Step 1: Create Rules Based on Trusted Threat Intelligence Sources

Before you allow and block traffic by application, block traffic from hosts that Palo Alto Networks and trusted third-party sources have proven to be malicious. With an active Threat Prevention license, Palo Alto Networks provides built-in external dynamic lists that contain these malicious IP addresses and that you can use in policy. The lists are compiled and dynamically updated based on the latest threat intelligence.
  1. Block traffic to and from IP addresses that Palo Alto Networks has identified as malicious.
    Why do I need these rules?
    Rule Highlights
    • This rule protects you against IP addresses that Palo Alto Networks has proven to be used almost exclusively to distribute malware, initiate command-and-control activity, and launch attacks.
    • One rule blocks outbound traffic to known malicious IP addresses, while another rule blocks inbound traffic to those addresses.
    • Set the external dynamic list Palo Alto Networks - Known malicious IP addresses as the Destination address for the outbound traffic rule, and as the Source address for the inbound traffic rule.
    • Deny traffic that matches these rules.
    • Enable logging for traffic matching these rules so that you can investigate potential threats on your network.
    • Because these rules are intended to catch malicious traffic, they match traffic from any user running on any port.
    [Figure: bp-malicious-ips.png]
  2. Block traffic to and from Bulletproof hosting providers.
    Why do I need these rules?
    Rule Highlights
    • This rule protects you against IP addresses that Palo Alto Networks has shown to belong to Bulletproof hosting providers.
      Bulletproof hosting providers have no or very limited restrictions on content and don’t log events. This makes Bulletproof sites ideal places from which to launch command-and-control (C2) attacks and illegal activity because anything goes and nothing is tracked.
    • One rule blocks outbound traffic to known Bulletproof hosting IP addresses, while another rule blocks inbound traffic to those addresses.
    • Set the external dynamic list Palo Alto Networks - Bulletproof IP addresses as the Destination address for the outbound traffic rule, and as the Source address for the inbound traffic rule.
    • Deny traffic that matches these rules.
    • Enable logging for traffic matching these rules so that you can investigate potential threats on your network.
    • Because these rules are intended to catch malicious traffic, they match traffic from any user running on any port.
    [Figure: bp-bulletproof-ips.png]
  3. Log traffic to and from high-risk IP addresses from trusted threat advisories.
    Why do I need these rules?
    Rule Highlights
    • Although Palo Alto Networks has no direct evidence of the maliciousness of the IP addresses in the high-risk IP address feed, you should monitor these IP addresses since threat advisories have linked them to malicious behavior.
    • You can use these rules to filter your Traffic logs and decide whether to block high-risk IP addresses based on the log activity.
    • One rule logs outbound traffic to high-risk IP addresses, while another rule logs inbound traffic to those addresses.
    • Set the external dynamic list Palo Alto Networks - High risk IP addresses as the Destination address for the outbound traffic rule, and as the Source address for the inbound traffic rule.
    • Allow traffic matching these rules, but enable logging so that you can investigate a potential threat on your network.
    • Because these rules are intended to catch malicious traffic, they match traffic from any user running on any port.
    [Figure: bp-high-risk-ips.png]
  4. (MineMeld users only) Block inbound traffic from IP addresses that trusted third-party feeds have identified as malicious.
    Why do I need this rule?
    Rule Highlights
    • Block traffic from malicious IP addresses based on block lists compiled by Spamhaus and the Internet Storm Center, a branch of the SANS Institute. The lists contain IP addresses that attackers use to spread malware, Trojans, and botnets, and to carry out large-scale infrastructure attacks.
    • To enforce this rule:
      1. Use MineMeld to forward the IP addresses from the following sources (known as miners in MineMeld), spamhaus.DROP, spamhaus.EDROP, and dshield.block, to an external dynamic list.
      2. Configure the firewall to access an external dynamic list, using the URL that MineMeld provides for the list.
      3. Set the external dynamic list as the Source address for the rule.
    • Use the Drop action to silently drop the traffic without sending a signal to the client or the server.
    • Enable logging for traffic matching this rule so that you can investigate misuse of applications and potential threats on your network.
    • Because this rule is intended to catch malicious traffic, it matches traffic from any user running on any port.
    [Figure: bp-minemeld-ips.png]
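The steps above describe six rules (an inbound and an outbound rule for each of the three built-in EDLs) that must deny or allow, log, and match any user on any port. The following added example, which is not Palo Alto Networks code, audits a security rulebase export for exactly those properties; it assumes a simplified PAN-OS XML shape (source, destination, source-user, service, action, log-end) and uses a constructed sample rulebase with one compliant and one misconfigured rule. The user-defined MineMeld EDL is not checked because its name is chosen by the administrator.

```python
import xml.etree.ElementTree as ET

# Built-in EDLs named in the steps above, with the action each pair of rules should use.
EXPECTED_ACTION = {
    "Palo Alto Networks - Known malicious IP addresses": "deny",
    "Palo Alto Networks - Bulletproof IP addresses": "deny",
    "Palo Alto Networks - High risk IP addresses": "allow",
}

def members(entry, tag):
    """Collect the <member> values under a rule field such as source or service."""
    return [m.text for m in entry.findall(f"./{tag}/member")]

def audit_rulebase(xml_text):
    """Return (rule name, problem) tuples; an empty list means the rulebase matches the practice."""
    problems, seen = [], set()
    for entry in ET.fromstring(xml_text).findall(".//rules/entry"):
        name, action = entry.get("name"), entry.findtext("action")
        src, dst = members(entry, "source"), members(entry, "destination")
        for edl, want in EXPECTED_ACTION.items():
            # An EDL used as Destination is the outbound rule, as Source the inbound rule.
            direction = "inbound" if edl in src else "outbound" if edl in dst else None
            if direction is None:
                continue
            seen.add((edl, direction))
            if action != want:
                problems.append((name, f"action {action!r}, expected {want!r}"))
            if entry.findtext("log-end") != "yes":
                problems.append((name, "session-end logging is not enabled"))
            if members(entry, "service") != ["any"] or members(entry, "source-user") != ["any"]:
                problems.append((name, "must match any user on any port"))
    for edl in EXPECTED_ACTION:
        for direction in ("inbound", "outbound"):
            if (edl, direction) not in seen:
                problems.append(("<missing>", f"no {direction} rule references {edl}"))
    return problems

# Constructed sample rulebase (simplified PAN-OS XML shape): one compliant rule, one misconfigured.
SAMPLE_RULEBASE = """<rulebase><security><rules>
<entry name="block-malicious-out"><source><member>any</member></source>
 <destination><member>Palo Alto Networks - Known malicious IP addresses</member></destination>
 <source-user><member>any</member></source-user><service><member>any</member></service>
 <action>deny</action><log-end>yes</log-end></entry>
<entry name="block-malicious-in"><source><member>Palo Alto Networks - Known malicious IP addresses</member></source>
 <destination><member>any</member></destination><source-user><member>any</member></source-user>
 <service><member>service-http</member></service><action>deny</action><log-end>no</log-end></entry>
</rules></security></rulebase>"""
```

Running `audit_rulebase(SAMPLE_RULEBASE)` reports the disabled logging and the port restriction on the inbound rule, plus the four missing Bulletproof and high-risk rules.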
