Advanced Threat Prevention Powered by Precision AI™
Customize the Action and Trigger Conditions for a Brute Force Signature
Table of Contents
Customize the Action and Trigger Conditions for a Brute Force Signature
Where Can I Use This? | What Do I Need? |
---|---|
|
|
The firewall includes two types of predefined
brute force signatures—parent signatures and child signatures. A
child signature is a single occurrence of a traffic pattern that
matches the signature. A parent signature is associated with a child
signature and is triggered when multiple events occur within a specified
time interval and that matches the traffic pattern defined in the
child signature.
Typically, the default action for a child
signature is allow because a single event is not indicative
of an attack. This ensures that legitimate traffic is not blocked
and avoids generating threat logs for non-noteworthy events. Palo
Alto Networks recommends that you do not change the default action
without careful consideration.
In most cases, the brute force
signature is a noteworthy event due to its recurrent pattern. If
needed, you can do one of the following to customize the action
for a brute-force signature:
- Create a rule to modify the default action for all signatures in the brute force category. You can choose to allow, alert, block, reset, or drop the traffic.
- Define an exception for a specific signature. For example, you can search for and define an exception for a CVE.
For
a parent signature, you can modify both the trigger conditions and
the action; for a child signature, you can modify only the action.
To effectively mitigate an attack, specify
the block-ip address action instead of the drop or reset action
for most brute force signatures.
- Create a new Vulnerability Protection profile.
- Select ObjectsSecurity ProfilesVulnerability Protection and Add a profile.Enter a Name for the Vulnerability Protection profile.(Optional) Enter a Description.(Optional) Specify that the profile is Shared with:
- Every virtual system (vsys) on a multi-vsys firewall—If cleared (disabled), the profile is available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama—If cleared (disabled), the profile is available only to the Device Group selected in the Objects tab.
(Optional—Panorama only) Select Disable override to prevent administrators from overriding the settings of this Vulnerability Protection profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.Create a rule that defines the action for all signatures in a category.- On the Rules tab, Add and enter a Rule Name for a new rule.(Optional) Specify a specific threat name (default is any).Set the Action. In this example, it is set to Block IP.If you set a Vulnerability Protection profile to Block IP, the firewall first uses hardware to block IP addresses. If attack traffic exceeds the blocking capacity of the hardware, the firewall then uses software blocking mechanisms to block the remaining IP addresses.Set Category to brute-force.(Optional) If blocking, specify the Host Type on which to block: server or client (default is any).See Step 3 to customize the action for a specific signature.See Step 4 to customize the trigger threshold for a parent signature.Click OK to save the rule and the profile.(Optional) Customize the action for a specific signature.
- On the Exceptions tab, Show all signatures to find the signature you want to modify.To view all the signatures in the brute-force category, search for category contains 'brute-force'.To edit a specific signature, click the predefined default action in the Action column.Set the action: Allow, Alert, Block Ip, or Drop. If you select Block Ip, complete these additional tasks:
- Specify the Time period (in seconds) after which to trigger the action.
- Specify whether to Track By and block the IP address using the IP source or the IP source and destination.
Click OK.For each modified signature, select the check box in the Enable column.Click OK.Customize the trigger conditions for a parent signature.A parent signature that can be edited is marked with this icon:In this example, the search criteria was brute force category and CVE-2008-1447.- Edit (To modify the trigger threshold, specify the Number of Hits per number of seconds.Specify whether to aggregate the number of hits (Aggregation Criteria) by source, destination, or source-and-destination.Click OK.Attach this new profile to a Security policy rule.
- Select PoliciesSecurity and Add or modify a Security policy rule.On the Actions tab, select Profiles as the Profile Type for the Profile Setting.Select your Vulnerability Protection profile.Click OK.Commit your changes.
- Click Commit.