To configure the PAN firewall to block high-risk and known-malicious IP addresses from international attackers using dynamic IP lists (similar to a DBL), plus country-based (Geo-IP) blocking, go to Objects > External Dynamic Lists > Add. Notice the Dynamic IP List (feed) created in my previous post.
There are also predefined (built-in) Dynamic IP Lists from Palo Alto Networks, including High risk IP addresses and Known malicious IP addresses, which this lab uses.
To apply these Dynamic IP Lists, go to Policies > Security > select Rule #1 (Allow-Any) > click Clone (at the bottom).
Leave the Default Name selected > click OK.
Click Allow-Any-1 to edit.
Under the General tab > edit the Name: BLOCK-OUT-HIGH-MALICIOUS-IP. Note that a Name can be up to 31 characters in length.
Under Source > Source Zone > Add > select inside.
Under Destination > Destination Zone > Add > select outside.
Under Destination Address > Add > select both Palo Alto Networks - High risk IP addresses and Known malicious IP addresses.
You can also block based on Geolocation of the IP address (Geo-IP) by adding a region code as an address; refer to the PAN Knowledge Base (KB) for the Region Code Legend. For this lab, I've blocked both Outbound and Inbound traffic for North Korea (KP), China (CN) and Russia (RU), so under Destination Address of this outbound rule, also add the regions KP, CN and RU.
Leave the Application and Service/URL Category tabs with the default of Any.
Under Actions tab > Action Setting > Action: Deny > click OK.
Select Rule #2 (BLOCK-OUT-HIGH-MALICIOUS-IP) > click Clone (at the bottom) to configure a Security rule for Inbound traffic.
Leave the default Name selected > click OK.
Click BLOCK-OUT-HIGH-MALICIOUS-IP-1 to edit.
Under General tab > edit Name: BLOCK-IN-HIGH-MALICIOUS-IP.
This is the reverse or mirrored rule for Inbound traffic. Under Source > Source Zone > modify to outside.
Under Source Address > Add both Palo Alto Networks - High risk IP addresses and Known malicious IP addresses. Also add the Geo-IP regions for North Korea (KP), China (CN) and Russia (RU).
Under Destination > Destination Zone > modify to inside. Because this rule was cloned from the outbound rule, Destination Address still carries the lists and regions; set it back to Any, otherwise the rule only matches when both the source and the destination are on the lists. Click OK.
Move Security Rules #2 and #3 to positions #1 and #2 respectively, so that they are evaluated before Allow-Any. Either drag and drop each Security rule, or Ctrl + click to select both Rules #2 and #3 and then click Move (at the bottom) > Move Top.
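The same two rules can be scripted as PAN-OS configure-mode set commands instead of being cloned and edited in the GUI, which also makes the mirroring explicit (zones swapped, lists moved from Destination to Source). This is an added example, not code from the original post. It assumes the predefined EDL object names panw-highrisk-ip-list and panw-known-ip-list, the zone names inside and outside, and the set/move command syntax shown; verify all three against your PAN-OS version before pasting.

```python
"""Script the two deny rules from this post as PAN-OS configure-mode
'set' commands instead of cloning and editing them in the GUI.

Added example, not code from the original post. Assumptions (verify on
your PAN-OS version): the predefined EDL object names
panw-highrisk-ip-list and panw-known-ip-list, the zone names inside and
outside, and the 'set rulebase security rules ...' / 'move rulebase ...'
syntax rendered below.
"""
from dataclasses import dataclass

PREDEFINED_EDLS = ("panw-highrisk-ip-list", "panw-known-ip-list")
BLOCKED_REGIONS = ("KP", "CN", "RU")   # region codes per the PAN KB legend
MAX_RULE_NAME = 31                      # limit quoted in the post


@dataclass
class DenyRule:
    name: str
    from_zone: str
    to_zone: str
    source: tuple = ("any",)
    destination: tuple = ("any",)

    def __post_init__(self):
        if len(self.name) > MAX_RULE_NAME:
            raise ValueError(f"rule name longer than {MAX_RULE_NAME}: {self.name!r}")
        # A block rule carries the lists on one side only; with lists on both
        # sides the rule matches only when src AND dst are listed, i.e. never
        # for traffic to or from your own hosts.
        if self.source != ("any",) and self.destination != ("any",):
            raise ValueError("put the block lists on source OR destination, not both")

    def set_commands(self):
        def members(items):
            return items[0] if len(items) == 1 else "[ " + " ".join(items) + " ]"
        base = f"set rulebase security rules {self.name}"
        return [
            f"{base} from {self.from_zone}",
            f"{base} to {self.to_zone}",
            f"{base} source {members(self.source)}",
            f"{base} destination {members(self.destination)}",
            f"{base} application any",
            f"{base} service any",
            f"{base} action deny",
        ]


def mirrored_pair(block_list, inside="inside", outside="outside"):
    """Outbound rule: lists on Destination.  Inbound mirror: zones swapped,
    lists moved to Source, Destination left at any."""
    outbound = DenyRule("BLOCK-OUT-HIGH-MALICIOUS-IP", inside, outside,
                        destination=tuple(block_list))
    inbound = DenyRule("BLOCK-IN-HIGH-MALICIOUS-IP", outside, inside,
                       source=tuple(block_list))
    return outbound, inbound


def render(rules):
    """All set commands plus the moves that put both deny rules above
    Allow-Any (the rulebase is evaluated top-down, first match wins)."""
    lines = [cmd for rule in rules for cmd in rule.set_commands()]
    first, second = rules
    lines.append(f"move rulebase security rules {first.name} top")
    lines.append(f"move rulebase security rules {second.name} after {first.name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(mirrored_pair(PREDEFINED_EDLS + BLOCKED_REGIONS)))
```

Run it and paste the output into configure mode, then commit; the DenyRule check refuses a rule that has lists on both Source and Destination, which is exactly the state a GUI clone of the outbound rule is left in until Destination Address is reset to Any.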
Before clicking Commit, I tried to ping two of the High Risk IP addresses (as of this writing): 103.37.60.112 and 103.253.73.168.
To get the list of High Risk (or Known Malicious) IP addresses, issue the CLI command: request system external-list show type predefined-ip name panw-highrisk-ip-list (or panw-known-ip-list).
To monitor ICMP logs, go to Monitor > Logs > Traffic.
Notice that the Application: ping to Destination: 103.37.60.112 and 103.253.73.168 had an Action: allow.
Click on the magnifying glass icon to get a Detailed Log View.
Notice under Destination > Address (103.37.60.112) > Country > Hong Kong, and under Destination > Address (103.253.73.168) > Country > Thailand.
To apply the new Security rules, click Commit.
I was unable to ping the High Risk IP addresses afterwards.
To monitor ICMP logs, go to Monitor > Logs > Traffic.
Notice Application: ping > Action: deny > Rule: BLOCK-OUT-HIGH-MALICIOUS-IP.
Click the magnifying glass icon to get a Detailed Log View.
I tried to visit popular websites in China and Russia but my access was denied.
Click the magnifying glass icon to get a Detailed Log View.
I also got denied when I visited a North Korean website.
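The verification done by hand above (ping, then inspect Monitor > Logs > Traffic for allow versus deny) can be automated against a traffic-log export: any session that was allowed although its source or destination is on the feed or in a blocked region means the deny rules are missing, sit below Allow-Any, or have not been committed. This is an added example, not code from the original post. The feed entries and the CSV rows are constructed for illustration (the two IPs are the ones pinged above; the /24 is made up to show prefix matching), and the column names are an assumption about the export format.

```python
"""Audit a PAN-OS traffic-log export for sessions that the two block rules
should have denied but that were still allowed.

Added example, not code from the original post.  The feed entries and the
CSV rows below are constructed for illustration: the two IPs are the ones
the post pinged, the /24 is made up to show prefix matching, and the
column names are an assumption about the export from
Monitor > Logs > Traffic.
"""
import csv
import io
import ipaddress

# Constructed stand-in for the output of
#   request system external-list show type predefined-ip name panw-highrisk-ip-list
FEED = """\
103.37.60.112
103.253.73.168
198.51.100.0/24
"""

BLOCKED_REGIONS = {"KP", "CN", "RU"}
BLOCK_RULES = {"BLOCK-OUT-HIGH-MALICIOUS-IP", "BLOCK-IN-HIGH-MALICIOUS-IP"}

# Constructed traffic-log export: the first two rows are the pre-commit
# pings from the post; later rows are after the commit.
LOG_CSV = """\
receive_time,rule,src,src_country,dst,dst_country,app,action
2019/05/01 10:00:01,Allow-Any,192.168.1.10,private,103.37.60.112,HK,ping,allow
2019/05/01 10:00:02,Allow-Any,192.168.1.10,private,103.253.73.168,TH,ping,allow
2019/05/01 10:05:10,BLOCK-OUT-HIGH-MALICIOUS-IP,192.168.1.10,private,103.37.60.112,HK,ping,deny
2019/05/01 10:05:11,BLOCK-OUT-HIGH-MALICIOUS-IP,192.168.1.10,private,103.253.73.168,TH,ping,deny
2019/05/01 10:06:00,BLOCK-OUT-HIGH-MALICIOUS-IP,192.168.1.10,private,203.0.113.5,CN,web-browsing,deny
2019/05/01 10:06:30,Allow-Any,192.168.1.10,private,198.51.100.77,US,ssl,allow
2019/05/01 10:07:00,Allow-Any,192.168.1.10,private,8.8.8.8,US,dns,allow
2019/05/01 10:08:00,BLOCK-IN-HIGH-MALICIOUS-IP,103.37.60.112,HK,192.168.1.10,private,ping,deny
2019/05/01 10:08:30,Allow-Any,203.0.113.9,RU,192.168.1.10,private,ssh,allow
"""


def load_feed(text):
    """Parse feed lines (single IPs or CIDR prefixes) into ip_network objects."""
    return [ipaddress.ip_network(line.strip(), strict=False)
            for line in text.splitlines() if line.strip()]


def on_feed(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def audit(log_text, networks, regions):
    """Return (unexpected_allows, block_rule_denies).

    A session is 'unexpected' when it was allowed although its source or
    destination is on the feed or in a blocked region, i.e. the deny rules
    are missing, below Allow-Any, or not yet committed."""
    unexpected, denies = [], []
    for row in csv.DictReader(io.StringIO(log_text)):
        listed = (on_feed(row["src"], networks) or on_feed(row["dst"], networks)
                  or row["src_country"] in regions or row["dst_country"] in regions)
        if row["action"] == "allow" and listed:
            unexpected.append(row)
        elif row["action"] == "deny" and row["rule"] in BLOCK_RULES:
            denies.append(row)
    return unexpected, denies


if __name__ == "__main__":
    bad, good = audit(LOG_CSV, load_feed(FEED), BLOCKED_REGIONS)
    for row in bad:
        print(f"ALLOWED but listed: {row['src']} -> {row['dst']} "
              f"({row['app']}) at {row['receive_time']}")
    print(f"{len(good)} sessions denied by the block rules")
```

On the constructed data the script flags the two pre-commit pings, an allowed session into the made-up /24, and an inbound SSH session allowed from a Russian source, while the four denies attributed to the block rules are the expected result after the commit.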