https://live.paloaltonetworks.com/t5/next-generation-firewall/20240701-0110-anti-virus-and-threat-detection-within-websocket/m-p/592748#M3468 <P>Hello Romain,</P> <P>&nbsp;</P> <P>thanks for your reply.</P> <P>We did some tests on this and could upload the EICAR test virus, when using a websocket connection. The same file was blocked instantly, when using a standard http session. The same happened when sending crafted links like for log4j.</P> <P>I've already opened a TAC case and we will do an analysis with PA shortly.</P> <P>&nbsp;</P> <P>Best regards,</P> <P>Oliver</P> Tue, 23 Jul 2024 09:39:16 GMT TRisec 2024-07-23T09:39:16Z https://live.paloaltonetworks.com/t5/next-generation-firewall/20240701-0110-anti-virus-and-threat-detection-within-websocket/m-p/592419#M3432 <P>Hi,</P> <P>&nbsp;</P> <P>I just came across an interesting question regarding websocket connections running through an NGFW. How does virus inspection and threat detection work here? From what I know websocket connections aren't compatible with normal HTTP connections (ignoring wss for the moment which might be a different problem). So is an NGFW still able to scan those connections? I haven't found any documentation on this explaining the matter.</P> <P>&nbsp;</P> <P>Best regards</P> <P>&nbsp;</P> <P>Oliver</P> Thu, 18 Jul 2024 09:10:46 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/20240701-0110-anti-virus-and-threat-detection-within-websocket/m-p/592419#M3432 TRisec 2024-07-18T09:10:46Z https://live.paloaltonetworks.com/t5/next-generation-firewall/20240701-0110-anti-virus-and-threat-detection-within-websocket/m-p/592743#M3467 <P>Hello,</P> <P>This is a good question. I have decrypted websocket trafic on the firewall and the vulnerability protection profile have matched some signatures for this flow. I can't tell you more about this so you may open a tac in order to get this information.</P> <P>Have a good day</P> Tue, 23 Jul 2024 09:23:20 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/20240701-0110-anti-virus-and-threat-detection-within-websocket/m-p/592743#M3467 RomainSalmon 2024-07-23T09:23:20Z https://live.paloaltonetworks.com/t5/next-generation-firewall/20240701-0110-anti-virus-and-threat-detection-within-websocket/m-p/592748#M3468 <P>Hello Romain,</P> <P>&nbsp;</P> <P>thanks for your reply.</P> <P>We did some tests on this and could upload the EICAR test virus, when using a websocket connection. The same file was blocked instantly, when using a standard http session. The same happened when sending crafted links like for log4j.</P> <P>I've already opened a TAC case and we will do an analysis with PA shortly.</P> <P>&nbsp;</P> <P>Best regards,</P> <P>Oliver</P> Tue, 23 Jul 2024 09:39:16 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/20240701-0110-anti-virus-and-threat-detection-within-websocket/m-p/592748#M3468 TRisec 2024-07-23T09:39:16Z