Customize the Action and Trigger Conditions for a Brute Force Signature

The firewall includes two types of predefined brute force signatures—parent signatures and child signatures. A child signature is a single occurrence of a traffic pattern that matches the signature. A parent signature is associated with a child signature and is triggered when multiple events that match the traffic pattern defined in the child signature occur within a specified time interval.
Typically, the default action for a child signature is allow, because a single event is not indicative of an attack. This ensures that legitimate traffic is not blocked and avoids generating threat logs for non-noteworthy events. Palo Alto Networks recommends that you do not change the default action without careful consideration.
In most cases, a brute force signature is a noteworthy event due to its recurrent pattern. If needed, you can do one of the following to customize the action for a brute force signature:
  • Create a rule to modify the default action for all signatures in the brute force category. You can choose to allow, alert, block, reset, or drop the traffic.
  • Define an exception for a specific signature. For example, you can search for and define an exception for a CVE.
For a parent signature, you can modify both the trigger conditions and the action; for a child signature, you can modify only the action.
To effectively mitigate an attack, specify the block-ip address action instead of the drop or reset action for most brute force signatures.
  1. Create a new Vulnerability Protection profile.
    1. Select Objects > Security Profiles > Vulnerability Protection and Add a profile.
    2. Enter a Name for the Vulnerability Protection profile.
    3. (Optional) Enter a Description.
    4. (Optional) Specify that the profile is Shared with:
       • Every virtual system (vsys) on a multi-vsys firewall—If cleared (disabled), the profile is available only to the Virtual System selected in the Objects tab.
       • Every device group on Panorama—If cleared (disabled), the profile is available only to the Device Group selected in the Objects tab.
    5. (Optional—Panorama only) Select Disable override to prevent administrators from overriding the settings of this Vulnerability Protection profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.
  2. Create a rule that defines the action for all signatures in a category.
    1. On the Rules tab, Add and enter a Rule Name for a new rule.
    2. (Optional) Specify a specific threat name (default is any).
    3. Set the Action. In this example, it is set to Block IP.
       If you set a Vulnerability Protection profile to Block IP, the firewall first uses hardware to block IP addresses. If attack traffic exceeds the blocking capacity of the hardware, the firewall then uses software blocking mechanisms to block the remaining IP addresses.
    4. Set Category to brute-force.
    5. (Optional) If blocking, specify the Host Type on which to block: server or client (default is any).
    6. See Step 3 to customize the action for a specific signature.
    7. See Step 4 to customize the trigger threshold for a parent signature.
    8. Click OK to save the rule and the profile.
  3. (Optional) Customize the action for a specific signature.
    1. On the Exceptions tab, Show all signatures to find the signature you want to modify.
       To view all the signatures in the brute-force category, search for category contains 'brute-force'.
    2. To edit a specific signature, click the predefined default action in the Action column.
    3. Set the action: Allow, Alert, Block Ip, or Drop. If you select Block Ip, complete these additional tasks:
       1. Specify the Time period (in seconds) after which to trigger the action.
       2. Specify whether to Track By and block the IP address using the IP source or the IP source and destination.
    4. Click OK.
    5. For each modified signature, select the check box in the Enable column.
    6. Click OK.
  4. Customize the trigger conditions for a parent signature.
    A parent signature that can be edited is marked with an edit icon.
    In this example, the search criteria were the brute force category and CVE-2008-1447.
    1. Edit the time attribute and the aggregation criteria for the signature.
    2. To modify the trigger threshold, specify the Number of Hits per number of seconds.
    3. Specify whether to aggregate the number of hits (Aggregation Criteria) by source, destination, or source-and-destination.
    4. Click OK.
  5. Attach this new profile to a Security policy rule.
    1. Select Policies > Security and Add or modify a Security policy rule.
    2. On the Actions tab, select Profiles as the Profile Type for the Profile Setting.
    3. Select your Vulnerability Protection profile.
    4. Click OK.
  6. Commit your changes.
    1. Click Commit.
