- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
03-09-2022 08:18 AM
Hi All,
When Palo alto firewall detects a vulnerability ( in the ACC tab, threats widget ), what does it mean exactly?
( The source IP is private IP and destination is a public IP )
1.Does it mean that the server is infected and is sending out traffic to some malicious IP.
2.Does it mean that the server is not infected but it contains software which could be exploited via the vulnerability detected.
3.Or it means something else totally?
03-10-2022 07:39 AM
It means 4.The PaloAlto has detected traffic which it has categorized as a threat. This may be an actual threat, or it may be a false alert, you need to look deeper at the logging to determine what exactly it is alerting on and whether it was blocked/connection reset or was just an alert (depending on the type and severity of the alert, different actions can occur). Since you say this is from an internal IP to an external IP, this could be malware calling home, "bad" or suspect DNS requests, attempts to compromise external addresses, or something that was just misidentified as such.
Start by going to the logs at Monitor -> Threat and look at the details of the individual threat detections. It may indicate a particular malware/virus/etc. with links to a ThreatID number with more information. Or it may be something benign that is just being alerted to. For example: A alert log that a workstation is doing DNS lookups of a domain associated with malware. Or one we frequently get, "HTTP Unauthorized Brute Force Attack" logs where in the morning a client window has been left open to a website and the user auth has expired, the user attempts to refresh the page which results in a string of 401 Unauthorized server responses which the PaloAlto misidentifies as an attempt to brute force user login.
03-10-2022 01:11 AM
Can anyone help on this ?
03-10-2022 07:39 AM
It means 4.The PaloAlto has detected traffic which it has categorized as a threat. This may be an actual threat, or it may be a false alert, you need to look deeper at the logging to determine what exactly it is alerting on and whether it was blocked/connection reset or was just an alert (depending on the type and severity of the alert, different actions can occur). Since you say this is from an internal IP to an external IP, this could be malware calling home, "bad" or suspect DNS requests, attempts to compromise external addresses, or something that was just misidentified as such.
Start by going to the logs at Monitor -> Threat and look at the details of the individual threat detections. It may indicate a particular malware/virus/etc. with links to a ThreatID number with more information. Or it may be something benign that is just being alerted to. For example: A alert log that a workstation is doing DNS lookups of a domain associated with malware. Or one we frequently get, "HTTP Unauthorized Brute Force Attack" logs where in the morning a client window has been left open to a website and the user auth has expired, the user attempts to refresh the page which results in a string of 401 Unauthorized server responses which the PaloAlto misidentifies as an attempt to brute force user login.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!