IP blocking on IP scan

L3 Networker

IP blocking on IP scan

I wonder if there is dynamic IP blocking when, in a short period of time, an IP did an IP scan or tried the same vulnerability attack on our IP range, because the attack was once on each policy rule, so it doesn't reach the vulnerability protection limit for blocking the IP.

So if the monitor logs show the same IP on different policy rules in a short period, it will block the IP for 30/60 min.

Maybe I'm missing something, or it is something they can think about for new versions.

Thank you

SShnap


All Replies
L5 Sessionator

Re: IP blocking on IP scan

Some Threat IDs such as Brute Force related signatures do block based on time attributes. Multiple examples are listed in the following article.

https://live.paloaltonetworks.com/t5/Threat-Vulnerability-Articles/Brute-Force-Signature-and-Related...

 

Also, the Reconnaisance Protection section of a Zone Protection profile can enforce blocking based on scan activity as can DoS Protection as well.  More info can be found here.

 

https://live.paloaltonetworks.com/t5/Tech-Note-Articles/Understanding-DoS-Protection/ta-p/54562?atta...

L6 Presenter

Re: IP blocking on IP scan

Depending on how the scan was performed, it could have also triggered Host Sweep, TCP Port Scan or UDP Port Scan Reconnaissance protections in Zone Protection. Check the Threat Logs for any entries related to type (if I remember correctly) 'scan'.

If the activity triggered a Network Flood protection you would find Threat Log entries with log type 'flood'.

L3 Networker

Re: IP blocking on IP scan

Thank you for the reply.

I'm familiar with "Brute Force Signature", but it only blocks the IP when they hit the same policy rule or the same destination, according to how you configure it (10 times in 60 sec).

It's not working when the attacker is doing the same attack on an IP range, so he hits once or twice on each IP and the rule doesn't detect that traffic to alert or block.
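The correlation the question asks for (one source touching many different rules or destinations with the same threat ID inside a short window, which per-rule brute-force counters miss) can be checked offline over exported threat logs. This is an added example, not a PAN-OS feature or Palo Alto code; the log lines, field layout, window, threshold and block duration are all constructed or assumed.

```python
"""Correlate threat-log hits per source IP across rules and destinations.

Added example: a firewall brute-force signature counts hits per rule or
destination; this counts distinct (rule, destination) targets one source
hit with the same threat ID inside a sliding window. Sample data is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CSV-style lines: time, source, destination, policy rule, threat ID
SAMPLE_LOGS = """\
2019/03/01 10:00:01,203.0.113.7,198.51.100.10,dmz-web,30845
2019/03/01 10:00:03,203.0.113.7,198.51.100.11,dmz-mail,30845
2019/03/01 10:00:05,203.0.113.7,198.51.100.12,dmz-dns,30845
2019/03/01 10:00:06,203.0.113.7,198.51.100.13,dmz-vpn,30845
2019/03/01 10:00:09,192.0.2.44,198.51.100.10,dmz-web,30845
2019/03/01 10:30:00,192.0.2.44,198.51.100.11,dmz-mail,30845
"""

WINDOW = timedelta(seconds=60)     # assumed "short period" from the question
BLOCK_FOR = timedelta(minutes=30)  # 30 min, one of the durations mentioned
MIN_TARGETS = 3                    # assumed distinct targets before blocking


def parse_logs(text):
    """Parse the constructed lines into sorted (time, src, dst, rule, tid) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, rule, tid = line.split(",")
        events.append((datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"), src, dst, rule, tid))
    return sorted(events)


def find_sweepers(events, window=WINDOW, min_targets=MIN_TARGETS, block_for=BLOCK_FOR):
    """Return {src: block_until} for sources that hit at least `min_targets`
    distinct (rule, destination) pairs with the same threat ID within `window`."""
    per_src = defaultdict(list)
    for ev in events:
        per_src[(ev[1], ev[4])].append(ev)   # group by (source, threat ID)
    blocks = {}
    for (src, _tid), evs in per_src.items():
        start = 0
        for end, ev in enumerate(evs):
            while ev[0] - evs[start][0] > window:  # drop events older than the window
                start += 1
            targets = {(e[3], e[2]) for e in evs[start:end + 1]}
            if len(targets) >= min_targets and src not in blocks:
                blocks[src] = ev[0] + block_for   # block from the hit that crossed the line
    return blocks
```

Here 203.0.113.7 is flagged at its third distinct target while 192.0.2.44, whose two hits are 30 minutes apart, is not, which is the gap between per-rule counting and per-source correlation described in the thread.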

L5 Sessionator (Accepted Solution)

Re: IP blocking on IP scan

Understood, in which case Zone Protection and/or DoS Protection would be the appropriate features to leverage.

L3 Networker

Re: IP blocking on IP scan

OK I will try to enable the zone protection on the DMZ and track the logs.

I enabled flood protection for SYN, ICMP, UDP and Other IP, and increased the activate threshold so I can get alerting without activating the drop action.

Under Reconnaissance Protection I enabled all three and set the action to alert.

I also enabled the packet-based attack protection, following the best practices in:

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/threat-prevention/best-practices-for...

Hope to see results after tuning.

Thank you all
