempted SSH brute force attacks against an unspecified number of external public IPs.


We would like to know if the PaloAlto PA device has any network blocking and detecting capabilities in case of similar abnormal symptoms traffic.


Although it seems that PaloAlto can sufficiently detect abnormal traffic if one client attempts to SSH connect (attack) to an unspecified number of others, we cannot find any logs or alarms related to the symptoms.



Community Team Member

Hi @JoHyeonJae ,


To enforce protection against brute force attacks make sure to attach the Vulnerability Protection profile to a Security policy rule.

See Set Up Antivirus, Anti-Spyware, and Vulnerability Protection

Install content updates that include new signatures to protect against emerging threats. See Install Content and Software Updates.


You can have all the security profiles in the world... if you don't apply them to your policy they won't protect you (also make sure that you log appropriately).




Kind regards,


LIVEcommunity team member, CISSP
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

L3 Networker

Thank you for your response. The customer is already using the Vulnerability Protection Profile. In this case, could you please advise what actions need to be taken for blocking?

L3 Networker


I have a few questions while setting up the Vulnerability Protection Rule.

What does the Duration value mean in the Vulnerability Protection Rule, and what criteria are used to detect and block/detect abnormal traffic?

If the Duration is set to 3600, does the PA device analyze all traffic generated by the Vulnerability Protection Profile during the one-hour period and block the Source IP suspected of brute-force attacks?

Can you explain what criteria the PA device uses to identify traffic suspected of brute-force attacks?

  • 3 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!