With the release of PanOS 8.0, a cool feature called Built-in actions was introduced.
It’s a feature that can automate certain processes in PanOS, and I will in this post showcase one of the uses.
I am hosting this blog on my personal server behind a PA-220.
And as you can see, the PA-220 is kept busy with intercepting and reset connections that trying to exploit my WordPress installation. (China number ONE when it comes to the sources..)
But why let the same IP’s try over and over again with different attacks? Why risk that one of them slips through and actually can do damage?
This is where Built-in actions come to the rescue!
First, we need to go to Objects -> Log Forwarding.
Create a new Log forwarding profile, or use an existing.
Create a suitable name and description, then push “Add” to add a new rule/match for the profile.
We are now able to create a match for the data we want to look at.
If you push the little arrow to the right of the “Filter” box, you can start a filter builder to create a granular filter you want:
But my setup is rather simple, I am just interested in all events with the severity “critical” in the threat log.
So I can get away with (severity eq critical) as a filter.
You then need to add a new Built-in action for this match, so push the “Add” button as marked.
We then open this window, where you can decide what should happen with the log events we find with the filter match.
I am interested in the Source Address of the log entry, as that is the attacker trying to exploit me.
If we then add a Local User-ID tag on that Source address, I will be able to further use it as a match criterion.
I went for the original tag of “IP-Attackers” … 😀
Now we need to use the tag for something useful, and for that, we need to go to Objects -> Address Groups.
Create a new group with the “add” button.
Give it a name and description, and set it to “Dynamic” as type, and set the match to the tag you created in the Built-in action setup. You can also browse after it with the “Add Match Criteria” button.
This configuration will ensure that every source IP address that is matched with the Log forwarding filter will be available in this address group we created.
But first, we need to add the Log forwarding profile to a security rule so we will get any matches.
This is my security policy that is enabling access to this blog, and as you can see I have added the Log forwarding profile we created earlier. This gives the profile access to all log events that are created by this security policy. (Hint: If you name the Log forwarding profile for “default” it will be auto-populated here on every rule)
We can then use this group in a security rule as a match criterion with action set to Deny and effectively shut down all attackers from further attempts to bypass the IPS.
No hits yet.. will update as soon as we get one!
After a couple of days we have this list of attackers that have been blocked by the IPS, and are now blocked by the “Block IP Attackers” rule:
Hit 777 times.. the number of God! 😀
Note: To remove an IP from the list, you just use the “Unregister Tags” in the Dynamic Address Group!