Log Forwarding / Dynamic Address List

L3 Networker

Hi,

We are trying to use the cool new "built-in actions" / tagging feature available through Log Forwarding to tag source IP addresses that generate high/critical threat events to build a dynamic address list that will ultimately be used in a policy to block offending traffic.

We have a PA 3050, which allows up to 5000 dynamic address list entries, and based on a review of the logs we have had about 400 source addresses that would match the above criteria inside the last 2 months, meaning we would reach the max number relatively quickly.

We are mostly interested in blocking IP addresses that have tried multiple times in a relatively short space of time, more indicative of a targeted attack rather than a passing scan, e.g. 20 times in the last 15 minutes.

I thought I could use the "Repeat Count" field, however this works off the last 5 seconds and so does not catch most of the traffic I see in the logs and am wanting to catch.

Then I thought I could do a 3-strikes type approach where it gets tagged yellow the 1st time, tagged orange if it is seen again and already has a tag of yellow, and tagged red if it is seen again and already has tags of yellow and orange, but there appears to be no option to build a filter off existing tags.

Has anyone tried to do something similar to what we are looking at? 

Really keen to hear others' ideas or how they are using the Built-in Actions available under Log Forwarding.

Also - for dynamic address lists with a high number of entries, is there any performance hit? The concern is whether legitimate traffic waiting to hit an allow policy further down the list gets held up while it is checked against one of the 5000 entries in the dynamic address list.

Thanks!

Shannon
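An added example (my own code, not from the post above and not from Palo Alto Networks) of the two pieces of logic the post asks for, run outside the firewall: a per-source count of high/critical threat events over a sliding 15-minute window (the "20 times in the last 15 minutes" threshold that the 5-second Repeat Count cannot express) and a yellow, orange, red escalation that remembers the previous tag. The log line format, the `SourceTracker` class and the `process` helper are assumptions, and the log lines are constructed; pushing the resulting tags to the firewall is left to whatever mechanism is already in use and is not shown.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunables from the post: "20 times in the last 15 minutes".
WINDOW = timedelta(minutes=15)
THRESHOLD = 20
# Escalation ladder from the post's "3 strikes" idea.
LEVELS = ("yellow", "orange", "red")


class SourceTracker:
    """Per-source sliding-window counter with remembered tag state.

    The firewall's Repeat Count only looks back 5 seconds, and the post
    notes there is no filter on an existing tag, so the window and the
    previous tag are kept here, outside the firewall. (Hypothetical helper.)
    """

    def __init__(self, window=WINDOW, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.events = defaultdict(deque)  # src -> event timestamps inside the window
        self.strikes = defaultdict(int)   # src -> how many times the threshold was hit
        self.tags = {}                    # src -> current tag (yellow/orange/red)

    def observe(self, ts, src, severity):
        """Feed one threat event (in time order); return the new tag or None."""
        if severity not in ("high", "critical"):
            return None
        q = self.events[src]
        q.append(ts)
        # Drop events that have fallen out of the window.
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) < self.threshold:
            return None
        # Threshold crossed: record a strike and start a fresh window so that
        # each further escalation needs another full burst, not a stale one.
        q.clear()
        level = min(self.strikes[src], len(LEVELS) - 1)  # stays red after 3 strikes
        self.strikes[src] += 1
        self.tags[src] = LEVELS[level]
        return self.tags[src]


def parse_line(line):
    """Parse a constructed 'timestamp,src,severity' line (simplified, not PAN-OS format)."""
    ts, src, severity = line.strip().split(",")
    return datetime.fromisoformat(ts), src, severity


def process(lines, window=WINDOW, threshold=THRESHOLD):
    """Run all lines through a tracker in timestamp order; return the tracker."""
    tracker = SourceTracker(window, threshold)
    for ts, src, severity in sorted(parse_line(l) for l in lines):
        tracker.observe(ts, src, severity)
    return tracker


def make_log(src, start, count, spacing_seconds, severity="critical"):
    """Build constructed log lines for one source at a fixed spacing."""
    return [
        f"{(start + timedelta(seconds=i * spacing_seconds)).isoformat(sep=' ')},{src},{severity}"
        for i in range(count)
    ]


# Constructed sample log (documentation addresses, not real sources).
T0 = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_LOG = (
    make_log("203.0.113.7", T0, 20, 30)                     # 20 hits in 10 min -> one strike
    + make_log("203.0.113.7", T0, 30, 10, severity="low")   # low severity, ignored
    + make_log("198.51.100.9", T0, 20, 360)                 # 20 hits over 2 h -> never 20 in a window
    + make_log("192.0.2.44", T0, 60, 30)                    # 60 hits in 30 min -> three strikes
    + make_log("203.0.113.200", T0, 5, 1)                   # 5-second burst, below threshold
)

if __name__ == "__main__":
    result = process(SAMPLE_LOG)
    for src, tag in sorted(result.tags.items()):
        print(f"{src:16} tag={tag:6} strikes={result.strikes[src]}")
```

Sources that only hit once in a burst end up yellow, a source that keeps bursting climbs to red and stays there, and a slow scanner that never reaches 20 events inside any 15-minute window is never tagged at all, which is the behaviour the post wants and the 5-second Repeat Count cannot give.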