This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

vulnerability block action

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

vulnerability block action

Go to solution
PanIst
L3 Networker

‎09-18-2014 06:29 AM

Hi,

when creating a profile choosing block action is seen as "reset-both" on the logs.

is that normal behaviour or not ? Thanks.

just_one_rule.png

logsrelated.png

Labels:
0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
pulukas
L7 Applicator

‎09-18-2014 08:08 AM

PA should probably update the help file for these vulnerability options.  The wording is ambiguous and I assume that block was a drop and not a reset action.

Action

Choose the action (Alert, Allow, Default, or Block) to take when the rule is triggered. The Default action is based on the pre-defined action that is part of each signature provided by Palo Alto Networks. To view the default action for a signature, navigate to Objects > Security Profiles > Vulnerability Protection and click Add or select an existing profile. Click the Exceptions tab and then click Show all signatures. A list of all signatures will displayed and you will see an Action column.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

View solution in original post

0 Likes Likes
10 REPLIES 10

Go to solution
HULK
L7 Applicator

‎09-18-2014 07:55 AM

Hello Panlst,

This is an expected behavior. In this case, the PAN firewall blocked that Vulnerability and send TCP RST packet to both parties ( Server and client) to close the connection.

Thanks

Go to solution
pulukas
L7 Applicator

‎09-18-2014 08:08 AM

PA should probably update the help file for these vulnerability options.  The wording is ambiguous and I assume that block was a drop and not a reset action.

Action

Choose the action (Alert, Allow, Default, or Block) to take when the rule is triggered. The Default action is based on the pre-defined action that is part of each signature provided by Palo Alto Networks. To view the default action for a signature, navigate to Objects > Security Profiles > Vulnerability Protection and click Add or select an existing profile. Click the Exceptions tab and then click Show all signatures. A list of all signatures will displayed and you will see an Action column.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
0 Likes Likes

Go to solution
HULK
L7 Applicator

‎09-18-2014 08:08 AM

Hello Panlst,


As per the screenshots attached in this discussion thread, the firewall identifies the vulnerability with threat ID: 35107


Vulnerability-reset-action-1.jpg

If you check the default action of this Vulnerability signature, is to reset the connection.


Hope this helps.


Thanks

0 Likes Likes

Go to solution
pulukas
L7 Applicator
In response to HULK

‎09-18-2014 08:21 AM

But PanLst is choosing "Block" not "Default" for the action.

The help file does not specify which action occurs with "Block" drop or reset.  Are you saying above that the action is reset both? 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Go to solution
PanIst
L3 Networker
In response to HULK

‎09-19-2014 12:25 AM

but we choose block not default.There is something wrong here.Block = reset both

0 Likes Likes

Go to solution
HULK
L7 Applicator
In response to PanIst

‎09-19-2014 08:08 AM

Hello Panlst,

My apologies, i understand it wrongly. You are correct, As per the DOC: Vulnerability Profile Actions  if traffic is hitting this vulnerability-protection rule, it should simply drop all packets for that session.

Could you please provide a snapshot of the traffic logs and security rule, just to confirm  the vulnerability rule "ALL" applied to the correct policy.

Thanks

0 Likes Likes

Go to solution
panos
L6 Presenter
In response to HULK

‎09-26-2014 01:58 PM

Hi HULK;

I replicated that.

Here are the screens.I think there is something wrong with definitions or explanations.

4.png

3.png2.png1.png

0 Likes Likes

Go to solution
kfindlen
L4 Transporter
In response to panos

‎09-26-2014 02:21 PM

The default action is defined by Palo Alto Networks on a per-threat basis as either alert or block.

Every vulnerability has a "block" behavior.  Some block behaviors send a reset to the server or client, or in this case, both.  For this example the default action is block, and the block behavior is reset-both.  Even though the action being taken is block, the threat log will show the block behavior that was used to terminate the session under the action column.

Quick edit:

If you want to change the "block" behavior for a threat, you must configure an exception.

0 Likes Likes

Go to solution
panos
L6 Presenter
In response to kfindlen

‎09-26-2014 02:25 PM

Thanks for answer.

So block behaviour should be added somewhere on the guides as definiton also I think.

0 Likes Likes

Go to solution
Aryanto
L1 Bithead
In response to pulukas

‎12-31-2022 01:20 AM

It's hard form me make Definition to any of this Threat ID, Like XMRig Miner Command and Control Traffic Detection(85886) or MVPower DVR Shell Unauthenticated Command Execution Vulnerability(57566).
 Do you have any guide or E-Book for make any definition of Threat ID.

0 Likes Likes
  • 1 accepted solution
  • 6975 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks