Zone Protection Profile - testing


I've set up a Zone Protection network profile and applied it to our DMZ zone.  I changed the default for port scan on the Reconnaissance Protection tab to 30 events in 3 seconds.  TCP port scan is enabled, and the action is set to block-IP.


I run a test by scanning a host in the DMZ, 10,000 ports in 166 sec.  That's a rate of ~60 ports/sec, and it should have triggered the ZP profile, but it didn't.


Do security policies take precedence over ZP, or vice versa?
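An added example, not from this thread and not Palo Alto Networks code, that models the threshold arithmetic in the question: an event counter that fires when `threshold` events fall inside a sliding window of `interval_s` seconds, fed with constructed, evenly spaced scan timestamps. The 30 events in 3 seconds setting and the 10,000 ports in 166 seconds scan are the thread's own numbers; the sliding-window semantics, the function names and the slower comparison scan are assumptions made here for illustration.

```python
from collections import deque

# The thread's Reconnaissance Protection setting: 30 events within 3 seconds.
THRESHOLD = 30
INTERVAL_S = 3.0


def scan_timestamps(ports, duration_s):
    """Constructed event times for a scan that probes `ports` ports evenly
    over `duration_s` seconds (one event per port)."""
    return [i * duration_s / ports for i in range(ports)]


def first_trigger(timestamps, threshold=THRESHOLD, interval_s=INTERVAL_S):
    """Return the timestamp at which `threshold` events first fall within a
    sliding window of `interval_s` seconds, or None if the scan never gets there.
    Assumption: a sliding window ending at each event, not a fixed clock bucket."""
    window = deque()
    for t in sorted(timestamps):
        window.append(t)
        # Drop events that fell out of the window (t itself always stays).
        while t - window[0] > interval_s:
            window.popleft()
        if len(window) >= threshold:
            return t
    return None


def peak_window_count(timestamps, interval_s=INTERVAL_S):
    """Largest number of events seen in any sliding window of `interval_s` seconds;
    compare this with the configured threshold to see how much headroom a scan has."""
    window = deque()
    peak = 0
    for t in sorted(timestamps):
        window.append(t)
        while t - window[0] > interval_s:
            window.popleft()
        peak = max(peak, len(window))
    return peak


if __name__ == "__main__":
    fast = scan_timestamps(10_000, 166)  # ~60 ports/sec, the rate in the question
    slow = scan_timestamps(1_000, 190)   # ~5 ports/sec, constructed for comparison
    print("fast scan: first trigger at t =", first_trigger(fast),
          "s, peak events per 3 s =", peak_window_count(fast))
    print("slow scan: first trigger at t =", first_trigger(slow),
          ", peak events per 3 s =", peak_window_count(slow))
```

At ~60 ports/sec the 30-in-3-seconds threshold is crossed well under a second into the scan, with a peak of roughly 180 events per window, so a scan at that rate that produces no log entry points at something other than the threshold value (the firewall never seeing the sessions, or a limit elsewhere in the test setup).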


Hi BPry,


Hmm session limit, that should have been a clue...  🙂  Yes I was testing the policy on the DMZ.  I'll raise the session count and test again.  Thanks again for helping me out, it's very much appreciated.

BPry,


This is amazing.  Already 4 flood events logged in 15 minutes or so...  I'm putting these guys in my EDL by hand, for now.  It'll be tricky to be patient enough to build a good baseline.

[screenshot: floods.png]

If you're adding all of them to an EDL you have a good reason to upgrade to PAN-OS 8. With the new features in the log forwarding profile settings you could easily automate what you're now doing manually with the EDL.

But this is a point where you have to be careful, because floods from spoofed IP addresses could let you block legitimate addresses.

Hi vsys_remo,


Good to know.  Unfortunately upgrading to 8.x is not in the cards for now.

@LucaMarchiori,

I would look into incorporating MineMeld into the mix then. Doing it manually will get kind of boring, so the more you can automate the process the better. For flood IPs, I generally specify that they need to be introduced x number of times before they'll be blocked.

Hi BPry,


I hear you.  Actually I've already setup a syslog miner node on MineMeld.  The node is getting the logs just fine, but I'm having some trouble figuring out the correct syntax for the rules.


I have a separate thread going on here:


https://live.paloaltonetworks.com/t5/MineMeld-Discussions/syslog-miner-please-check-rule-syntax/m-p/...


Would you be willing to share what rules you are using on MineMeld, since you obviously have already figured this out. 🙂
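An added example of the automation discussed in the replies above (seen-x-times gating of flood sources before they land in a block list, plus the spoofed-source caveat). It is not MineMeld configuration and not code from the thread or from Palo Alto Networks. It reads constructed key=value style threat log lines (a simplified stand-in, not the real PAN-OS threat log format), counts flood and scan events per source, keeps only sources seen at least `min_hits` times, skips anything inside an allowlist of ranges you own, and renders the survivors as an EDL-style list with one entry per line. The field names, sample lines, allowlist and thresholds are all assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in a simplified key=value layout (NOT the real
# PAN-OS threat log format). Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOGS = """\
2018-03-01T10:00:01 type=THREAT subtype=flood src=203.0.113.5 dst=192.0.2.10 threat="SYN Flood" action=drop
2018-03-01T10:00:04 type=THREAT subtype=flood src=203.0.113.5 dst=192.0.2.10 threat="SYN Flood" action=drop
2018-03-01T10:00:09 type=THREAT subtype=flood src=203.0.113.5 dst=192.0.2.11 threat="SYN Flood" action=drop
2018-03-01T10:01:00 type=THREAT subtype=scan src=198.51.100.7 dst=192.0.2.10 threat="TCP Port Scan" action=block-ip
2018-03-01T10:01:30 type=THREAT subtype=flood src=192.0.2.50 dst=192.0.2.10 threat="UDP Flood" action=drop
2018-03-01T10:01:31 type=THREAT subtype=flood src=192.0.2.50 dst=192.0.2.10 threat="UDP Flood" action=drop
2018-03-01T10:01:32 type=THREAT subtype=flood src=192.0.2.50 dst=192.0.2.10 threat="UDP Flood" action=drop
2018-03-01T10:02:00 type=TRAFFIC src=203.0.113.9 dst=192.0.2.10 action=allow
"""

# Only THREAT lines with a subtype and a source are of interest; TRAFFIC lines are skipped.
LINE_RE = re.compile(r"type=THREAT subtype=(?P<subtype>\w+) src=(?P<src>\S+)")

# Constructed allowlist: ranges that must never be blocked, however many floods
# appear to come from them (a spoofed source address can be any address at all).
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]


def parse_events(text):
    """Yield (subtype, source) pairs for every THREAT line in the log text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group("subtype"), m.group("src")))
    return events


def count_offenders(text, subtypes=("flood", "scan"), allowlist=ALLOWLIST):
    """Count qualifying events per source address, dropping unparsable
    addresses and anything inside the allowlist."""
    hits = Counter()
    for subtype, src in parse_events(text):
        if subtype not in subtypes:
            continue
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # malformed or hostname-looking source: never block on it
        if any(ip in net for net in allowlist):
            continue
        hits[ip] += 1
    return hits


def build_edl(text, min_hits=3, **kwargs):
    """Return the sorted list of addresses seen at least `min_hits` times;
    `min_hits` is the 'introduced x number of times' gate from the reply above."""
    hits = count_offenders(text, **kwargs)
    return sorted(str(ip) for ip, n in hits.items() if n >= min_hits)


def render_edl(entries):
    """EDL text: one address per line, trailing newline."""
    return "".join(entry + "\n" for entry in entries)


if __name__ == "__main__":
    print(render_edl(build_edl(SAMPLE_LOGS, min_hits=3)), end="")
```

With `min_hits=3` only 203.0.113.5 makes the list: 198.51.100.7 was seen once, and 192.0.2.50 is inside the allowlisted DMZ range, which is the only defence this script has against a spoofed source that happens to carry one of your own addresses. The allowlist cannot tell a spoofed packet from a real one; it just keeps an automatic block from landing on ranges you know you need.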
