We’ll be using Palo Alto Networks log forwarding for threat tagging in combination with dynamic groups to help block IP’s acting shady. As long as you know what kind of traffic you think should warrant a quarantine, you should have no problem dropping it as soon as it occurs.

  1. Open Object -> Log Forwarding
  2. Add or modify an existing log forwarding rule
    You can use a single log forwarding for all your tagging rules, as well as syslog forwarding if you’d like to.
  3. Press «Add» to add a new Match List.
  4. Select your log type, and a filter.
    For the first example we’ll be using the URL filter log, and using a query that will tag anyone outside of Norway attempting to access the /wp-admin or /xmlrpc.php files.

    As long as the filter is giving you the correct result when viewed in the URL filter log, you’ll be good.

    If you press in the downward arrow on the right side of the Filter box, you can also use the Filter Builder to show you available fields as well as validating the output of your filter.

  5. Under Built-in actions, select tagging.
    We’d like to set the source address as the target, this being the IP that will be given a tag. In my home lab I’ve got a single tag, but at work we’re using seperate tags for internal and external threats.
  6. With that done, head off to Objects – Address Group.
  7. Press Add to create a new dynamic group, set the match to ‘Tagname’.
  8. Go to Policies, add the newly created dynamic group to an inbound drop rule
    Use different policies for different kinds of traffic, of course, but as the one we’ve just created is for Internet traffic, add it accordingly.

    You might want to start with step 9, so you can see what populates first, and see if anything is tagged erroneously.

  9. Add the log forwarding rule to any applicable rule you have.

A couple of usefull log filters
Blacklist traffic going to high value targets if not coming from a trusted network:
(( zone.dst eq Backup ) or ( zone.dst eq Management)) and ( zone.src neq Privileged )

Blacklist anyone triggering a medium or higher severity threat:
( severity geq 'medium' ) and ( zone.src eq 'Internet' )

Adjust this to fit your network, of course.

Oh no, I blacklisted legit traffic and now people are yelling at me!
How do I fix this?

  1. Go to Objects -> Address Groups
  2. Find the dynamic group, and under «Addresses», click «More».
  3. Find the IP in question
  4. Press Unregister tags.
  5. Press Add, add the tag you’d like to remove (such as ‘Threat’) and press OK twice.
  6. Done, no need for a commit.

Further reading:

The following two tabs change content below.