How to Automatically Blocklist an Attacker's IP Address Using Palo Alto Networks Firewalls
Network security engineers rely on and trust blocklist feeds, whether they come from MineMeld or from MXToolbox, Spamhaus, ipinfo and others. For the most part these are quite accurate; however, attackers are crafty and switch public IP addresses frequently. Keeping those databases up to date in real time is extremely challenging, to say the least. So, what can you do to keep up with the ever-changing list of harmful IP addresses?
You need to inspect traffic for threats and vulnerabilities on a Palo Alto Networks firewall. Once the firewall detects a threat and the attacker's public IP address, it automatically adds that IP address to a Deny firewall rule.
Important: You must make sure you are blocking critical, high and medium severity threats at a bare minimum.
Why do I need to blocklist the attacker's IP address if my firewall is already blocking threats? The answer is simple: you don't know what other vulnerabilities the attacker is trying to exploit, and the firewall may or may not detect all of them. To reduce your attack surface even further, you need to automatically blocklist the IP address so it is stopped from scanning your network altogether, on any port and any application.
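As an added example (not from this post, and not Palo Alto Networks code), the same idea driven from outside the firewall: filter threat-log lines down to external sources seen at critical, high or medium severity, then build the PAN-OS User-ID register message that tags those IPs, so a Dynamic Address Group bound to that tag can sit in the Deny rule. The CSV column layout, the internal ranges, the tag name and the timeout are assumptions.

```python
"""Feed attacker IPs from threat logs into a PAN-OS tag that a Deny rule's
Dynamic Address Group can match.  Added example, not the post's own setup."""
import csv
import ipaddress
import xml.etree.ElementTree as ET

# Severities the article says must be blocked at a bare minimum.
BLOCK_SEVERITIES = {"critical", "high", "medium"}

# Constructed sample lines in an assumed, simplified CSV layout (not a verbatim
# PAN-OS export): receive_time, type, threat_name, src, dst, severity, action
SAMPLE_THREAT_LOG = """\
2024/01/05 10:14:02,THREAT,SQL Injection Attempt,203.0.113.7,198.51.100.20,high,reset-both
2024/01/05 10:14:09,THREAT,Port Scan,203.0.113.7,198.51.100.21,medium,alert
2024/01/05 10:15:30,THREAT,Suspicious User-Agent,192.0.2.44,198.51.100.20,low,alert
2024/01/05 10:16:01,THREAT,Code Execution Attempt,198.51.100.9,198.51.100.20,critical,drop
2024/01/05 10:16:40,THREAT,Apache Struts RCE,203.0.113.250,198.51.100.22,critical,drop
"""

# Assumed: RFC 1918 space plus our own public /24, never to be tagged as attackers.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "198.51.100.0/24")]

def attacker_ips(log_text, severities=BLOCK_SEVERITIES):
    """Sorted external source IPs seen in THREAT events at the given severities.
    Internal sources are skipped so a tagging mistake cannot lock out our own
    hosts; malformed lines are ignored rather than aborting the run."""
    hits = set()
    for row in csv.reader(log_text.splitlines()):
        if len(row) < 7 or row[1] != "THREAT" or row[5].lower() not in severities:
            continue
        try:
            ip = ipaddress.ip_address(row[3])
        except ValueError:
            continue
        if not any(ip in net for net in INTERNAL_NETS):
            hits.add(ip)
    return [str(ip) for ip in sorted(hits, key=lambda a: (a.version, a))]

def register_ip_message(ips, tag="attacker", timeout_seconds=86400):
    """Build the User-ID register payload sent to the XML API as
    /api/?type=user-id&cmd=<this XML>.  The per-tag timeout (seconds) makes the
    block expire on its own, so the deny list does not grow without bound."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "type").text = "update"
    register = ET.SubElement(ET.SubElement(root, "payload"), "register")
    for ip in ips:
        tags = ET.SubElement(ET.SubElement(register, "entry", ip=ip), "tag")
        ET.SubElement(tags, "member", timeout=str(timeout_seconds)).text = tag
    return ET.tostring(root, encoding="unicode")
```

Sending the message needs an API key with User-ID permissions, and the Deny rule must reference a Dynamic Address Group whose match criterion is the tag name used here.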
Disclaimer: The information posted here is informational only. Ricardo Gutierrez won’t be held liable for any mishaps, failures or any other negative outcome. It is the reader’s responsibility to make their own decisions and act on them.
Access to the video tutorial showing the steps to set this up in Panorama