The firewall includes two types of predefined
brute force signatures: parent signatures and child signatures. A
child signature matches a single occurrence of a traffic pattern.
A parent signature is associated with a child signature and is
triggered when multiple events that match the child signature's
traffic pattern occur within a specified time interval (that is,
a threshold number of matches within a number of seconds).
Typically, the default action for a child
signature is
allow because a single event is not indicative
of an attack. This ensures that legitimate traffic is not blocked
and avoids generating threat logs for non-noteworthy events. Palo
Alto Networks recommends that you do not change the default action
without careful consideration.
In most cases, a parent brute force
signature is a noteworthy event because of the recurrent pattern
it detects. If needed, you can customize the action for a brute
force signature in one of the following ways:
Create a rule to modify
the default action for all signatures in the brute force category.
You can choose to allow, alert, block, reset, or drop the traffic.
Define an exception for a specific signature. For example,
you can search for a signature by the CVE ID it references and define
an exception for that signature only.
For
a parent signature, you can modify both the trigger conditions and
the action; for a child signature, you can modify only the action.
To effectively mitigate an attack, specify
the block-ip action instead of the drop or reset action
for most brute force signatures. Drop and reset affect only the
session that matched, so the attacker can simply open a new session
and continue; block-ip blocks subsequent traffic from the offending
source address for the configured duration, which stops the retry
loop that brute force attacks depend on.
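The parent/child and action mechanics described above, as an added example that is not Palo Alto Networks code: a small Python model of a child signature (a single match with the default action allow, so nothing is logged) and a parent signature that fires when a threshold of child matches from the same source falls inside a sliding time interval, then applies block-ip so later traffic from that source is refused. The signature names, the substring-based pattern match, the constructed sample events, and the choice to clear a source's window after the parent fires are assumptions of this model, not PAN-OS internals.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class ChildSignature:
    """One traffic pattern; a single match is normally allowed and not logged."""
    name: str
    pattern: str            # substring looked for in the event payload (model only)
    action: str = "allow"   # allow | alert | drop | reset | block-ip


@dataclass
class ParentSignature:
    """Fires when `threshold` child matches from one key fall within `interval` seconds."""
    name: str
    child: ChildSignature
    threshold: int
    interval: float
    action: str = "block-ip"
    key: str = "src"        # aggregate child matches per source address
    _windows: dict = field(default_factory=lambda: defaultdict(deque), repr=False)

    def observe(self, event):
        """Record a child match for event['key']; return True if the parent triggers."""
        window = self._windows[event[self.key]]
        window.append(event["ts"])
        # Slide the window: discard matches older than `interval` seconds.
        while window and event["ts"] - window[0] > self.interval:
            window.popleft()
        if len(window) >= self.threshold:
            window.clear()  # modeling assumption: start counting afresh after firing
            return True
        return False


def evaluate(events, parent, blocked=None):
    """Run events through the child/parent pair; return threat-log entries.

    Each entry is (ts, key, signature_name, action). Child matches whose
    action is 'allow' produce no entry, mirroring the default described above.
    """
    blocked = set() if blocked is None else blocked
    child = parent.child
    log = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = ev[parent.key]
        if key in blocked:
            # Source was hit by block-ip earlier: refuse everything from it.
            log.append((ev["ts"], key, parent.name, "block-ip (already blocked)"))
            continue
        if child.pattern not in ev["payload"]:
            continue
        if child.action != "allow":
            log.append((ev["ts"], key, child.name, child.action))
        if parent.observe(ev):
            log.append((ev["ts"], key, parent.name, parent.action))
            if parent.action == "block-ip":
                blocked.add(key)
    return log


# Constructed sample: 10.0.0.5 fails SSH auth six times in 15 s (brute force);
# 10.0.0.9 fails three times spread over 100 s plus one success (normal user).
SAMPLE_EVENTS = (
    [{"ts": 100 + 3 * i, "src": "10.0.0.5", "payload": "ssh auth_fail user=root"}
     for i in range(6)]
    + [{"ts": 100 + 50 * i, "src": "10.0.0.9", "payload": "ssh auth_fail user=admin"}
       for i in range(3)]
    + [{"ts": 110, "src": "10.0.0.9", "payload": "ssh auth_ok user=admin"}]
)


def demo(child_action="allow", threshold=5, interval=60.0):
    """Build a fresh signature pair (names are hypothetical) and evaluate the sample."""
    child = ChildSignature("SSH: Authentication Failed (child, model)", "auth_fail", child_action)
    parent = ParentSignature("SSH: Brute Force (parent, model)", child, threshold, interval)
    return evaluate(SAMPLE_EVENTS, parent)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

With the default child action of allow, the only log entries are the parent firing on the fifth failure from 10.0.0.5 and the sixth attempt being refused because the source is now blocked; the three slow failures from 10.0.0.9 never fill the window. Changing the child action to alert (as a policy rule for the category would) logs every single failure as well, which is the log noise the default is meant to avoid.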