IP blcoking on ip scan

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

IP blcoking on ip scan

L3 Networker

I wonder if there is dynamic blocking IP if on short period of time that IP did ip scan or try the same vulnerability attack on our IP range, becuse the attack was once on each policy rule it doesn't reach the vulnerability protection limit for blocking the IP.

 

So if the monitor logs show the same IP on diffrerent policy rules in short period it will do IP block for 30/60 min.

 

maybe I miss something or it is something they can think about on new versions.

 

Thank you

SShnap

1 accepted solution

Accepted Solutions

Understood, in which case Zone Protection and/or DoS Protection would be the appropriate features to leverage.

View solution in original post

5 REPLIES 5

L5 Sessionator

Some Threat IDs such as Brute Force related signatures do block based on time attributes.  Multiple examples are listed in the following article.

 

https://live.paloaltonetworks.com/t5/Threat-Vulnerability-Articles/Brute-Force-Signature-and-Related...

 

Also, the Reconnaisance Protection section of a Zone Protection profile can enforce blocking based on scan activity as can DoS Protection as well.  More info can be found here.

 

https://live.paloaltonetworks.com/t5/Tech-Note-Articles/Understanding-DoS-Protection/ta-p/54562?atta...

Depending on how the scan was performed, it could have also triggered Host Sweep, TCP Port Scan or UDP Port Scan Reconnaissance protections in Zone Protection. Check the Threat Logs for any entries related to type (if i remember correctly) 'scan'.

 

If the activity triggered a Network Flood protection you would find Threat Log entries with log type 'flood'.

thank you for the reply

I'm femilier with "Brute Force Signature" but it only block IP when they hit the same policy rule or same destination according to out you configure (10 times for 60 sec).

It's not working when attacker is doing the same attack on IP range so he hits one or twice on each IP and the rule isn't sense that traffic to alert or block.

 

Understood, in which case Zone Protection and/or DoS Protection would be the appropriate features to leverage.

OK I will try to enable the zone protection on the DMZ and track the logs.

I enable flood protection SYN, ICMP, UDP, Other IP, increase the activate threshold so I can get alerting without activating the drop action.

Under Reconnaissance protection I enable all three and set the action to alert.

I also enable the packet based attack protection as best practice followed:

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/threat-prevention/best-practices-for...

hope to see result after tuning.

Thank you all

 

 

  • 1 accepted solution
  • 9688 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!