When the Palo Alto blocks a communication that is flags as a threat (ie: SQL Injection, XSS, etc.), should we investigate the target IP to make sure that the threat was blocked? The reason I'm asking is that whenever the Palo Alto blocks an attack from an IP address (Session End Reason is "threat"), if we go in the "Traffic" view, we can see that not all the communications with that offending IP were terminated with a "threat" reason. Some of them are terminated by "tcp-rst-from-client" or "tcp-rst-both". In that case, I'm wondering if part of the attack (or payload) could have gone through to the destination IP before the Palo Alto stopped it. Are these connections expected and there should be nothing to worry about, or should we still investigate?
I would investigate, but it doesnt mean that thigns were compromised. It could have just been a scan and some of the traffic was allowed and some got blocked. While not always a good indicator, you have to look at all the traffic holistically, I look at the amount of data transferred, was it a large amount or small.
Hope that helps.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!