Customize the Action and Trigger Conditions for a Brute Force Signature
The firewall includes two types of predefined brute force signatures—parent signatures and child signatures. A child signature matches a single occurrence of a traffic pattern. A parent signature is associated with a child signature and is triggered when multiple events that match the traffic pattern defined in the child signature occur within a specified time interval.
Typically, the default action for a child signature is allow because a single event is not indicative of an attack. This ensures that legitimate traffic is not blocked and avoids generating threat logs for non-noteworthy events. Palo Alto Networks recommends that you do not change the default action without careful consideration.
In most cases, the brute force signature is a noteworthy event due to its recurrent pattern. If needed, you can do one of the following to customize the action for a brute-force signature:
- Create a rule to modify the default action for all signatures in the brute force category. You can choose to allow, alert, block, reset, or drop the traffic.
- Define an exception for a specific signature. For example, you can search for and define an exception for a CVE.
For a parent signature, you can modify both the trigger conditions and the action; for a child signature, you can modify only the action.
To effectively mitigate an attack, specify the Block IP action instead of the drop or reset action for most brute force signatures.
1. Create a new Vulnerability Protection profile.
   - Select Objects > Security Profiles > Vulnerability Protection and Add a profile.
   - Enter a Name for the Vulnerability Protection profile.
   - (Optional) Enter a Description.
   - (Optional) Specify that the profile is Shared with:
     - Every virtual system (vsys) on a multi-vsys firewall—If cleared (disabled), the profile is available only to the Virtual System selected in the Objects tab.
     - Every device group on Panorama—If cleared (disabled), the profile is available only to the Device Group selected in the Objects tab.
   - (Optional—Panorama only) Select Disable override to prevent administrators from overriding the settings of this Vulnerability Protection profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.
2. Create a rule that defines the action for all signatures in a category.
   - On the Rules tab, Add and enter a Rule Name for a new rule.
   - (Optional) Specify a specific threat name (default is any).
   - Set the Action. In this example, it is set to Block IP.
     If you set a Vulnerability Protection profile to Block IP, the firewall first uses hardware to block IP addresses. If attack traffic exceeds the blocking capacity of the hardware, the firewall then uses software blocking mechanisms to block the remaining IP addresses.
   - Set Category to brute-force.
   - (Optional) If blocking, specify the Host Type on which to block: server or client (default is any).
   - See Step 3 to customize the action for a specific signature.
   - See Step 4 to customize the trigger threshold for a parent signature.
   - Click OK to save the rule and the profile.
3. Customize the action for a specific signature.
   - On the Exceptions tab, Show all signatures to find the signature you want to modify. To view all the signatures in the brute-force category, search for category contains 'brute-force'.
   - To edit a specific signature, click the predefined default action in the Action column.
   - Set the action: Allow, Alert, Block IP, or Drop. If you select Block IP, complete these additional tasks:
     - Specify the Time period (in seconds) after which to trigger the action.
     - Specify whether to Track By and block the IP address using the IP source or the IP source and destination.
     - Click OK.
   - For each modified signature, select the check box in the Enable column.
   - Click OK.
4. Customize the trigger conditions for a parent signature.
   - On the Exceptions tab, Show all signatures to find the signature you want to modify. A parent signature that can be edited is marked with an edit icon. In this example, the search criteria were the brute force category and CVE-2008-1447.
   - Edit the time attribute and the aggregation criteria for the signature.
   - To modify the trigger threshold, specify the Number of Hits per number of seconds.
   - Specify whether to aggregate the number of hits (Aggregation Criteria) by source, destination, or source-and-destination.
   - Click OK.
5. Attach this new profile to a Security policy rule.
   - Select Policies > Security and Add or modify a Security policy rule.
   - On the Actions tab, select Profiles as the Profile Type for the Profile Setting.
   - Select your Vulnerability Protection profile.
   - Click OK.
6. Commit your changes.
   - Click Commit.
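The following is an added example, not Palo Alto Networks code and not a PAN-OS API: it models in Python how the parent-signature trigger (Number of Hits per number of seconds, aggregated by source, destination, or source-and-destination) and the Block IP action (blocking the tracked address for a time period) described above behave when child-signature hits arrive. The threshold of 5 hits per 60 seconds, the 300-second block duration, and the IP addresses are constructed assumptions; the replay also shows why aggregating by source-and-destination can miss a source that spreads its attempts across several hosts.

```python
"""Added example (not Palo Alto Networks code): a model of a parent brute-force
signature's hit counting and of the Block IP action. Thresholds, durations and
addresses are assumptions chosen for illustration."""
from collections import defaultdict, deque

# Constructed child-signature events: (timestamp in seconds, source IP, destination IP).
SAMPLE_EVENTS = [
    (0, "198.51.100.7", "192.0.2.10"),
    (5, "198.51.100.7", "192.0.2.10"),
    (10, "198.51.100.7", "192.0.2.10"),
    (15, "198.51.100.7", "192.0.2.10"),
    (20, "198.51.100.7", "192.0.2.10"),   # 5th hit within 60 s: parent fires
    (25, "198.51.100.7", "192.0.2.10"),   # arrives while the source is blocked
    (30, "203.0.113.5", "192.0.2.10"),    # legitimate user, two failed attempts
    (40, "203.0.113.5", "192.0.2.10"),
    (50, "198.51.100.8", "192.0.2.10"),   # second source spreads hits over two hosts
    (52, "198.51.100.8", "192.0.2.11"),
    (54, "198.51.100.8", "192.0.2.10"),
    (56, "198.51.100.8", "192.0.2.11"),
    (58, "198.51.100.8", "192.0.2.10"),
]


def aggregation_key(criteria, src, dst):
    """Map an event to the key its hits are counted under (Aggregation Criteria / Track By)."""
    if criteria == "source":
        return src
    if criteria == "destination":
        return dst
    if criteria == "source-and-destination":
        return (src, dst)
    raise ValueError(f"unknown aggregation criteria: {criteria}")


class ParentSignature:
    """Fires when `threshold` child hits fall within `interval` seconds for one aggregation key."""

    def __init__(self, threshold, interval, aggregate_by):
        self.threshold = threshold
        self.interval = interval
        self.aggregate_by = aggregate_by
        self.windows = defaultdict(deque)  # key -> timestamps of recent hits

    def observe(self, ts, src, dst):
        """Record one child hit; return the aggregation key if the parent signature triggers."""
        key = aggregation_key(self.aggregate_by, src, dst)
        window = self.windows[key]
        window.append(ts)
        # Sliding window: discard hits older than `interval` seconds.
        while window and ts - window[0] > self.interval:
            window.popleft()
        if len(window) >= self.threshold:
            window.clear()  # one trigger per burst, then start counting again
            return key
        return None


class BlockList:
    """Models the Block IP action: the tracked address(es) are dropped for `duration` seconds."""

    def __init__(self, duration, track_by):
        self.duration = duration
        self.track_by = track_by
        self.expiry = {}  # key -> time at which the block lapses

    def block(self, ts, src, dst):
        self.expiry[aggregation_key(self.track_by, src, dst)] = ts + self.duration

    def is_blocked(self, ts, src, dst):
        key = aggregation_key(self.track_by, src, dst)
        return key in self.expiry and ts < self.expiry[key]


def run(events, threshold=5, interval=60, aggregate_by="source",
        block_duration=300, track_by="source"):
    """Replay events through the parent signature and the Block IP action.

    Returns (triggers, dropped): triggers lists the (timestamp, key) pairs at which the
    parent signature fired; dropped lists events discarded because their address was
    already on the block list when they arrived."""
    parent = ParentSignature(threshold, interval, aggregate_by)
    blocklist = BlockList(block_duration, track_by)
    triggers, dropped = [], []
    for ts, src, dst in events:
        if blocklist.is_blocked(ts, src, dst):
            dropped.append((ts, src, dst))
            continue
        key = parent.observe(ts, src, dst)
        if key is not None:
            triggers.append((ts, key))
            blocklist.block(ts, src, dst)
    return triggers, dropped


if __name__ == "__main__":
    for criteria in ("source", "source-and-destination"):
        trig, drop = run(SAMPLE_EVENTS, aggregate_by=criteria, track_by=criteria)
        print(f"aggregate by {criteria}: triggers={trig} dropped={drop}")
```

Running the replay with source aggregation fires the parent signature for both attacking sources and drops the sixth attempt from the first source because it is already blocked; with source-and-destination aggregation the second source never reaches the threshold against any single host, which is the trade-off to weigh when choosing the Aggregation Criteria in Step 4.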