Threat blocked by Palo Alto: Is there anything else to do?

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Threat blocked by Palo Alto: Is there anything else to do?

L1 Bithead



When the Palo Alto blocks a communication that is flags as a threat (ie: SQL Injection, XSS, etc.), should we investigate the target IP to make sure that the threat was blocked? The reason I'm asking is that whenever the Palo Alto blocks an attack from an IP address (Session End Reason is "threat"), if we go in the "Traffic" view, we can see that not all the communications with that offending IP were terminated with a "threat" reason. Some of them are terminated by "tcp-rst-from-client" or "tcp-rst-both". In that case, I'm wondering if part of the attack (or payload) could have gone through to the destination IP before the Palo Alto stopped it. Are these connections expected and there should be nothing to worry about, or should we still investigate?


Thank you.


L1 Bithead



Should I just create a ticket and ask that question to the support directly...?


I would investigate, but it doesnt mean that thigns were compromised. It could have just been a scan and some of the traffic was allowed and some got blocked. While not always a good indicator, you have to look at all the traffic holistically, I look at the amount of data transferred, was it a large amount or small.


Hope that helps.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!