https://live.paloaltonetworks.com/t5/general-topics/sophos-antivirus/m-p/48280#M35529 <HTML><HEAD></HEAD><BODY><P>Greetings,</P><P></P><P>Was wondering if any one else has faced this problem.</P><P></P><P>I have Sophos antivirus and when I create a rule with the vulnerability protection set to Strict, it blocks my connection to sophos server for updates.&nbsp; Once I relax the VP rule, it looks fine.&nbsp; Interestingly, I cannot see anything in the traffic/threat logs as well.</P><P></P><P>Has anyone faced such a situation and if yes, how was it managed?</P><P></P><P>Cheers</P><P>Kalyan</P></BODY></HTML> Tue, 07 May 2013 15:44:25 GMT kalyanram.piratla 2013-05-07T15:44:25Z https://live.paloaltonetworks.com/t5/general-topics/sophos-antivirus/m-p/48280#M35529 <HTML><HEAD></HEAD><BODY><P>Greetings,</P><P></P><P>Was wondering if any one else has faced this problem.</P><P></P><P>I have Sophos antivirus and when I create a rule with the vulnerability protection set to Strict, it blocks my connection to sophos server for updates.&nbsp; Once I relax the VP rule, it looks fine.&nbsp; Interestingly, I cannot see anything in the traffic/threat logs as well.</P><P></P><P>Has anyone faced such a situation and if yes, how was it managed?</P><P></P><P>Cheers</P><P>Kalyan</P></BODY></HTML> Tue, 07 May 2013 15:44:25 GMT https://live.paloaltonetworks.com/t5/general-topics/sophos-antivirus/m-p/48280#M35529 kalyanram.piratla 2013-05-07T15:44:25Z https://live.paloaltonetworks.com/t5/general-topics/sophos-antivirus/m-p/48281#M35530 <HTML><HEAD></HEAD><BODY><P>Are you saying you have "log at session end" checked in the actions tab, and you still don't see them show up in the threat log?</P></BODY></HTML> Tue, 07 May 2013 16:07:11 GMT https://live.paloaltonetworks.com/t5/general-topics/sophos-antivirus/m-p/48281#M35530 craymond 2013-05-07T16:07:11Z https://live.paloaltonetworks.com/t5/general-topics/sophos-antivirus/m-p/48282#M35531 <HTML><HEAD></HEAD><BODY><P>Also, as debugging, create a new profile where you set everything to alert that is:</P><P></P><P>Critical: Alert</P><P>High: Alert</P><P>Medium: Alert</P><P>Low: Alert</P><P>Informational: Alert</P><P></P><P>and then create a new security rule (only for this particular srcip or if its dstip in your case) above the current one. In this new security rule attach the new vuln profile from above.</P><P></P><P>Now you should hopefully see what is being identified for this traffic flow.</P><P></P><P>If you are not comfortable with setting all levels to Alert you can set them to Block (since this is just debug) - blocked traffic should be logged if you have set the "log on session end" (I guess "log on session start" wont pickup any threat).</P><P></P><P>However isnt the Threat log on its own not depending on what the security rule itself is set to? I mean I though the security rule was regarding Traffic logging. If a vuln should log or not is set in the vuln profile itself (such as Alert means log only while Block means block and log, while Allow will not log at all (for this you use Alert instead)).</P></BODY></HTML> Wed, 08 May 2013 04:28:52 GMT https://live.paloaltonetworks.com/t5/general-topics/sophos-antivirus/m-p/48282#M35531 mikand 2013-05-08T04:28:52Z https://live.paloaltonetworks.com/t5/general-topics/sophos-antivirus/m-p/48283#M35532 <HTML><HEAD></HEAD><BODY><P>Yes, I do have it as Log at session end.</P></BODY></HTML> Wed, 08 May 2013 07:03:53 GMT https://live.paloaltonetworks.com/t5/general-topics/sophos-antivirus/m-p/48283#M35532 kalyanram.piratla 2013-05-08T07:03:53Z https://live.paloaltonetworks.com/t5/general-topics/sophos-antivirus/m-p/48284#M35533 <HTML><HEAD></HEAD><BODY><P>Mikand - I was under the impression that Vuln profiles with specific actions set does log the events under Threat Monitor.&nbsp; None of the profiles have allow as an action, so I would ideally expect to see everything being logged in.&nbsp; But that is not the case.&nbsp; For some reason I cannot see any traffic or threat logs for Sophos updates.&nbsp; But upon disabling the rule, the updates work but still nothing in the traffic or threat logs <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P></P><P>Cheers</P></BODY></HTML> Wed, 08 May 2013 07:06:58 GMT https://live.paloaltonetworks.com/t5/general-topics/sophos-antivirus/m-p/48284#M35533 kalyanram.piratla 2013-05-08T07:06:58Z https://live.paloaltonetworks.com/t5/general-topics/sophos-antivirus/m-p/48285#M35534 <HTML><HEAD></HEAD><BODY><P>Did you try the suggestion that Mikand gave to create a new VP profile and set everything to alert? Have you updated the the application and threat signatures to the latest? Each CVE has an associated default action (allow, alert, reset, block). If you don't see anything in the threat log going to the dst address of sophos even after setting everything to alert, then It should not get blocked at any setting. If you do see it after setting everything to alert (like under informational threat) check to see what the CSV is set to as default for that CSV. If you don't see anything, I would open a case with TAC. </P></BODY></HTML> Thu, 09 May 2013 13:03:10 GMT https://live.paloaltonetworks.com/t5/general-topics/sophos-antivirus/m-p/48285#M35534 craymond 2013-05-09T13:03:10Z https://live.paloaltonetworks.com/t5/general-topics/sophos-antivirus/m-p/48286#M35535 <HTML><HEAD></HEAD><BODY><P>Tried all means possible.&nbsp; I am now raising it with TAC.</P></BODY></HTML> Thu, 09 May 2013 16:50:00 GMT https://live.paloaltonetworks.com/t5/general-topics/sophos-antivirus/m-p/48286#M35535 kalyanram.piratla 2013-05-09T16:50:00Z