Authorized file suddenly blocked as threat

Tylerkearns — Wed, 26 Sep 2018 14:38:19 GMT

We came into the office this morning to receive reports from users that they weren't able to access their core application which runs on apache web server. When they login, the internet explorer URL directs the users to www[whatever-url]com/login.jsp . Our clients download the file login.jsp when they access the login portal for the webpage. The firewall is blocking this file in accordance with signature ID 31313 (Oracle single sign on vulnerability).

This behavior has been true since as long as I can remember, but suddenly our PA-3020 running panOS 7.1.1 decided to block this file as a threat. We were able to quickly resolve this issue with a vulnerability protection exemption to allow this threat signature for a specific ip address.

What I'm now working on is to determine what caused this sudden change in behavior that resulted in the file being blocked. Our firewall did take a app and threats update yesterday around 1:45pm (panupv2-all-contents-8069-5027). However, the vulnerability signature that was being blocked was 31313 which is not mentioned in the latest update release and I know this signature has existed for a long time now.

Has anyone ever seen this sort of sudden change of behavior i nthe past? Or any advice on places to check in the palo alto for more clues on what may have occurred?

Re: Authorized file suddenly blocked as threat

mivaldi — Wed, 03 Oct 2018 22:53:26 GMT

There were changes made to signature 31313 in Content version 8068-5026.

Please work with Support to have this False Positive resolved.

topic Re: Authorized file suddenly blocked as threat in Advanced Threat Prevention Discussions

Authorized file suddenly blocked as threat

Re: Authorized file suddenly blocked as threat