Focus

Advanced Threat Prevention

Customize the Action and Trigger Conditions for a Brute Force Signature

Table of Contents

Customize the Action and Trigger Conditions for a Brute Force Signature

Where Can I Use This?	What Do I Need?
NGFW	Advanced Threat Prevention or Threat Prevention License

The firewall includes two types of predefined brute force signatures—parent signatures and child signatures. A child signature is a single occurrence of a traffic pattern that matches the signature. A parent signature is associated with a child signature and is triggered when multiple events occur within a specified time interval and that matches the traffic pattern defined in the child signature.

Typically, the default action for a child signature is allow because a single event is not indicative of an attack. This ensures that legitimate traffic is not blocked and avoids generating threat logs for non-noteworthy events. Palo Alto Networks recommends that you do not change the default action without careful consideration.

In most cases, the brute force signature is a noteworthy event due to its recurrent pattern. If needed, you can do one of the following to customize the action for a brute-force signature:

Create a rule to modify the default action for all signatures in the brute force category. You can choose to allow, alert, block, reset, or drop the traffic.

Define an exception for a specific signature. For example, you can search for and define an exception for a CVE.

For a parent signature, you can modify both the trigger conditions and the action; for a child signature, you can modify only the action.

To effectively mitigate an attack, specify the block-ip address action instead of the drop or reset action for most brute force signatures.

Create a new Vulnerability Protection profile.

Select

Objects

Security Profiles

Vulnerability Protection

and

Add

a profile.

Enter a

Name

for the Vulnerability Protection profile.

(Optional) Enter a

Description

(Optional) Specify that the profile is

Shared

with:

Every virtual system (vsys) on a multi-vsys firewall
—If cleared (disabled), the profile is available only to the Virtual System selected in the

Objects

tab.

Every device group on Panorama
—If cleared (disabled), the profile is available only to the Device Group selected in the

Objects

tab.

(Optional—Panorama only) Select

Disable override

to prevent administrators from overriding the settings of this Vulnerability Protection profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.

Create a rule that defines the action for all signatures in a category.

On the

Rules

tab,

Add

and enter a

Rule Name

for a new rule.

(Optional) Specify a specific threat name (default is

any

Set the

Action

. In this example, it is set to

Block IP

If you set a Vulnerability Protection profile to Block IP, the firewall first uses hardware to block IP addresses. If attack traffic exceeds the blocking capacity of the hardware, the firewall then uses software blocking mechanisms to block the remaining IP addresses.

Set

Category

brute-force

(Optional) If blocking, specify the

Host Type

on which to block:

server

client

(default is

any

See Step 3 to customize the action for a specific signature.

See Step 4 to customize the trigger threshold for a parent signature.

Click

to save the rule and the profile.

(Optional) Customize the action for a specific signature.

On the

Exceptions

tab,

Show all signatures

to find the signature you want to modify.

To view all the signatures in the brute-force category, search for

category contains 'brute-force'

To edit a specific signature, click the predefined default action in the Action column.

Set the action:

Allow

Alert

Block Ip

, or

Drop

. If you select

Block Ip

, complete these additional tasks:

Specify the

Time

period (in seconds) after which to trigger the action.

Specify whether to

Track By

and block the IP address using the

IP source

or the

IP source and destination

Click

For each modified signature, select the check box in the

Enable

column.

Click

Customize the trigger conditions for a parent signature.

A parent signature that can be edited is marked with this icon:

In this example, the search criteria was brute force category and CVE-2008-1447.

Edit (

) the time attribute and the aggregation criteria for the signature.

To modify the trigger threshold, specify the

Number of Hits

per number of

seconds

Specify whether to aggregate the number of hits (

Aggregation Criteria

) by

source

destination

, or

source-and-destination

Click

Attach this new profile to a Security policy rule.

Select

Policies

Security

and

Add

or modify a Security policy rule.

On the

Actions

tab, select

Profiles

as the

Profile Type

for the Profile Setting.

Select your

Vulnerability Protection

profile.

Click

Commit your changes.

Click

Commit

Prevent Brute Force Attacks

Enable Evasion Signatures