Block an IP through Palo Alto
With a Palo Alto integration configured, admin users can block IP addresses on a firewall to respond to potential compromises or ongoing attacks based on Corelight evidence. The block IP functionality integrates with the Investigator detection workflow.
To block IP addresses with Palo Alto firewalls, Investigator uses an External Dynamic List (EDL) stored in an S3 bucket. Your security policy and firewall configuration determine how to import this EDL and apply the list to your firewall.
To block an IP
Click the IP address you want to block; the IP hover card for that address appears.
IP hover cards are available from IP addresses visible in the table view of Detections, from the Entity section of the Detections details page, and from the Security dashboard.
From the Palo Alto pane of the IP hover card, click Block IP.
When prompted to confirm the action, click Block IP again.
Investigator adds the IP address to the EDL to block the address. Firewalls configured to poll this EDL for updates can import this list and update their Access Control List (ACL).
Within Investigator, the entity status changes to Block Requested. (Investigator shows Block Requested instead of Blocked because it cannot guarantee that the firewall imports the EDL.)
Once the firewall has imported the EDL, it blocks network activity from the IP address. In Investigator, the Block IP button changes to Unblock IP.
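Because Investigator only reports Block Requested, an admin who wants to confirm that a block has actually been published can fetch the EDL the firewall polls and look for the address in it. The script below is an added example, not code from this page or from the Investigator product: it parses a constructed EDL sample (assumed format: one IP address or CIDR per line, with optional `#` comments) and reports which requested addresses the list covers.

```python
import ipaddress

# Constructed sample standing in for the EDL fetched from the S3 bucket.
# The bucket URL is deployment-specific and is not shown here.
SAMPLE_EDL = """\
# constructed sample, not a real list
203.0.113.45
198.51.100.0/24
2001:db8::7
"""


def parse_edl(text):
    """Return the networks listed in an EDL, skipping blank, comment and malformed lines.

    The '#' comment convention is an assumption about the list format.
    """
    networks = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=False accepts a CIDR whose host bits are set (e.g. 10.0.0.1/24).
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            # A firewall would not apply a malformed entry either; report it rather than crash.
            print(f"skipping malformed EDL entry: {raw!r}")
    return networks


def is_covered(ip, networks):
    """True if the address falls inside any listed network (IPv4/IPv6 never cross-match)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def check_block_requests(edl_text, requested):
    """Map each address in Block Requested state to whether the EDL actually contains it."""
    nets = parse_edl(edl_text)
    return {ip: is_covered(ip, nets) for ip in requested}


if __name__ == "__main__":
    pending = ["203.0.113.45", "198.51.100.77", "2001:db8::7", "192.0.2.9"]
    for ip, present in check_block_requests(SAMPLE_EDL, pending).items():
        print(f"{ip}: {'in EDL' if present else 'NOT in EDL, block not yet published'}")
```

An address that stays absent after the firewall's next poll interval is the signal to check the S3 export and the EDL configuration on the firewall rather than the detection itself.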
To unblock an IP
Click Unblock IP.
When prompted to confirm the action, click Unblock IP again.
Investigator submits the request and the entity status changes to Unblock Requested.
The Entity Status field reflects the current state of network containment for the entity.
Note
Analyst users can see the Block IP and Unblock IP buttons, but cannot perform the related actions.