This project leverages the list of IP addresses detected as malicious by Criminal IP to generate and manage blocking rules on Palo Alto firewalls automatically. With this system, security threats can be quickly addressed, and network security can be enhanced by blocking malicious IP addresses.
- Retrieve Malicious IP List: Fetch the latest list of IP addresses classified as malicious from Criminal IP.
- Generate Block Rules: Automatically create block rules on Palo Alto firewalls based on the malicious IP list retrieved from Criminal IP.
- Manage Block Rules: Periodically review, update, or remove the created block rules.
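
Before a retrieved list is turned into block rules, it is worth vetting it so that a malformed entry, an internal range, or one of your own addresses never ends up in the policy. The following is an added example, not code from this repository; `vet_feed`, the `never_block` list, the `max_entries` limit and the sample data are assumptions made for illustration.

```python
import ipaddress

# Ranges that should never reach a block rule: private, loopback, link-local,
# CGNAT, multicast and reserved space.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

def vet_feed(entries, never_block, max_entries=5000):
    """Return (blockable, rejected) for a raw list of feed entries.

    blockable: sorted, de-duplicated address strings that are safe to push.
    rejected:  (entry, reason) tuples to log for review.
    Raises ValueError if the feed is larger than max_entries, so that an
    abnormal feed stops the run instead of flooding the policy.
    """
    if len(entries) > max_entries:
        raise ValueError(f"feed has {len(entries)} entries, limit is {max_entries}")
    allow = [ipaddress.ip_network(n) for n in never_block]
    keep, rejected = set(), []
    for raw in entries:
        text = str(raw).strip()
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            rejected.append((text, "not an IP address"))
            continue
        if any(ip in net for net in NON_ROUTABLE):
            rejected.append((text, "non-routable"))
        elif any(ip in net for net in allow):
            rejected.append((text, "allowlisted"))
        else:
            keep.add(ip)
    ordered = sorted(keep, key=lambda a: (a.version, int(a)))
    return [str(a) for a in ordered], rejected

# Constructed sample data (documentation ranges, not real indicators).
SAMPLE_FEED = ["192.0.2.10", " 192.0.2.10 ", "10.1.2.3", "203.0.113.7",
               "not-an-ip", "198.51.100.23", "2001:db8::5", "127.0.0.1"]
SAMPLE_NEVER_BLOCK = ["203.0.113.0/24"]  # stands in for your own egress range

if __name__ == "__main__":
    ok, bad = vet_feed(SAMPLE_FEED, SAMPLE_NEVER_BLOCK)
    print("push:", ok)
    for entry, reason in bad:
        print("skip:", entry, "-", reason)
```
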
- Copy the API key after logging in at: https://www.criminalip.io/mypage/information
- Use the API Key provided when creating an account for the Palo Alto REST API Administrator.
- For more details, refer to the "API key verification method" section under "Usage".
- The name of the policy that enforces automatic blocking rules.
- This value can be found in the firewall's Policy section.
- Clone the repository:

  ```
  git clone https://github.com/criminalip/PaloAlto-Maliciousip-AutoBlock.git
  ```

- fire_config.py settings:
| Setting | Description |
|---|---|
| CRIMINALIP_API_KEY | Insert your Criminal IP API KEY here. |
| TARGET | Insert the firewall address here. |
| TOKEN | Insert the Palo Alto API Key here. |
| POLICYID | Put the Palo Alto Policy Name here. |

```
📦Paloalto_Auto_Block
┣ 📂core
┃ ┣ 📂cip_api
┃ ┃ ┣ 📂input
┃ ┃ ┣ 📂output
┃ ┃ ┣ 📜cip_request_get_ip.py
┃ ┃ ┗ 📜managefiles.py
┃ ┗ 📂paloalto_manage
┃ ┃ ┗ 📜_paloalto_request_parm.py
┣ 📂log
┣ 📜cip_c2_detect_query.json
┣ 📜fire_config.py
┣ 📜main.py
┗ 📜README.md
```

```
python main.py --get-api-key --username <your_username> --password <your_password>
```

```
python main.py --run-main
```

The images below show how the uploaded IP addresses are grouped by date for management and applied automatically based on the defined policy.

