This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

SIEM posting Botnets , but Firewall do not

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

SIEM posting Botnets , but Firewall do not

F.Pinar
L3 Networker

‎06-29-2026 02:29 PM

We are currently experiencing a situation in which we are receiving requests to our public segment pool. According to a syslog that Palo Alto sends to our SIEM, many of these IP addresses are part of a botnet. However, when we checked Palo Alto, we did not see this information in the traffic log.

 

  • The SIEM/Sentinel is enriching logs received from Palo Alto using Microsoft threat intelligence, allowing it to classify IPs as malicious or part of a botnet even if Palo Alto does not directly identify them as threats.
  • On the firewall, several observed events matched default rules such as Intrazone Default / Interzone Default or policies where not all required security profiles were applied.
  • When a policy does not include profiles such as Anti-Spyware, Vulnerability Protection, and URL Filtering, the firewall may only log normal traffic without generating Threat-type events.
  • Traffic with incomplete or expired sessions was identified, which may indicate that sessions were not fully established, preventing signature-based detection from being triggered.
  • It was confirmed that the Threat Prevention license is active, therefore the analysis should focus on policy configuration, profiles, and lists.
  • It was observed that logging at session start is not recommended as a general practice, as it can generate unnecessary log volume and additional resource consumption. Logging at session end is recommended instead.

 

However, the cliente cannot apply 24 ip address because they do not have an internal server to feed the firewall. My recommendation was to get GITHUB and its raw. Then, we applied as a source , but they firewall did not show up the IPS in question.

 

By any chance that you have any recommendations about it.

 

Any kind of help would be highly cherished.

 

Best Regards,

0 Likes Likes
1 REPLY 1

PavelK
Cyber Elite

‎06-29-2026 04:27 PM - edited ‎06-29-2026 04:44 PM

Hello @F.Pinar

 

thank you for post!

 

It is common to see IP addresses associated with known scanners, attackers, malicious actors in the logs hitting resources that are publicly available. When it comes to security detection you should be looking into Threat logs instead of Traffic logs. In the Threat logs refer to columns: Type, Threat ID/Name, Threat Category. As a basic layer of protection I would recommend to configure a policy with Palo Alto's  built-in EDL lists: Built-in External Dynamic Lists  as a source and destination your public subnet and action deny. With this policy in place you can block know IP addresses based on Palo Alto's threat intelligence before it even gets to signature based inspection.

Additionally, Firewall can only block traffic that can inspect, therefore if you have publicly available services serving HTTPS you should consider to implement Inbound SSL Decryption. Here is a reference: How to Configure SSL Decryption. With Inbound SSL Decryption in place Firewall has a certificate that server has and is able to block traffic based on threat type before it reaches server.

Regarding points you highlighted below are my comments:

 

  • Based on your description I can't rule out any potential misconfiguration in your Firewall. In nutshell known attacker IP addresses might be already included either in this EDL: " Palo Alto Networks Known Malicious IP Addresses" or in this EDL: "Palo Alto Networks High-Risk IP Addresses". Beyond this you will have to make sure that all policies have logging enabled and security profile attached. If Firewall has visibility into traffic with decryption enabled, it can detect threat based in Anti-spyware, Antivirus or Vulnerability protection. None of this gives you however guarantee that Firewall will treat this detection as a part of botnet. Firewall has built-in botnet detection: Monitor > Botnet which detects botnet traffic from inside your organization, not other way around. Also, this feature is available directly in Firewall. You will not find this option in Panorama.
  • This looks expected. Unless there is a specific policy to match traffic, the traffic is going to hit default intrazone-default and interzone-default policies. These rules are effectively catch all polices.
  • That is correct. To make use if all security features make sure to attach security profiles to all policies.
  • Here is the KB with further explanation: Not-Applicable, Incomplete, Insufficient Data in the Application Field. What incomplete means TCP 3 way handshake was either not completed or after 3 way handshake was completed there were no data sent. This is common pattern in scanning / reconnaissance where scanner is probing open ports.
  • That is correct. With Advanced Threat Prevention license you have most of the features to build solid security policy. Advanced URL Filtering, Advanced WildFire and Advanced DNS Security are complementary subscription that can take your security to next level.
  • That is correct. You should avoid to use logging at session start unless you perform troubleshooting. In this case enable it temporarily

 

Regarding your last comment with GitHub, could you provide more information? Palo Alto has hosted EDL with all GitHub IPs: EDL Hosting Service GitHub

 

Thank you and Regards

Pavel

Help the community: Like helpful comments and mark solutions.
  • 176 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks