Threat blocked by Palo Alto: Is there anything else to do?

L1 Bithead

Threat blocked by Palo Alto: Is there anything else to do?

Hi,


When the Palo Alto blocks a communication that is flagged as a threat (i.e. SQL Injection, XSS, etc.), should we investigate the target IP to make sure that the threat was blocked? The reason I'm asking is that whenever the Palo Alto blocks an attack from an IP address (Session End Reason is "threat"), if we go into the "Traffic" view, we can see that not all the communications with that offending IP were terminated with a "threat" reason. Some of them are terminated by "tcp-rst-from-client" or "tcp-rst-both". In that case, I'm wondering if part of the attack (or payload) could have gone through to the destination IP before the Palo Alto stopped it. Are these connections expected, so that there is nothing to worry about, or should we still investigate?


Thank you.

L1 Bithead

Re: Threat blocked by Palo Alto: Is there anything else to do?

Bump.


Should I just create a ticket and ask that question to the support directly...?

Cyber Elite

Re: Threat blocked by Palo Alto: Is there anything else to do?

Hello,

I would investigate, but it doesn't mean that things were compromised. It could have just been a scan, and some of the traffic was allowed and some got blocked. While not always a good indicator, you have to look at all the traffic holistically: I look at the amount of data transferred, whether it was a large amount or small.


Hope that helps.
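One way to do the holistic review the reply describes, as an added example that is not from this thread or from Palo Alto Networks: group exported traffic-log sessions by offender and destination, separate the sessions ended with reason "threat" from those ended otherwise (tcp-rst-from-client, tcp-rst-both, tcp-fin), and flag pairs where a non-blocked session carried a large volume from the offender. The sample rows are constructed, the column layout is a simplified hypothetical one (not the real PAN-OS CSV field order), and the 10,000-byte threshold is an assumed triage value.

```python
import csv
import io

# Constructed sample in a simplified, hypothetical column layout (not the real
# PAN-OS CSV field order): src, dst, dport, bytes_sent, bytes_received, session_end_reason.
SAMPLE_LOG = """\
src,dst,dport,bytes_sent,bytes_received,session_end_reason
198.51.100.7,10.0.0.5,443,1420,0,threat
198.51.100.7,10.0.0.5,443,910,0,threat
198.51.100.7,10.0.0.5,443,320,180,tcp-rst-from-client
198.51.100.7,10.0.0.5,443,612,240,tcp-rst-both
198.51.100.7,10.0.0.5,443,48210,3200,tcp-fin
203.0.113.9,10.0.0.5,443,700,0,threat
203.0.113.9,10.0.0.5,443,210,120,tcp-rst-from-client
"""

def summarize_sessions(log_text, large_bytes=10_000):
    """Group sessions by (src, dst) and report how much of the offender's
    traffic was stopped with end reason "threat" versus ended some other way.

    large_bytes is an assumed triage threshold: a non-"threat" session in which
    the offender sent at least this much data marks the pair for review."""
    summary = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        key = (row["src"], row["dst"])
        s = summary.setdefault(key, {"threat": 0, "other": 0,
                                     "other_bytes_sent": 0, "review": False})
        sent = int(row["bytes_sent"])
        if row["session_end_reason"] == "threat":
            s["threat"] += 1
        else:
            s["other"] += 1
            s["other_bytes_sent"] += sent
            if sent >= large_bytes:
                s["review"] = True
    return summary

def pairs_needing_review(log_text, large_bytes=10_000):
    """Return the (src, dst) pairs that had threat blocks and at least one
    non-blocked session carrying a large volume from the offender."""
    return sorted(k for k, s in summarize_sessions(log_text, large_bytes).items()
                  if s["threat"] and s["review"])

if __name__ == "__main__":
    for (src, dst), s in summarize_sessions(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {s['threat']} blocked, {s['other']} other "
              f"({s['other_bytes_sent']} bytes sent), review={s['review']}")
```

A pair with only small resets alongside the blocks (as 203.0.113.9 here) looks like a scan that was partly allowed; a pair with a large completed transfer next to the blocks is the one worth checking on the destination host.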
