Firewall Breached? Contain the Threats & Keep Operations Running!

Edge Firewall Compromised? Here’s How to Contain, Monitor, and Mitigate

Zero-day attacks (like CVE-2024-3400) and even known CVEs thrown at you before your team has a chance to patch your gear, can cause devastating impacts to your business, especially when they compromise the integrity and effectiveness of your edge firewall.

This is not a rare occurrence. So, what do you do when it happens to you???

You can’t just shut down the network; business must go on to the full extent possible. At the same time, with your firewall hit, you can’t trust it keep the bad guys out as you could before. How do you contain the breach, monitor malicious activity, and mitigate damage until the breach is addressed, your infected systems are healed, and your firewall can get back to doing its job?

Once an edge firewall compromise has been detected (which can be tricky enough on its own), you must act quickly! Let’s dig into some practical steps that you can take to minimize the threat and keep your network running so that you can continue executing your mission.

1. Contain the Breach Without Downtime

A breached firewall (e.g., Palo Alto PA-Series) risks lateral movement to internal systems, can facilitate additional malicious traffic entering your network, and makes extraction of your data by the enemy much easier than it otherwise would be. Containment is a crucial first step for preventing the disease from spreading further.

• Segment Your Network: Dividing your network into VLANs and/or subnets is a great way to limit a multitude of cybersecurity risks, including limiting attacker mobility within your network once a breach has occurred. Consider locking things down further, temporarily, once a breach is detected to isolate impacted systems from healthy ones.
• Restrict Firewall Rules: Temporarily tighten inbound/outbound rules on the compromised firewall. Block traffic that is not absolutely essential and further restrict access to trusted systems until your incident response (IR) efforts can determine that it’s safe to return to standard operations.
• Automate These Steps for the Future: A SOAR (Security Orchestration, Automation, and Response) system, and other similar systems, can be used to: auto-isolate the firewall and/or other affected systems by applying dynamic rules, block suspicious Ips, and restrict inbound and outbound traffic to essential flows while limiting disruption to core business operations. Make use of systems that have maximum visibility into the data traversing your network to give your SOAR, and your security team, as much valuable information as quickly as possible so that they can act.

2. Monitor Malicious Traffic and Activity

Hackers don’t stop once they’ve hit your firewall…that’s just the beginning. Now they’ll be looking to expand their foothold in your network, find your juicy data, and establish stealthy command & control and data exfiltration paths. Monitoring is critical to track the attacker until your edge defenses are back in solid shape.

• Utilize Deep Packet Inspection (DPI): Use deep packet inspection tools to closely monitor traffic for anomalies (e.g. – malformed HTTP requests). Doing this as close to the infected edge firewall as possible will assist with catching additional moves being made by the attackers. It’s also ideal to watch key network points like segment boundaries and critical system connections.
• Audit Logs Regularly: Review firewall logs and leverage a SIEM (Security Information & Event Management) to detect unauthorized rule changes, strange user activity, or new admin accounts. Verizon’s 2025 Data Breach Investigation Report notes that nearly one third (31%) of breaches involved credential abuse, which are hard to catch without audits.
• Practice Zero-Trust at the Edge: Everything that enters and exits your network, or touches any of your systems, should be scrutinized. Real threats span the protocol stack from layer 1 to layer 7, so don’t take anything for granted.  Bit-error rate spikes at ingress/egress points, unexpected optical signal overhead changes, seemingly innocuous GRE packets leaving your network, and uncorrelated dataflows entering your network, all feed the bigger picture that can help you protect your network and reduce the fallout of an intrusion.

3. Mitigate Nefarious Activity

Mitigation buys precious time, preserving system integrity while awaiting a vendor patch installation and completion of your incident response activities.

• Deploy Vendor Workarounds: Apply vendor-recommended mitigations (e.g., Palo Alto’s Threat Prevention signatures 95187–95191 which helped block CVE-2024-3400). Disable unused features to reduce attack surfaces. Even in the absence of a patch that addresses the root issue, there are almost always other actions that can be taken to protect yourself from becoming a victim.
• Use Threat Intelligence: Subscribe to feeds (e.g., CrowdStrike Falcon) to update Indications of Compromise and block known C2 server Ips as they are uncovered. Plug into threat hunting communities to share additional discoveries and mitigation strategies with other attack victims and experts. We can guarantee that you aren’t the only organization suffering from such a major vulnerability, even after it’s been patched. You don’t need to fight alone!
• Harden Adjacent Systems: Patch internal servers, update admin and user passwords, and implement additional security features on switches and routers that may not currently be in use. This will help to prevent lateral movement via trusted connections and exposed credentials.

Real-World Lesson: Operation MidnightEclipse, Post-CVE-2024-3400 Exploitation Activity (2024)

Volexity’s Operation MidnightEclipse performed an in-depth analysis of the Palo Alto firewall zero-day attacks covered by CVE-2024-3400 in which attackers exploit Palo Alto firewalls, deploying UPSTYLE & cronjob backdoors. Teams worked together and with Palo Alto to contain things by isolating firewalls, closely monitoring internal network activity, and mitigating additional issues with temporary rules—keeping networks online until Palo Alto dropped the needed patch for its firewalls.