Customize the Action and Trigger Conditions for a Brute Force
The firewall includes two types of predefined brute force signatures—parent signatures and child signatures. A child signature is a single occurrence of a traffic pattern that matches the signature. A parent signature is associated with a child signature and is triggered when multiple events occur within a specified time interval and that matches the traffic pattern defined in the child signature.
Typically, the default action for a child signature is
allowbecause a single event is not indicative of an attack. This ensures that legitimate traffic is not blocked and avoids generating threat logs for non-noteworthy events. Palo Alto Networks recommends that you do not change the default action without careful consideration.
In most cases, the brute force signature is a noteworthy event due to its recurrent pattern. If needed, you can do one of the following to customize the action for a brute-force signature:
- Create a rule to modify the default action for all signatures in the brute force category. You can choose to allow, alert, block, reset, or drop the traffic.
- Define an exception for a specific signature. For example, you can search for and define an exception for a CVE.
For a parent signature, you can modify both the trigger conditions and the action; for a child signature, you can modify only the action.
To effectively mitigate an attack, specify the block-ip address action instead of the drop or reset action for most brute force signatures.
- Create a new Vulnerability Protection profile.
- SelectandObjectsSecurity ProfilesVulnerability ProtectionAdda profile.
- Enter aNamefor the Vulnerability Protection profile.
- (Optional) Enter aDescription.
- (Optional) Specify that the profile isSharedwith:
- Every virtual system (vsys) on a multi-vsys firewall—If cleared (disabled), the profile is available only to the Virtual System selected in theObjectstab.
- Every device group on Panorama—If cleared (disabled), the profile is available only to the Device Group selected in theObjectstab.
- (Optional—Panorama only) SelectDisable overrideto prevent administrators from overriding the settings of this Vulnerability Protection profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.
- Create a rule that defines the action for all signatures in a category.
- On theRulestab,Addand enter aRule Namefor a new rule.
- (Optional) Specify a specific threat name (default isany).
- Set theAction. In this example, it is set toBlock IP.If you set a Vulnerability Protection profile to Block IP, the firewall first uses hardware to block IP addresses. If attack traffic exceeds the blocking capacity of the hardware, the firewall then uses software blocking mechanisms to block the remaining IP addresses.
- (Optional) If blocking, specify theHost Typeon which to block:serverorclient(default isany).
- See Step 3 to customize the action for a specific signature.
- See Step 4 to customize the trigger threshold for a parent signature.
- ClickOKto save the rule and the profile.
- (Optional) Customize the action for a specific signature.
- On theExceptionstab,Show all signaturesto find the signature you want to modify.To view all the signatures in the brute-force category, search forcategory contains 'brute-force'.
- To edit a specific signature, click the predefined default action in the Action column.
- Set the action:Allow,Alert,Block Ip, orDrop. If you selectBlock Ip, complete these additional tasks:
- Specify theTimeperiod (in seconds) after which to trigger the action.
- Specify whether toTrack Byand block the IP address using theIP sourceor theIP source and destination.
- For each modified signature, select the check box in theEnablecolumn.
- Customize the trigger conditions for a parent signature.A parent signature that can be edited is marked with this icon: .In this example, the search criteria was brute force category and CVE-2008-1447.
- Edit ( ) the time attribute and the aggregation criteria for the signature.
- To modify the trigger threshold, specify theNumber of Hitsper number ofseconds.
- Specify whether to aggregate the number of hits (Aggregation Criteria) bysource,destination, orsource-and-destination.
- Attach this new profile to a Security policy rule.
- SelectandPoliciesSecurityAddor modify a Security policy rule.
- On theActionstab, selectProfilesas theProfile Typefor the Profile Setting.
- Select yourVulnerability Protectionprofile.
- Commit your changes.