Palo Alto Auto-Tagging to Automate Security Actions

Auto-tagging allows the firewall to tag a policy object when it receives a log that matches specific criteria, creating an IP-to-tag or user-to-tag mapping. For example, when the firewall generates a traffic or threat log, you can configure it to tag the source IP address or User associated with that log using a specific tag name. These tags can then be used to automatically populate policy objects like Dynamic User Groups or Dynamic Address Groups, which in turn can automate security actions within security policies.

For example, let's say I have a policy that denies traffic from the Internet to the firewall's public IP or subnet whenever someone attempts to access random ports. This policy blocks the traffic and generates a traffic log. Now, if someone tries to target our public IP on port 22 (SSH), we might want to add them to a blacklist, which is a Dynamic Address Group. We can then create another policy that references this Dynamic Address Group to block any further traffic from this IP address.

A Realistic Use Case

A realistic use case is when you want to block a source IP after multiple failed authentication attempts to GlobalProtect. Typically, you can use Vulnerability Protection to detect brute force attempts; for example, I usually configure it to block the Source IP if the firewall detects 10 failed attempts within a minute. However, the firewall can only block the IP for a maximum of 60 minutes. By using Dynamic Address Groups, I can add this IP to an address group and create a policy that permanently blocks any further attempts from this IP.

Configuration

First, create a 'Tag' as you normally would. Then, create an Address Group with the type set to 'Dynamic' and add match criteria using the name of the Tag. Next, create a Log Forwarding profile with a log filter, and set the action to 'Add a Tag' to the source or destination IP. This way, when a log is generated, the specified tag will be added to the IP, which will automatically include this IP in the Dynamic Address Group.

As mentioned earlier, for this example, I'll use a simple scenario where if anyone tries to access my public IP on port 22 (SSH), I want to block all traffic from their IP. Let's go through the configuration step-by-step.

Tag and Address Group

Log Forwarding Profile

Navigate to Objects > Log Forwarding Profile and create a new Log Forwarding Match List inside. Here, I'm creating a new one called ssh_block_list.

Here you can choose the 'Log Type' and add a filter. My filter in this example matches any attempt on my 'WAN' zone on port '22'.

Next, add a built-in action that targets the 'Source IP', set the action to 'Add Tag' and choose the Tag we created in the first step.

Here I set the timeout to '4320' minutes, which is 3 days, so the Tag will be removed after 3 days. Setting the timeout to '0' makes it permanent.

💡 You can see the maximum number of dynamically registered IP addresses supported for each platform here.

The most important part is that the security policy generating the log must have this Log Forwarding profile attached. In my case, I have a policy (catch-all) that blocks all traffic to my public IP except for port 443, which is used for allowing access to the GlobalProtect portal. I'm going to attach this Log Forwarding profile to that policy.

Security Policy

Finally, I'm going to create a security policy that references the Dynamic Address Group as the 'Source'. This policy will deny all traffic originating from any IP in the Dynamic Address Group.
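To make the whole chain concrete (a log matches the filter, the source IP gets the tag with a timeout, the Dynamic Address Group picks it up, and the deny rule consults the group), here is an added Python model of that behaviour. It is not Palo Alto code and not from the original post; the tag name ssh_block, the log field names and the sample log records are constructed, and the filter is my rendering of the post's 'WAN zone, port 22' match.

```python
"""Model of PAN-OS auto-tagging: log filter -> IP-to-tag mapping with timeout -> Dynamic Address Group."""

TAG = "ssh_block"        # tag from step 1 (name assumed for this example)
TAG_TIMEOUT_MIN = 4320   # 3 days, as in the post; 0 means the tag is permanent

# Constructed traffic log records; field names loosely follow PAN-OS traffic log columns
SAMPLE_LOGS = [
    {"time": 0,  "src": "203.0.113.7",  "from_zone": "WAN", "dport": 22,  "action": "deny"},
    {"time": 5,  "src": "203.0.113.9",  "from_zone": "WAN", "dport": 443, "action": "allow"},
    {"time": 10, "src": "10.0.0.5",     "from_zone": "LAN", "dport": 22,  "action": "allow"},
    {"time": 60, "src": "198.51.100.4", "from_zone": "WAN", "dport": 22,  "action": "deny"},
]

def match_filter(log):
    """Log Forwarding filter from the post, roughly '(zone.src eq WAN) and (port.dst eq 22)'."""
    return log["from_zone"] == "WAN" and log["dport"] == 22

class RegisteredIPs:
    """IP-to-tag mappings with per-mapping expiry, as the firewall keeps them."""
    def __init__(self, timeout_min=TAG_TIMEOUT_MIN):
        self.timeout_min = timeout_min
        self.expiry = {}  # (ip, tag) -> expiry time in minutes, or None if permanent

    def add_tag(self, ip, tag, now_min):
        # A repeat match refreshes the timeout instead of duplicating the entry
        self.expiry[(ip, tag)] = None if self.timeout_min == 0 else now_min + self.timeout_min

    def dag_members(self, tag, now_min):
        """Dynamic Address Group whose match criteria is 'tag': unexpired IPs carrying it."""
        return sorted(ip for (ip, t), exp in self.expiry.items()
                      if t == tag and (exp is None or exp > now_min))

def process_logs(logs, timeout_min=TAG_TIMEOUT_MIN):
    """Apply the Log Forwarding profile's 'Add Tag' action to every matching log."""
    reg = RegisteredIPs(timeout_min)
    for log in logs:
        if match_filter(log):
            reg.add_tag(log["src"], TAG, log["time"])
    return reg

def policy_action(reg, src_ip, now_min):
    """Deny rule whose Source is the DAG; non-members fall through to later rules."""
    return "deny" if src_ip in reg.dag_members(TAG, now_min) else "next-rule"

if __name__ == "__main__":
    reg = process_logs(SAMPLE_LOGS)
    print("DAG at t=100 min:", reg.dag_members(TAG, 100))
    print("DAG at t=4321 min:", reg.dag_members(TAG, 4321))
```

Note that only the WAN-side port 22 attempts end up in the group, and the first entry drops out after 4320 minutes while a timeout of 0 keeps both forever.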

Verification

I can already see a lot of IPs being added to the Dynamic Address Group. By looking at the traffic logs, I can also confirm that subsequent attempts from those IPs are being blocked by the security policy we created. This adds another layer of security for me. If someone attempts to access port 22, they are automatically added to the blocklist, preventing them from trying something else, like port 443, later on.
