https://live.paloaltonetworks.com/t5/general-topics/how-to-quot-fix-quot-vulnerabilities/m-p/25666#M18718 <HTML><HEAD></HEAD><BODY><P>Hey johnd,</P><P></P><P>We're in the same boat.&nbsp; We get many vulnerability hits internally of the same type as yours.</P><P></P><P>The thing to do seems to be to open a case with PAN support for each vuln.&nbsp; It's best to start with the ones that are blocking traffic rather than just alerting you.&nbsp; Then, IMHO, go for the ones that are most annoying&nbsp; <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /> and are most easily reproduced.&nbsp; PAN support will most likely ask you to reproduce the alert with packet capturing on and to add the files or other data to the case that's being transmitted when the vulnerability is identified.</P><P></P><P>The end result may be surprising.&nbsp; We generated a case because traffic between our Microsoft SCCM servers and their clients generated many thousands of 40026:&nbsp; SSL Renegotiation Denial of Service vulnerabilities.&nbsp; We did the packet captures and submitted file samples.&nbsp; PAN support came back and said that, yes indeed, this is vulnerable traffic.&nbsp; There seemed to be no more recourse with PAN support; we could then go to Microsoft to see why they're transmitting vulnerable traffic as part of their protocols.&nbsp; In the end, we decided to keep the Microsoft SCCM servers running as they were and supress the alerts on the Palo Altos.</P></BODY></HTML> Tue, 18 Sep 2012 14:29:04 GMT bstapleton 2012-09-18T14:29:04Z https://live.paloaltonetworks.com/t5/general-topics/how-to-quot-fix-quot-vulnerabilities/m-p/25665#M18717 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>I have a lot of vulnerabilities that keeps triggering in my firewall, but I'm not sure whats causing it or how to fix it.&nbsp; </P><P>Most "attacks" are done by servers or clients on my own network...</P><P></P><P>- Microsoft Windows SMB Fragmentation RPC Request Attempt (<STRONG>14K</STRONG>).&nbsp; Any ideas how to fix this.</P><P>- HTTP Forbidden Error (<STRONG>7K</STRONG>).&nbsp; This would make sende if it was 30-40 alerts, but not 7K in the last 30 days.</P><P>- HTTP WWW-Authentication Failed (<STRONG>4K</STRONG>).&nbsp; Could this be caused by the exchange client?</P><P>- DNS Answer Big TXT Record Response Anomaly (<STRONG>1K</STRONG>)</P><P></P><P></P><P>Thank you</P></BODY></HTML> Mon, 17 Sep 2012 08:43:22 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-quot-fix-quot-vulnerabilities/m-p/25665#M18717 johnd 2012-09-17T08:43:22Z https://live.paloaltonetworks.com/t5/general-topics/how-to-quot-fix-quot-vulnerabilities/m-p/25666#M18718 <HTML><HEAD></HEAD><BODY><P>Hey johnd,</P><P></P><P>We're in the same boat.&nbsp; We get many vulnerability hits internally of the same type as yours.</P><P></P><P>The thing to do seems to be to open a case with PAN support for each vuln.&nbsp; It's best to start with the ones that are blocking traffic rather than just alerting you.&nbsp; Then, IMHO, go for the ones that are most annoying&nbsp; <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /> and are most easily reproduced.&nbsp; PAN support will most likely ask you to reproduce the alert with packet capturing on and to add the files or other data to the case that's being transmitted when the vulnerability is identified.</P><P></P><P>The end result may be surprising.&nbsp; We generated a case because traffic between our Microsoft SCCM servers and their clients generated many thousands of 40026:&nbsp; SSL Renegotiation Denial of Service vulnerabilities.&nbsp; We did the packet captures and submitted file samples.&nbsp; PAN support came back and said that, yes indeed, this is vulnerable traffic.&nbsp; There seemed to be no more recourse with PAN support; we could then go to Microsoft to see why they're transmitting vulnerable traffic as part of their protocols.&nbsp; In the end, we decided to keep the Microsoft SCCM servers running as they were and supress the alerts on the Palo Altos.</P></BODY></HTML> Tue, 18 Sep 2012 14:29:04 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-quot-fix-quot-vulnerabilities/m-p/25666#M18718 bstapleton 2012-09-18T14:29:04Z https://live.paloaltonetworks.com/t5/general-topics/how-to-quot-fix-quot-vulnerabilities/m-p/25667#M18719 <HTML><HEAD></HEAD><BODY><P><SPAN style="text-decoration: underline;">In most contexts</SPAN>, I would say these 4 alerts should be ignored, so disabled.</P></BODY></HTML> Tue, 18 Sep 2012 14:49:47 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-quot-fix-quot-vulnerabilities/m-p/25667#M18719 essnet 2012-09-18T14:49:47Z