Customize the Action and Trigger Conditions for a Brute Force
The firewall includes two types of predefined
brute force signatures—parent signatures and child signatures. A
child signature is a single occurrence of a traffic pattern that
matches the signature. A parent signature is associated with a child
signature and is triggered when multiple events occur within a specified
time interval and that matches the traffic pattern defined in the
Typically, the default action for a child
signature is allow because a single event is not indicative
of an attack. This ensures that legitimate traffic is not blocked
and avoids generating threat logs for non-noteworthy events. Palo
Alto Networks recommends that you do not change the default action
without careful consideration.
In most cases, the brute force
signature is a noteworthy event due to its recurrent pattern. If
needed, you can do one of the following to customize the action
for a brute-force signature:
Create a rule to modify
the default action for all signatures in the brute force category.
You can choose to allow, alert, block, reset, or drop the traffic.
Define an exception for a specific signature. For example,
you can search for and define an exception for a CVE.
a parent signature, you can modify both the trigger conditions and
the action; for a child signature, you can modify only the action.
To effectively mitigate an attack, specify
the block-ip address action instead of the drop or reset action
for most brute force signatures.
Create a new Vulnerability Protection profile.
for the Vulnerability
) Enter a
) Specify that the profile is
Every virtual system (vsys) on a multi-vsys
—If cleared (disabled), the profile is available only
to the Virtual System selected in the
Every device group on Panorama
—If cleared (disabled),
the profile is available only to the Device Group selected in the
to prevent administrators from overriding the
settings of this Vulnerability Protection profile in device groups
that inherit the profile. This selection is cleared by default, which
means administrators can override the settings for any device group
that inherits the profile.
Create a rule that defines the action for all signatures
in a category.
for a new rule.
) Specify a specific threat name
. In this example,
it is set to
If you set a Vulnerability Protection profile to
Block IP, the firewall first uses hardware to block IP addresses.
If attack traffic exceeds the blocking capacity of the hardware,
the firewall then uses software blocking mechanisms to block the
remaining IP addresses.
) If blocking, specify the
on which to block:
See Step 3 to customize the action for a specific signature.
See Step 4 to customize the trigger threshold for a
to save the rule and
Customize the action for a specific signature.
to find the signature you want to modify.
To view all the signatures in the brute-force category,
category contains 'brute-force'
To edit a specific signature, click the predefined
default action in the Action column.
Set the action:
. If you select
, complete these additional tasks:
(in seconds) after which to trigger the action.
Specify whether to
the IP address using the
source and destination
For each modified signature, select the check box
the trigger conditions for a parent signature.
A parent signature that can be edited is marked with this
In this example, the
search criteria was brute force category and CVE-2008-1447.
) the time attribute and the
aggregation criteria for the signature.
To modify the trigger threshold, specify the
per number of
Specify whether to aggregate the number of hits (
Attach this new profile to a Security policy rule.