Kategori: Uncategorized

Palo Alto Networks log forwarding for threat tagging

We’ll be using Palo Alto Networks log forwarding for threat tagging in combination with dynamic groups to help block IP’s acting shady. As long as you know what kind of traffic you think should warrant a quarantine, you should have no problem dropping it as soon as it occurs.

  1. Open Object -> Log Forwarding
  2. Add or modify an existing log forwarding rule
    You can use a single log forwarding for all your tagging rules, as well as syslog forwarding if you’d like to.
  3. Press «Add» to add a new Match List.
  4. Select your log type, and a filter.
    For the first example we’ll be using the URL filter log, and using a query that will tag anyone outside of Norway attempting to access the /wp-admin or /xmlrpc.php files.

    As long as the filter is giving you the correct result when viewed in the URL filter log, you’ll be good.

    If you press in the downward arrow on the right side of the Filter box, you can also use the Filter Builder to show you available fields as well as validating the output of your filter.

  5. Under Built-in actions, select tagging.
    We’d like to set the source address as the target, this being the IP that will be given a tag. In my home lab I’ve got a single tag, but at work we’re using seperate tags for internal and external threats.
  6. With that done, head off to Objects – Address Group.
  7. Press Add to create a new dynamic group, set the match to ‘Tagname’.
  8. Go to Policies, add the newly created dynamic group to an inbound drop rule
    Use different policies for different kinds of traffic, of course, but as the one we’ve just created is for Internet traffic, add it accordingly.

    You might want to start with step 9, so you can see what populates first, and see if anything is tagged erroneously.


  9. Add the log forwarding rule to any applicable rule you have.

A couple of usefull log filters
Blacklist traffic going to high value targets if not coming from a trusted network:
(( zone.dst eq Backup ) or ( zone.dst eq Management)) and ( zone.src neq Privileged )

Blacklist anyone triggering a medium or higher severity threat:
( severity geq 'medium' ) and ( zone.src eq 'Internet' )

Adjust this to fit your network, of course.

Oh no, I blacklisted legit traffic and now people are yelling at me!
How do I fix this?

  1. Go to Objects -> Address Groups
  2. Find the dynamic group, and under «Addresses», click «More».
  3. Find the IP in question
  4. Press Unregister tags.
  5. Press Add, add the tag you’d like to remove (such as ‘Threat’) and press OK twice.
  6. Done, no need for a commit.

Further reading:

Why I don’t trust PowerDMARC – and why you shouldn’t either.

We were in the process of finally getting DMARC fixed for all of our domains, and we had a supplier come and pitch PowerDMARC to us.

PowerDMARC, they told us, was the leading DMARC service in Norway, and was an ISO27001 certified provider headquartered in the United States.

After doing a quick trial with PowerDMARC we started with due dilligence, and the first red flags started to appear when trying to find company information.
Their site mentions a head office address in Delaware, but the actual name of the company was only to be found in their Data Processing Agreement.

This led us to MENAINFOSEC, Inc., still listing it’s principal place of business to be Delaware in the United States.

It turns out that 651 N Broad St in Middledown, Delaware is an anonymous office building, without any corporate logos. A few searches later makes it clear that this office building serves as a virtual office for several dozen other companies, and even several sharing Suite 206. Must be a crowded place.

Their LinkedIn profile doesn’t to much to help improve on the already shady first impressions, with only a single employee out of eighteen reporting to be based in Middletown.

So the company is not based in the US, and this throws their entire data processing agreement into jeopardy. But at least they’re ISO27001 certified, right?

Well, it turns out that their certification body, BQSR Quality Assurance Pvt. Ltd., at least had their customer account with IAS (International Accreditation Service) canceled in july.

So it could be that PowerDMARC is a completely legit company, but there sure is a whole lot of smoke here.

Possible alternatives to PowerDMARC could be either dmarcian or uriports, but you should always vet your SaaS providers yourself.