With all the information you have now uncovered, you
can piece together how the threat impacts your network—the scale
of the attack, the source, the compromised hosts, the risk factor—and
evaluate what changes, if any, to follow through on. Here are some
suggestions to consider:
Forestall DDoS attacks by enhancing your DoS Protection
profile to apply random early drop or SYN cookies for
TCP floods. Consider placing limits on ICMP and UDP traffic. Evaluate
the options available to you based on the trends and patterns you
noticed in your logs, and implement the changes using Panorama templates.

Use a dynamic block list (see Dynamic Block Lists) to block
specific IP addresses that you have uncovered from several intelligence
sources: analysis of your own threat logs, DDoS attacks from specific
IP addresses, or a third-party IP block list.
The list must
be a text file that is located on a web server. Using device groups
on Panorama, push the object to the managed firewalls so that the
firewalls can access the web server and import the list at a defined
frequency. After creating a dynamic block list object, define a
Security rule that uses the address object in the source and destination
fields to block traffic from or to the IP address, range, or subnet
defined. This approach allows you to block intruders until you resolve
the issue and make larger policy changes to secure your network.
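The workflow just described (mine the threat logs for repeat offenders, merge them with a third-party feed, and publish a plain-text list the firewalls can fetch) is easy to get subtly wrong: an internal host that appears as a source, or a malformed line, can either block your own users or make the firewall reject the whole list. The script below is an added example, not Palo Alto Networks' code. The threat log lines and the third-party feed are constructed sample data, and the entry format it validates (one IP address, CIDR subnet, or `start-end` range per line, `#` for comments) is an assumption about the list format that you should confirm against your PAN-OS documentation before relying on it.

```python
"""Build and validate a dynamic block list text file from firewall threat logs.

Added example, not Palo Alto Networks' code. Assumptions (constructed here):
- SAMPLE_THREAT_LOGS and THIRD_PARTY_FEED are made-up sample data;
- the list format (one IP, CIDR, or 'start-end' range per line, '#' comments)
  is an assumption about EDL syntax; verify it against your PAN-OS version.
"""
import ipaddress
from collections import Counter

# Constructed sample threat log lines: receive_time,type,severity,src,dst,threat
SAMPLE_THREAT_LOGS = [
    "2024/01/10 09:12:01,THREAT,critical,203.0.113.7,10.0.0.5,Brute Force",
    "2024/01/10 09:12:05,THREAT,critical,203.0.113.7,10.0.0.9,Brute Force",
    "2024/01/10 09:13:40,THREAT,high,198.51.100.22,10.0.0.5,Scan",
    "2024/01/10 09:14:02,THREAT,critical,203.0.113.7,10.0.0.12,Brute Force",
    "2024/01/10 09:15:00,THREAT,low,192.0.2.44,10.0.0.5,Info",
    "2024/01/10 09:16:21,THREAT,high,198.51.100.22,10.0.0.7,Scan",
    "2024/01/10 09:17:00,THREAT,critical,10.0.0.5,203.0.113.7,Spyware",  # internal source
]

# Constructed third-party feed; one of its lines is deliberately malformed.
THIRD_PARTY_FEED = ["# vendor feed (constructed)", "198.51.100.0/24", "203.0.113.300"]

# RFC 1918 space: never let an internal host end up in the block list.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_threat_logs(lines):
    """Yield dicts for the fields we need; skip lines that do not have six fields."""
    for line in lines:
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 6:
            continue
        yield {"severity": parts[2].lower(), "src": parts[3], "dst": parts[4], "threat": parts[5]}


def select_block_candidates(lines, min_hits=2, severities=("critical", "high")):
    """Return external source IPs seen at least min_hits times at the given severities."""
    counts = Counter()
    for rec in parse_threat_logs(lines):
        if rec["severity"] not in severities:
            continue
        try:
            src = ipaddress.ip_address(rec["src"])
        except ValueError:
            continue  # garbled address field; do not block on bad data
        if any(src in net for net in INTERNAL_NETS):
            continue  # internal host: an incident to investigate, not an entry to push
        counts[str(src)] += 1
    return sorted(ip for ip, n in counts.items() if n >= min_hits)


def validate_edl_entry(entry):
    """True if the line is blank, a comment, an IP, a CIDR subnet, or a 'start-end' range."""
    entry = entry.split("#", 1)[0].strip()
    if not entry:
        return True
    try:
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            return lo.version == hi.version and lo <= hi
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False


def invalid_entries(text):
    """Return the (line_number, line) pairs a firewall would likely reject."""
    return [(i, ln) for i, ln in enumerate(text.splitlines(), 1) if not validate_edl_entry(ln)]


def render_edl(log_candidates, third_party=()):
    """Merge our candidates with a third-party feed, dropping malformed feed lines."""
    clean_feed = [ln for ln in third_party if validate_edl_entry(ln) and not ln.lstrip().startswith("#")]
    entries = sorted(set(log_candidates) | {ln.strip() for ln in clean_feed if ln.strip()})
    header = "# block list generated from threat logs and third-party feed (constructed example)"
    return "\n".join([header, *entries]) + "\n"


if __name__ == "__main__":
    candidates = select_block_candidates(SAMPLE_THREAT_LOGS)
    print("rejected feed lines:", invalid_entries("\n".join(THIRD_PARTY_FEED)))
    print(render_edl(candidates, THIRD_PARTY_FEED))
```

Serve the rendered file from the web server the firewalls are configured to poll, and run `invalid_entries` over the final file as a pre-publish check so a single bad line from an upstream feed cannot stall the import.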
Determine whether to create shared policy rules or device
group rules to block specific applications that caused the infection
(web-browsing, SMTP, FTP), make more stringent URL Filtering rules,
or restrict some applications/actions (for example, file downloads
to specific user groups).
On Panorama, you can also switch to the firewall context
and configure the firewall for Botnet reports that identify potential
botnet-infected hosts on the network.