01-29-2024 02:56 PM
Our Malicious IP Traffic Alert typically registers a few dozen hits a day. However over the last weekend this has suddenly increased to a couple of thousand a day. I cannot see anything different apart from the quantity. The IP addresses are the same or from the same subnet. Should I just leave it or what actions would you suggest.
01-30-2024 02:31 AM
Are you seeing these hits in a security policy. Probably using the PAN "malicious IPs" dynamic address group? Have you tried configuring a "Zone Protection Profile". The default action is alert but you can configure it to drop or even drop for X minutes. If you are being scanned there is not much you can do other than drop the packets. If this was my network I would look at threat logs and try to determine what resource they are attacking. You probably have something exposed that has a vulnerability.
01-30-2024 06:20 AM
Yes they are set up to be dropped and that is working. It has always worked, its just that there has been a sudden and dramatic increase in these types of alerts so I am wondering if there is something else I should be alert to , as you mentioned, something exposed that has piqued some external interest.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
