Customize the Action and Trigger Conditions for a Brute Force Signature

The firewall includes two types of predefined brute force signatures—parent signatures and child signatures. A child signature is a single occurrence of a traffic pattern that matches the signature. A parent signature is associated with a child signature and is triggered when multiple events occur within a specified time interval and that matches the traffic pattern defined in the child signature.
Typically, the default action for a child signature is allow because a single event is not indicative of an attack. This ensures that legitimate traffic is not blocked and avoids generating threat logs for non-noteworthy events. Palo Alto Networks recommends that you do not change the default action without careful consideration.
In most cases, the brute force signature is a noteworthy event due to its recurrent pattern. If needed, you can do one of the following to customize the action for a brute-force signature:
  • Create a rule to modify the default action for all signatures in the brute force category. You can choose to allow, alert, block, reset, or drop the traffic.
  • Define an exception for a specific signature. For example, you can search for and define an exception for a CVE.
For a parent signature, you can modify both the trigger conditions and the action; for a child signature, you can modify only the action.
To effectively mitigate an attack, specify the block-ip address action instead of the drop or reset action for most brute force signatures.
  1. Create a new Vulnerability Protection profile.
    1. Select ObjectsSecurity ProfilesVulnerability Protection and Add a profile.
    2. Enter a Name for the Vulnerability Protection profile.
    3. (Optional) Enter a Description.
    4. (Optional) Specify that the profile is Shared with:
      • Every virtual system (vsys) on a multi-vsys firewall—If cleared (disabled), the profile is available only to the Virtual System selected in the Objects tab.
      • Every device group on Panorama—If cleared (disabled), the profile is available only to the Device Group selected in the Objects tab.
    5. (Optional—Panorama only) Select Disable override to prevent administrators from overriding the settings of this Vulnerability Protection profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.
  2. Create a rule that defines the action for all signatures in a category.
    1. On the Rules tab, Add and enter a Rule Name for a new rule.
    2. (Optional) Specify a specific threat name (default is any).
    3. Set the Action. In this example, it is set to Block IP.
      If you set a Vulnerability Protection profile to Block IP, the firewall first uses hardware to block IP addresses. If attack traffic exceeds the blocking capacity of the hardware, the firewall then uses software blocking mechanisms to block the remaining IP addresses.
    4. Set Category to brute-force.
    5. (Optional) If blocking, specify the Host Type on which to block: server or client (default is any).
    6. See Step 3 to customize the action for a specific signature.
    7. See Step 4 to customize the trigger threshold for a parent signature.
      vuln-protection-block-rule.PNG
    8. Click OK to save the rule and the profile.
  3. (Optional) Customize the action for a specific signature.
    1. On the Exceptions tab, Show all signatures to find the signature you want to modify.
      To view all the signatures in the brute-force category, search for category contains 'brute-force'.
    2. To edit a specific signature, click the predefined default action in the Action column.
      vuln-protection-signatures.PNG
    3. Set the action: Allow, Alert, Block Ip, or Drop. If you select Block Ip, complete these additional tasks:
      1. Specify the Time period (in seconds) after which to trigger the action.
      2. Specify whether to Track By and block the IP address using the IP source or the IP source and destination.
    4. Click OK.
    5. For each modified signature, select the check box in the Enable column.
    6. Click OK.
  4. Customize the trigger conditions for a parent signature.
    A parent signature that can be edited is marked with this icon: icon-edit-signature.PNG .
    In this example, the search criteria was brute force category and CVE-2008-1447.
    1. Edit ( icon-edit-signature.PNG ) the time attribute and the aggregation criteria for the signature.
    2. To modify the trigger threshold, specify the Number of Hits per number of seconds.
    3. Specify whether to aggregate the number of hits (Aggregation Criteria) by source, destination, or source-and-destination.
    4. Click OK.
  5. Attach this new profile to a Security policy rule.
    1. Select PoliciesSecurity and Add or modify a Security policy rule.
    2. On the Actions tab, select Profiles as the Profile Type for the Profile Setting.
    3. Select your Vulnerability Protection profile.
    4. Click OK.
  6. Commit your changes.
    1. Click Commit.