Brute force signatures and how to tune them
Created On 07/29/20 18:32 PM - Last Modified 02/05/25 21:19 PM
Objective
Brute force signatures have UTIDs in the 40XXX range and are found within the Vulnerability Protection profiles.
Each exists within a parent/child relationship, wherein the child signature must be seen X times in Y seconds in order to trigger the parent signature. Generally speaking, the default action for child signatures is "allow", meaning that unless expressly configured to do so, they will not generate a log.
Each parent signature can have its X and Y values tuned in order to account for a particular environment or application needs.
Environment
All PAN-OS firewalls
Procedure
1. Determine which security policy your traffic is hitting from the threat logs (Rule), as well as which vulnerability protection profile is assigned to the policy (or which profile group is assigned and which vulnerability protection profile is in that group).
2. Search for the UTID of the signature in question in the "Exceptions" tab of the vulnerability protection profile. It is usually better to search for the ID as many names are identical and can be confused.
3. Select the pencil next to the threat name to edit the values.
4. Decrease the X value, or increase the Y value. This will be largely dependent on the environment, but smaller increases (no more than 25% at a time) can help to ascertain what a more correct threshold should be for the environment.
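One way to preview a threshold change before applying step 4, as an added example that is not part of the original article or any vendor code: replay child-signature hit times and count how often the parent would fire for candidate X/Y values. It assumes hits are counted per source IP in a sliding window that resets after a trigger (the firewall's own aggregation may differ); the function names, timestamps and addresses are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample: (epoch_seconds, source_ip) for each child-signature hit.
# 10.0.0.5 is a fast burst (12 hits, 1 s apart);
# 10.0.0.9 is a slow client (6 hits, 20 s apart).
SAMPLE_HITS = sorted(
    [(1000 + i, "10.0.0.5") for i in range(12)]
    + [(1000 + 20 * i, "10.0.0.9") for i in range(6)]
)


def parent_triggers(hits, x, y):
    """Return [(time, source)] each time a source reaches x child hits in y seconds.

    Assumption: hits are counted per source and the count resets after a trigger.
    """
    windows = defaultdict(deque)
    fired = []
    for ts, src in sorted(hits):
        win = windows[src]
        win.append(ts)
        # Drop hits that have aged out of the y-second window ending at ts.
        while ts - win[0] >= y:
            win.popleft()
        if len(win) >= x:
            fired.append((ts, src))
            win.clear()
    return fired


def compare(hits, candidates):
    """Map each (x, y) candidate to the number of parent triggers per source."""
    result = {}
    for x, y in candidates:
        counts = defaultdict(int)
        for _, src in parent_triggers(hits, x, y):
            counts[src] += 1
        result[(x, y)] = dict(counts)
    return result


if __name__ == "__main__":
    candidates = [(10, 60), (5, 60), (10, 120), (5, 120)]
    for (x, y), counts in compare(SAMPLE_HITS, candidates).items():
        print(f"X={x:>2} hits in Y={y:>3}s -> parent triggers per source: {counts}")
```

Feeding it timestamps exported from the threat log, with child signatures set to log, shows which sources a candidate X/Y pair would newly include or exclude.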