PaloAuthShield

PaloAuthShield is a cybersecurity solution that strengthens network defenses by identifying and blocking the source IP addresses behind failed authentication attempts logged by Palo Alto firewalls. To achieve this, I developed an API in PHP that receives the forwarded logs, extracts the relevant fields (event type, result, source IP), and updates a Palo Alto External Dynamic List (EDL) as new failures arrive. The firewall then enforces the list itself, so authentication-based threats such as brute-force attacks are mitigated without manual intervention.

Workflow:

  • The Palo Alto firewall forwards its logs to the custom API server.
  • The API parses the logs for authentication failures, extracts the source IP of each failed attempt, and flags sources with repeated failures as malicious.
  • The API updates a plain-text EDL file hosted on the same server with the current set of blocked IPs, one address per line.
  • The firewall retrieves the EDL at its configured refresh interval and enforces security policy rules that block the listed IPs.
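
The workflow above, as an added example written for this page (it is not PaloAuthShield's own code): a single PHP script that parses failed-authentication log lines, counts failures per source IP, applies a threshold and an allow-list of trusted ranges, and writes the EDL file atomically. The log layout, the threshold, the output path and the allow-listed ranges are all assumptions made for the example; the sample lines are constructed, not real firewall output.

```php
<?php
// Added example, not PaloAuthShield's own code: the log-to-EDL pipeline described
// above, reduced to one runnable script (PHP 7.4+ or 8.x, core functions only).
//
// Assumed input format (constructed for this example; it is NOT the real PAN-OS
// authentication-log CSV layout, whose field order must be mapped per deployment):
//   <timestamp>,<log type>,<result>,<source ip>,<user>
declare(strict_types=1);

const FAILURE_THRESHOLD = 5;                         // assumed policy: block after 5 failures
const EDL_PATH = __DIR__ . '/blocklist.txt';         // assumed path later served to the firewall
const ALLOW_LIST_CIDRS = ['10.0.0.0/8', '192.168.0.0/16']; // assumed trusted ranges, never blocked

/** True if an IPv4 address falls inside a CIDR range. */
function ipInCidr(string $ip, string $cidr): bool
{
    [$network, $bits] = explode('/', $cidr, 2);
    $mask = $bits === '0' ? 0 : ((~0 << (32 - (int) $bits)) & 0xFFFFFFFF);
    return (ip2long($ip) & $mask) === (ip2long($network) & $mask);
}

/** Return the source IP of a failed authentication, or null for anything else. */
function failedAuthSourceIp(string $line): ?string
{
    $fields = explode(',', trim($line));
    if (count($fields) < 5) {
        return null;                                 // truncated or malformed line
    }
    [, $type, $result, $srcIp] = $fields;
    if (strcasecmp($type, 'AUTHENTICATION') !== 0 || strcasecmp($result, 'FAILED') !== 0) {
        return null;                                 // not an authentication failure
    }
    // The EDL is consumed directly by the firewall, so only a syntactically valid
    // IPv4 literal taken from the log may reach it; anything else is dropped.
    if (filter_var($srcIp, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    return $srcIp;
}

/** Count authentication failures per source IP. */
function countFailures(array $lines): array
{
    $counts = [];
    foreach ($lines as $line) {
        $ip = failedAuthSourceIp($line);
        if ($ip !== null) {
            $counts[$ip] = ($counts[$ip] ?? 0) + 1;
        }
    }
    return $counts;
}

/** Sources at or above the threshold, minus allow-listed ranges, sorted for a stable file. */
function buildBlocklist(array $counts, int $threshold = FAILURE_THRESHOLD): array
{
    $blocked = [];
    foreach ($counts as $ip => $failures) {
        if ($failures < $threshold) {
            continue;
        }
        foreach (ALLOW_LIST_CIDRS as $cidr) {
            if (ipInCidr($ip, $cidr)) {
                continue 2;                          // trusted range: never self-inflict a lockout
            }
        }
        $blocked[] = $ip;
    }
    sort($blocked, SORT_STRING);
    return $blocked;
}

/** Write the EDL as one IP per line, atomically, since the firewall may fetch it mid-update. */
function writeEdl(array $ips, string $path = EDL_PATH): void
{
    $tmp = $path . '.tmp';
    file_put_contents($tmp, implode("\n", $ips) . "\n", LOCK_EX);
    rename($tmp, $path);                             // atomic replace on the same filesystem
}

// Constructed sample log lines (not real firewall output).
$sampleLines = [
    '2024-01-01T10:00:00Z,AUTHENTICATION,FAILED,203.0.113.10,alice',
    '2024-01-01T10:00:01Z,AUTHENTICATION,FAILED,203.0.113.10,bob',
    '2024-01-01T10:00:02Z,AUTHENTICATION,FAILED,203.0.113.10,carol',
    '2024-01-01T10:00:03Z,AUTHENTICATION,FAILED,203.0.113.10,dave',
    '2024-01-01T10:00:04Z,AUTHENTICATION,FAILED,203.0.113.10,eve',
    '2024-01-01T10:00:05Z,AUTHENTICATION,FAILED,198.51.100.7,alice',  // one failure: below threshold
    '2024-01-01T10:00:06Z,AUTHENTICATION,SUCCESS,198.51.100.8,alice', // not a failure
    '2024-01-01T10:00:07Z,AUTHENTICATION,FAILED,not-an-ip,mallory',   // invalid field, rejected
];
// Five failures from an allow-listed management host: counted, but never blocked.
for ($i = 0; $i < 5; $i++) {
    $sampleLines[] = "2024-01-01T10:01:0{$i}Z,AUTHENTICATION,FAILED,10.1.2.3,admin";
}

$blocklist = buildBlocklist(countFailures($sampleLines));
writeEdl($blocklist);
echo "EDL now contains:\n", implode("\n", $blocklist), "\n";   // only 203.0.113.10
```

Run it with `php edl_builder.php` (the file name is arbitrary); it writes `blocklist.txt` next to itself containing only `203.0.113.10`. In a deployment the file is served over HTTPS and configured on the firewall as an EDL of type IP list, ideally with a certificate profile so the firewall verifies the server; the firewall applies changes on its next refresh, and PAN-OS's shortest refresh interval is five minutes, which bounds how fast a new block takes effect. Two points deserve attention in a real service: the API endpoint must authenticate or allow-list the firewalls that submit logs, since otherwise anyone who can reach it can push fabricated entries and get arbitrary addresses blocked; and an attacker who deliberately fails logins from behind a shared NAT address can lock out every user behind it, which is what the threshold and allow-list are there to bound.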

Benefits:

  • Improved Security: Automatically blocks sources with repeated authentication failures, reducing exposure to brute-force attacks.
  • Fast Response: New blocks take effect on the firewall's next EDL refresh, without waiting for a policy commit.
  • Automation Efficiency: Removes the manual work of monitoring logs and maintaining blocklists.

Key Features:

  • Parses incoming logs as they arrive to identify failed login attempts and extract the associated source IP addresses.
  • Automates extraction of malicious IPs and regeneration of the EDL file.
  • Builds a dynamic blocklist from repeated authentication failures, so a single mistyped password does not lead to a block.
  • Supports multiple firewalls and log sources forwarding to one API, which then serves a single centrally managed EDL.