How to block traffic from a specific ASN using DAG


L0 Member

I could use some assistance since AI sucks and gives you the wrong info.

 

Here's what I would like to do: we already geoblock, but I need to block malicious traffic (multiple IP ranges) that's associated with a specific ASN. I've tried creating a dynamic address group with the following match criteria: 'ip.src.asnum AS14956'. I initially tried it without the AS in front of the number, but when I check, there are no IP ranges in the group. When I googled it initially, AI said to use ip.geoip.asnum, but when it errored out and I googled some more, I found that it was replaced with ip.src.asnum, which is what I'm using as the match criteria.

 

Since documentation is not very good for what match criteria can be used, can someone please help me with this because I would also like to block all the scans from "shadowservers" and they have a ton of IPs as well.

Cyber Elite

@Layne-Corbett,

You could use something like this https://iserv.nl/files/edl/feed.php if you didn't want to build out your own way of doing this via a script and an EDL that the firewall pulls. Personally, I would highly recommend building it out yourself so that you aren't dependent on some random resource online and you can customize it to your own liking.

You could utilize something like https://api.bgpview.io/asn/14956/prefixes for collecting the addresses and then feed them in as an EDL after (ideally) doing some validation to make sure that you aren't going to break things. 

 

It looks like AI pulled together some dynamic tags that would come into play if you had VM information sources configured and actively monitored. I've never once seen any reference to ip.src.asnum or ip.geoip.asnum in PAN-OS and the only thing I can find is AI generation when looking for them. This appears to be a complete hallucination and it has you going down a very incorrect path. 
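The validation step the reply recommends, sketched as an added example that is not part of the original post or any Palo Alto tooling: it turns an ASN prefix list into EDL lines and refuses entries that would break things. The JSON layout, the protected ranges and the thresholds are assumptions, the sample prefixes are constructed, and fetching the feed and hosting the output file are left out so the script runs offline.

```python
import ipaddress
import json

# Constructed sample; the {"data": {"ipv4_prefixes": [{"prefix": ...}]}} layout is assumed.
SAMPLE = json.dumps({"data": {
    "ipv4_prefixes": [{"prefix": p} for p in (
        "198.51.100.0/25", "198.51.100.128/25", "192.0.2.0/24",
        "203.0.113.128/26", "0.0.0.0/0", "10.1.0.0/16", "198.51.100.7/24")],
    "ipv6_prefixes": [{"prefix": "2001:db8:1::/48"}],
}})

# Hypothetical policy values: ranges that must never be blocked (RFC 1918 plus
# a stand-in for your own public space), broadest prefix allowed, and a size cap.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.0.113.128/25")]
MIN_PREFIXLEN = {4: 12, 6: 24}
MAX_ENTRIES = 5000

def build_edl(raw_json):
    """Return (edl_lines, rejected) from a prefix-list JSON document."""
    data = json.loads(raw_json)["data"]
    accepted, rejected = [], []
    for entry in data.get("ipv4_prefixes", []) + data.get("ipv6_prefixes", []):
        text = str(entry.get("prefix", ""))
        try:
            net = ipaddress.ip_network(text, strict=True)  # host bits set -> error
        except ValueError:
            rejected.append((text, "invalid network"))
            continue
        if net.prefixlen < MIN_PREFIXLEN[net.version]:
            rejected.append((text, "too broad"))
        elif any(p.version == net.version and net.overlaps(p) for p in NEVER_BLOCK):
            rejected.append((text, "overlaps protected range"))
        else:
            accepted.append(net)
    merged = []
    for version in (4, 6):  # collapse_addresses cannot mix address families
        merged += ipaddress.collapse_addresses(
            n for n in accepted if n.version == version)
    if not merged or len(merged) > MAX_ENTRIES:
        # Refuse to publish an empty or oversized list; keep serving the last good one.
        raise ValueError(f"refusing to publish {len(merged)} entries")
    return [str(n) for n in merged], rejected

if __name__ == "__main__":
    lines, rejected = build_edl(SAMPLE)
    print("\n".join(lines))  # one prefix per line, the plain-text form an EDL serves
    for text, reason in rejected:
        print(f"# skipped {text}: {reason}")
```

Logging the rejected list on every run makes it obvious when the upstream source starts returning something unexpected.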

 
