Friday, December 6, 2019

Palo Alto Networks Firewall High Risk and Geolocation IP Blocking

To configure the PAN Firewall to block traffic to and from High Risk and Known Malicious IP addresses using Dynamic IP lists (similar to a DBL), and to block international attackers by Geolocation IP, go to Objects > External Dynamic Lists > Add. Notice the Dynamic IP List (feed) created in my previous post.

There are also two Default Dynamic IP Lists: High risk and Known malicious IP addresses.


To apply these Dynamic IP Lists, go to Policies > Security > click Rule #1 (Allow-Any) > Clone (at the bottom).


Leave the Default Name selected > click OK.


Click Allow-Any-1 to edit.


Under General > edit the Name: BLOCK-OUT-HIGH-MALICIOUS-IP. Note a Name can be up to 31 characters in length.


Under Source > Source Zone > Add > select inside.


Under Destination > Destination Zone > Add > select outside.


Under Destination Address > Add > select both Palo Alto Networks - High risk IP addresses and Known malicious IP addresses.


You can also block based on Geolocation source IP address (Geo-IP). Refer to the PAN Knowledge Base (KB) for the Region Code Legend.

For this lab, I've blocked both Outbound and Inbound traffic for North Korea (KP), China (CN) and Russia (RU).



Leave the Application and Service/URL Category tabs with the default of Any.



Under Actions tab > Action Setting > Action: Deny > click OK.


Select Rule #2 (BLOCK-OUT-HIGH-MALICIOUS-IP) > Clone (at the bottom) to configure a Security rule for Inbound traffic.


Leave the default Name selected > click OK.


Click BLOCK-OUT-HIGH-MALICIOUS-IP-1 to edit.


Under General tab > edit Name: BLOCK-IN-HIGH-MALICIOUS-IP.


I just configured a reverse or mirrored rule for Inbound traffic. Under Source > Source Zone > modify to outside.

For Source Address > Add both Palo Alto Networks - High risk IP addresses and Known malicious IP addresses. Also add the Geo-IP addresses for North Korea (KP), China (CN) and Russia (RU).


Under Destination > Destination Zone > modify to inside > click OK.


Move Security Rules #2 and #3 to positions #1 and #2 respectively, so they are evaluated before Allow-Any. Either select and drag each Security rule, or Ctrl + click to select Rules #2 and #3 together, then click Move (at the bottom) > Move Top.
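The reason the two deny rules must sit above Allow-Any is that PAN-OS evaluates the Security rulebase top-down and the first matching rule wins. The following is an added example, not code from Palo Alto Networks or from the original post: a small Python model of the three rules built above, with first-match evaluation. The feed contents, the GeoIP table, the host addresses and the zones on Allow-Any (assumed any-to-any) are constructed for the lab; the real predefined feeds change daily and must be read from the firewall itself.

```python
"""Toy first-match model of the PAN-OS security rulebase built in this post.

Added example, not code from Palo Alto Networks or the original post. Feeds,
GeoIP table and hosts are constructed stand-ins for the lab.
"""
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the two predefined feeds (the real feeds are far larger).
EDLS = {
    "panw-highrisk-ip-list": ["103.37.60.0/24", "103.253.73.168"],
    "panw-known-ip-list": ["198.51.100.0/24"],
}

# Constructed GeoIP table, prefix -> region code. The HK/TH entries mirror the
# countries the post's Detailed Log View showed for the two pinged addresses.
GEO = {"103.37.60.0/24": "HK", "103.253.73.0/24": "TH",
       "203.0.113.0/24": "CN", "192.0.2.0/24": "RU", "100.64.0.0/24": "KP"}

RULE_NAME_MAX = 31  # limit on a Security rule name, as quoted in the post


def region_of(ip):
    """Region code for an address from the constructed GeoIP table, or None."""
    addr = ipaddress.ip_address(ip)
    for prefix, code in GEO.items():
        if addr in ipaddress.ip_network(prefix):
            return code
    return None


def address_matches(ip, entry):
    """An address entry is 'any', an EDL name, a two-letter region code or a literal."""
    if entry == "any":
        return True
    addr = ipaddress.ip_address(ip)
    if entry in EDLS:
        return any(addr in ipaddress.ip_network(n) for n in EDLS[entry])
    if len(entry) == 2 and entry.isalpha():
        return region_of(ip) == entry
    return addr in ipaddress.ip_network(entry, strict=False)


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    source: tuple
    destination: tuple
    action: str

    def __post_init__(self):
        if len(self.name) > RULE_NAME_MAX:
            raise ValueError(f"rule name longer than {RULE_NAME_MAX} characters")

    def matches(self, from_zone, to_zone, src, dst):
        return (self.from_zone in ("any", from_zone)
                and self.to_zone in ("any", to_zone)
                and any(address_matches(src, e) for e in self.source)
                and any(address_matches(dst, e) for e in self.destination))


def evaluate(rulebase, from_zone, to_zone, src, dst):
    """First matching rule wins; interzone traffic matching nothing is denied
    by the implicit interzone-default rule."""
    for rule in rulebase:
        if rule.matches(from_zone, to_zone, src, dst):
            return rule.name, rule.action
    return "interzone-default", "deny"


BLOCKLISTS = ("panw-highrisk-ip-list", "panw-known-ip-list", "KP", "CN", "RU")

ALLOW_ANY = Rule("Allow-Any", "any", "any", ("any",), ("any",), "allow")  # zones assumed
BLOCK_OUT = Rule("BLOCK-OUT-HIGH-MALICIOUS-IP", "inside", "outside",
                 ("any",), BLOCKLISTS, "deny")
BLOCK_IN = Rule("BLOCK-IN-HIGH-MALICIOUS-IP", "outside", "inside",
                BLOCKLISTS, ("any",), "deny")

# Clone leaves the new rules below Allow-Any; Move Top is what makes them effective.
AS_CLONED = [ALLOW_ANY, BLOCK_OUT, BLOCK_IN]
AFTER_MOVE_TOP = [BLOCK_OUT, BLOCK_IN, ALLOW_ANY]

if __name__ == "__main__":
    for label, rb in (("as cloned", AS_CLONED), ("after Move Top", AFTER_MOVE_TOP)):
        print(label, evaluate(rb, "inside", "outside", "10.1.1.10", "103.37.60.112"))
    print("inbound from CN", evaluate(AFTER_MOVE_TOP, "outside", "inside", "203.0.113.7", "10.1.1.10"))
```

Running it shows the same ping to 103.37.60.112 reported as Allow-Any / allow while the deny rules are still below Allow-Any, and as BLOCK-OUT-HIGH-MALICIOUS-IP / deny once they are moved to the top; the inbound rule catches a constructed CN source the same way.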



Before clicking Commit, I tried to ping one of the High Risk IP addresses (as of this writing): 103.37.60.112 and 103.253.73.168.


To list the addresses in a predefined feed, issue the CLI command request system external-list show type predefined-ip name <list>, where <list> is panw-highrisk-ip-list (High risk IP addresses) or panw-known-ip-list (Known malicious IP addresses).


To monitor ICMP logs, go to Monitor > Logs > Traffic.

Notice that the Application: ping entries to Destination: 103.37.60.112 and 103.253.73.168 had an Action: allow, because the new rules had not yet been committed.


Click on magnifying glass icon to get a Detailed Log View.

Notice under Destination > Address (103.37.60.112) > Country > Hong Kong.


Notice under Destination > Address (103.253.73.168) > Country > Thailand.


To apply the new Security rules, click Commit.


I was unable to ping to the High Risk IP addresses afterwards.


To monitor ICMP logs, go to Monitor > Logs > Traffic.

Notice Application: ping > Action: deny > Rule: BLOCK-OUT-HIGH-MALICIOUS-IP.


Click the magnifying glass icon to get a Detailed Log View.



I tried to visit popular websites in China and Russia, but my access was denied.


Click the magnifying glass icon to get a Detailed Log View.



I also got denied when I visited a North Korean website.


