I'm curious if anyone has crafted either a vulnerability profile or security policy that would disconnect or auto-block a user if a vulnerability exploit is attempted while they are connected via Globalprotect. We've set up event logging that can flag and email my team whenever a user starts displaying malicious or compromised behavior when connected via Globalprotect, but we'd like to take it a step further and auto-block and/or disconnect a suspicious user.
How about dynamic IP tagging based on info from threat logs? https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/use-auto-tagging-to-automate-securi...
In a nutshell, you have a log forwarding profile that hits on whatever threats you want (medium and higher, etc.), and it can do several things: forward to syslog/panorama/datalake, send the admin an email alert, send an SNMP trap, tag the IP. You then make an address group based on this tag and create a security rule that blocks this traffic, sends to an alert page, etc. The duration of the block is determined in the log fwd profile.
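The workflow above written out as PAN-OS configure-mode commands, added here as an example rather than taken from the post or from Palo Alto's documentation. The object names (Auto-Tag-Threats, gp-quarantine, GP-Quarantined, Allow-GP-Users, Block-GP-Quarantined) are assumed placeholders, and the exact tokens should be checked against the syntax of the PAN-OS version in use.

```text
# Assumed names: log forwarding profile Auto-Tag-Threats, tag gp-quarantine,
# dynamic address group GP-Quarantined, existing allow rule Allow-GP-Users.

# 1. Log forwarding profile: match threat logs of medium severity and above.
set shared log-settings profiles Auto-Tag-Threats match-list threat-med-high log-type threat filter "(severity geq medium)"

# 2. Built-in action on that match list: tag the source IP of the threat log
#    (the GlobalProtect client's tunnel-assigned IP) on the local firewall.
#    timeout is in minutes and is what sets the duration of the block;
#    0 would keep the tag until it is removed by hand.
set shared log-settings profiles Auto-Tag-Threats match-list threat-med-high actions quarantine-src type tagging action add-tag target source-address registration localhost tags [ gp-quarantine ] timeout 60

# 3. Dynamic address group that follows the tag. Membership changes as IPs
#    are tagged and untagged, with no commit required.
set address-group GP-Quarantined dynamic filter "'gp-quarantine'"

# 4. Block rule for tagged clients, placed above the rule that normally
#    allows GlobalProtect user traffic so it is evaluated first.
set rulebase security rules Block-GP-Quarantined from any to any source GP-Quarantined destination any source-user any application any service any action deny
move rulebase security rules Block-GP-Quarantined before Allow-GP-Users

# 5. The profile only sees threat logs from rules it is attached to, so attach
#    it to the allow rule the GlobalProtect users actually match.
set rulebase security rules Allow-GP-Users log-setting Auto-Tag-Threats

commit

# Operational checks after a hit: which IPs currently carry the tag, and
# what the dynamic group resolves to right now.
show object registered-ip tag gp-quarantine
show object dynamic-address-group name GP-Quarantined
```

Before relying on this in production, trigger a known-benign test signature from a lab client and confirm the tunnel IP appears in the two show commands and that the block rule is the one logged for the client's next sessions.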