Steve Borba

My notes, I hope they help you, feel free to comment/add to them

Auto Block

A customer ask me if the PAN could automatically block an IP address if it triggers a threat log. At first I started to think that I could do it through an EDL and use Elastic Stack, but then I remembered the built-in actions on a log forwarding profile – that’s way easier.

I decided to take a look to see what filter I could use to choose the source IPs. I landed on this because I had some TCP fast opens from 1.1.1.1 on odd ports, and I don’t want to start blocking 1.1.1.1.

zone.src eq Outside and !(severity eq informational and app eq not-applicable)

Next we go add this to the logging profile and add a new match list and built-in action to add a tag to the source ip that times out after how ever long we want to put the IP in timeout.

Then we create the dynamic group for it

Then we add that group to the block rules we probably already have

I waited about an hour and I had my my first hit

if you don’t have that much patience, you can also test it out

debug object registered-ip test register tag AutoBlock ip 192.0.2.1
clear auto-tag ip 192.0.2.1 tag-dest AutoBlock registration localhost tags AutoBlock

One response to “Auto Block”

  1. T.S. says:

    Very cool Steve! I got to try this out!

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>