https://live.paloaltonetworks.com/t5/general-topics/tracking-an-infected-computer/m-p/46986#M34534 <HTML><HEAD></HEAD><BODY><P>Hello Todd,</P><P></P><P>Is there any related information pops up under Monitor &gt; Threat logs...?</P><P></P><P>Also please apply below mentioned command to stop suppressing repetitive logs on PAN FW.</P><P></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"># set </SPAN><SPAN class="GINGER_SOFATWARE_spelling" style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><SPAN class="GINGER_SOFTWARE_mark">deviceconfig</SPAN></SPAN><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"> setting logging log-suppression no</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">Thanks<BR /></SPAN></P></BODY></HTML> Fri, 03 Jan 2014 21:28:36 GMT HULK 2014-01-03T21:28:36Z https://live.paloaltonetworks.com/t5/general-topics/tracking-an-infected-computer/m-p/46985#M34533 <HTML><HEAD></HEAD><BODY><P>I got a notice from my ISP that we have a Conficker infected system (<SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif';">downadup</SPAN>) but I am coming up with nothing when I try to find it.&nbsp; The less than helpful info I recieve is the first octet of the target IP (38) and source port <SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif';">61494</SPAN>, which map to hundreds of system.&nbsp; I also have a destination port of 80, again very helpful.&nbsp; The firewall is NATing for about 2000 systems.&nbsp; Has anyone used their panos box to track a system before and if so what did you do?&nbsp; We have ESET deployed for anti-virus and it is not showing anything right now.&nbsp; We could be missing a system though.&nbsp; I am still fairly new to my PA-3020 box so use small words please.</P><P></P><P>I have been using the threat log and tried the pre-built reports.&nbsp; The Monitor Logs are amazing but I can't seem to narrow the search enough to find the problem.&nbsp; I only have the URL filter and threat prevention license on 5.0.9</P><P></P><P>Thanks,</P><P>Todd</P></BODY></HTML> Fri, 03 Jan 2014 20:18:22 GMT https://live.paloaltonetworks.com/t5/general-topics/tracking-an-infected-computer/m-p/46985#M34533 ToddJohnsen 2014-01-03T20:18:22Z https://live.paloaltonetworks.com/t5/general-topics/tracking-an-infected-computer/m-p/46986#M34534 <HTML><HEAD></HEAD><BODY><P>Hello Todd,</P><P></P><P>Is there any related information pops up under Monitor &gt; Threat logs...?</P><P></P><P>Also please apply below mentioned command to stop suppressing repetitive logs on PAN FW.</P><P></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"># set </SPAN><SPAN class="GINGER_SOFATWARE_spelling" style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><SPAN class="GINGER_SOFTWARE_mark">deviceconfig</SPAN></SPAN><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"> setting logging log-suppression no</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">Thanks<BR /></SPAN></P></BODY></HTML> Fri, 03 Jan 2014 21:28:36 GMT https://live.paloaltonetworks.com/t5/general-topics/tracking-an-infected-computer/m-p/46986#M34534 HULK 2014-01-03T21:28:36Z https://live.paloaltonetworks.com/t5/general-topics/tracking-an-infected-computer/m-p/46987#M34535 <HTML><HEAD></HEAD><BODY><P>Hello Todd</P><P>The simplest way is to make a filter in Thread log</P><P><IMG alt="2014-01-04_182054.png" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/10600_2014-01-04_182054.png" style="width: 620px; height: 105px;" /></P><P>I'm not sure that every variant of Conficker has 12544 id, so You can remove "and ( threatid eq 12544 )"</P><P>Of course You mast have Thret prevention profile added to security rule that is allowing traffic from You networks to Internet.</P><P></P><P>Regards</P><P>SLawek</P></BODY></HTML> Sat, 04 Jan 2014 17:23:56 GMT https://live.paloaltonetworks.com/t5/general-topics/tracking-an-infected-computer/m-p/46987#M34535 _slv_ 2014-01-04T17:23:56Z https://live.paloaltonetworks.com/t5/general-topics/tracking-an-infected-computer/m-p/46988#M34536 <HTML><HEAD></HEAD><BODY><P>Thanks SLawek,</P><P>I finally figured it out with your help.&nbsp; I ran the Threats report and found all the Suspicious DNS Query results I had been unable to find before.&nbsp; Each one has a different ID code that I was able to search for in the Threat log as you describe with great success.&nbsp; Looks like I should be able to trace this after all.</P><P></P><P><IMG alt="ThreatIDs.PNG.png" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/10668_ThreatIDs.PNG.png" style="width: 620px; height: 199px;" /></P><P></P><P>-Todd</P></BODY></HTML> Tue, 07 Jan 2014 19:55:59 GMT https://live.paloaltonetworks.com/t5/general-topics/tracking-an-infected-computer/m-p/46988#M34536 ToddJohnsen 2014-01-07T19:55:59Z