1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Microsegmentation Administrator's Guide
    5. Secure
    6. Blocking malicious IPs

    Blocking malicious IPs

    About blocking connections with malicious IPs

    We leverage IPsum for this procedure, a threat intelligence feed based on more than 30 publicly available lists of suspicious and/or malicious IP addresses. The list is updated once daily.
    This page guides you through creating:
    • An automation
       that creates and updates an external network with the latest malicious IP addresses from IPsum
    • A network ruleset
       that blocks processing units from initiating or accepting connections with the malicious IP addresses
    Because network rulesets that reject traffic take precedence over those that accept it, the one we create in this procedure won’t conflict with any other network rulesets you may have in place. You can safely propagate it to children namespaces and apply it to all processing units.
    Before you begin, you may wish to review basic network ruleset concepts.

    Prerequisites

    • Authenticated to apoctl with the
      Namespace Administrator
       role in the target namespace

    Creating the automation

    1. Set a MICROSEG_NS environment variable containing the target namespace.
       export MICROSEG_NS=/acme
      We recommend creating the external network and network ruleset at your top-level namespace.
    2. Use the following command to add an automation that creates a new external network called malicious-ips and keeps it synchronized with IPsum.
       cat <<EOF | apoctl api create automation -n $MICROSEG_NS -f -
 name: create-and-update-malicious-ip-list
 trigger: Time
 schedule: "@every 12h"
 immediateExecution: true
 disabled: false

 parameters:
  serviceName: "malicious-ips"

 entitlements:
  externalnetwork:
    - retrieve-many
    - create
    - delete

 condition: |
  function when(api, params) {
    return {continue: true, payload: null};
  }

 actions:
  - |
    function then(api, params, payload) {
      serviceName = params.serviceName
      obj = aporeto.http('GET', 'https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt');

      lines = obj.body.split('\n');

      var maliciousIPs = [];
      for (i=0; i < lines.length; i++) {
        if (lines[i].slice(0,1) != "#")  {
          var parts = lines[i].split(/\s+/);
          if ( parseInt(parts[1]) > 7 ) {
            maliciousIPs.push(parts[0]+"/32")
          } else {
            break;
          }
        }
      }

      if (maliciousIPs.length > 0 ) {
        var definedServices = api.RetrieveMany('externalnetwork', null, 'name == '+serviceName);
        if (definedServices.length > 0) {
          api.Delete('externalnetwork', definedServices[0].ID)
        }
        api.Create('externalnetwork', {
          name: serviceName,
          description: "Automatically updated malicious IP list"
          entries: maliciousIPs,
          propagate: true,
          associatedTags : [
            "externalnetwork:name=malicious-ips",
          ]
        })
      }
    }
 EOF
    3. Copy the alphanumeric string returned by the Microsegmentation Console to your clipboard.
      This is the ID of the automation.
    4. Use the following command to retrieve the automation, replacing <automation-id> with the value you copied in the previous step.
       apoctl api get automations <automation-id> -o yaml -n $MICROSEG_NS
    5. It should return a YAML object representing the automation.
      Check the errors key. It should not contain any value.
    6. In the Microsegmentation Console web interface, expand
      Defend
      , select
      Network
      , then select
      External networks
      .
      You should see an external network named malicious-ips. Expand to review the details. You should see a number of malicious IPs listed.

    Blocking connections with a network ruleset

    1. Set an environment variable named PUSELECTOR containing the tag or tag expression defining the processing units that should be blocked from connecting to the malicious IPs.
      The following example sets the value to $identity=processingunit, which will select all processing units in your current namespace as well as any children. Feel free to modify this value as desired.
       export PUSELECTOR="\$identity=processingunit"
    2. Use the following command to create the network ruleset.
       cat <<EOF | apoctl api create networkrulesetpolicy -n $MICROSEG_NS -f -
 name: block-malicious-ips
 description: Block connections with malicious IPs
 propagate: true
 subject:
 - - \$identity=processingunit
 outgoingRules:
 - action: Reject
   object:
   - - externalnetwork:name=malicious-ips
   protocolPorts:
   - any
 incomingRules:
 - action: Reject
   object:
   - - externalnetwork:name=malicious-ips
   protocolPorts:
   - any
 EOF
    3. Copy the alphanumeric string returned by the Microsegmentation Console to your clipboard.
      This is the ID of the network ruleset.
    4. Use the following command to retrieve the network ruleset, replacing <ruleset-id> with the value you copied in the previous step.
       apoctl api get networkrulesetpolicy <ruleset-id> -o yaml -n $MICROSEG_NS
    5. It should return a YAML object representing the network ruleset.

    Verifying the network ruleset

    The easiest way to verify the network ruleset is from a Linux host. If you’ve created the network ruleset and external network at the top namespace, as we recommended, you can verify it from any Microsegmentation namespace.
    1. Obtain your public IP address, such as by visiting whatsmyip.org in your browser.
    2. In the Microsegmentation Console web interface, expand
      Defend
      , select
      Network
      , then select
      External networks
      .
      Click the
      Edit
       button to open the malicious-ips external network for editing.
      If it is grayed out, navigate higher in the namespace hierarchy, to the namespace it was created in. If you followed our recommendation, you created it in the top-level namespace.
    3. Click
      Next
      .
    4. Paste your public IP address into the
      Networks
       field, click
      Next
      , and then click
      Update
      .
    5. Navigate to the namespace of your enforcer, and select
      Platform
      .
      You should see your host as a processing unit.
    6. From your local host, attempt to gain access to the enforcer host, such as via SSH.
    7. You should see the malicious-ips external network with a red flow to your host.
    8. Click the red flow and select
      Policies
      .
      Your block-malicous-ips ruleset should be listed as having blocked the traffic. Because it is a
      reject
       ruleset, it takes precedence over any
      allow
       policies in place.
    9. Navigate to the namespace of the malicious-ips external network, expand
      Defend
      , select
      Network
      , then select
      External networks
      .
      Click the
      Edit
       button to open the malicious-ips external network for editing.
    10. Click
      Next
      , remove your IP address from the
      Networks
       field, click
      Next
      , then click
      Update
      .
    11. From your local host, confirm that you can once again access the remote host via SSH.
      Congratulations! You have successfully blocked your processing units from communicating with IP addresses known to be malicious or suspicious.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo