<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: PA Bypass Question - McAfee Evader in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/pa-bypass-question-mcafee-evader/m-p/69166#M40187</link>
    <description>&lt;P&gt;Fast response from PA support:&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;On November 30th, a video was posted by the owner of the NetSecVulns YouTube channel titled "666 different ways to bypass palo alto networks in 6 minutes".&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;&amp;nbsp;&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;In the first video, posted Nov 30th, NetSecVulns sets up a lab with a Windows XP SP2 victim and the Stonesoft Evader tool configured to use the Conficker attack and a Palo Alto Networks Next-Generation Firewall in Layer 3 mode placed in between 2 endpoints. Great pains are made to show that our firewall is configured using our Best Practices configuration document. Once the Evader tool completes its run, the administrator shows that our firewall missed 666 evasion attempts.&amp;nbsp;&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;&amp;nbsp;&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;In reality, NetSecVulns skipped step 4 in our Best Practices document: creation of an unknown application block rule. This can be verified in the video (at 2:20) where we see a single allow rule instead of the expected 2 rules with the first one dropping unknown applications. Later in the video, at 4:31 and 5:49, it shows the "threat logs", carefully avoiding "traffic logs" where we would have seen unknown-tcp sessions allowed through.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;&amp;nbsp;&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;After running this test in our own lab on PAN-OS 7.0.3, and correctly following the same Best Practices document, we verified that we block&amp;nbsp;&lt;STRONG&gt;&lt;U&gt;100%&lt;/U&gt;&lt;/STRONG&gt;&amp;nbsp;of the 204,090 evasion attempts. Also note that this test is performed by our internal QA team for each PAN-OS major and minor feature release.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;&amp;nbsp;&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;On Dec 3&lt;SUP&gt;rd&lt;/SUP&gt;, NetSecVulns posted a new video, correcting the "step 4" error. However once again they did not follow all steps in the Best Practices document, rendering the test inaccurate and misleading.&lt;/EM&gt;&lt;/P&gt;</description>
    <pubDate>Tue, 08 Dec 2015 14:21:59 GMT</pubDate>
    <dc:creator>Demast</dc:creator>
    <dc:date>2015-12-08T14:21:59Z</dc:date>
    <item>
      <title>PA Bypass Question - McAfee Evader</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/pa-bypass-question-mcafee-evader/m-p/69159#M40184</link>
      <description>&lt;P&gt;Does anyone have any information on the latest posted PA bypass?&amp;nbsp; The youtube video shows some of the FW features&amp;nbsp; being bypassed using McAfee Evader.&amp;nbsp; It appears to require an IP of the firewall to execute - the example also shows most of the evasions relating to protocols not likely to be exposed over the firewall (NetBIOS, RPC, SMB) so I'm not sure how broadly this applies or how bad it is.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;666 different ways to bypass palo alto networks in 6 minutes&lt;/P&gt;
&lt;P&gt;Published on Nov 30, 2015&lt;BR /&gt;full log file can be found &lt;A class="js-link post-link" href="http://www.linkedin.com/redir/redirect?url=http%3A%2F%2Fgoo%2Egl%2FWR3VkJ&amp;amp;urlhash=8jhp&amp;amp;_t=tracking_anet" target="_blank"&gt;http://goo.gl/WR3VkJ&lt;/A&gt;&lt;BR /&gt;full config file &lt;A class="js-link post-link" href="http://www.linkedin.com/redir/redirect?url=http%3A%2F%2Fpastebin%2Ecom%2FPXARPh2a&amp;amp;urlhash=NPbs&amp;amp;_t=tracking_anet" target="_blank"&gt;http://pastebin.com/PXARPh2a&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;It seems pretty bad, and the video claims "This cannot be resolved by a patch or a signature as the single-pass architecture is fundamentally flawed."&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;We are opening a ticket on this to find out more.&lt;/P&gt;</description>
      <pubDate>Tue, 08 Dec 2015 14:08:24 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/pa-bypass-question-mcafee-evader/m-p/69159#M40184</guid>
      <dc:creator>Demast</dc:creator>
      <dc:date>2015-12-08T14:08:24Z</dc:date>
    </item>
    <item>
      <title>Re: PA Bypass Question - McAfee Evader</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/pa-bypass-question-mcafee-evader/m-p/69166#M40187</link>
      <description>&lt;P&gt;Fast response from PA support:&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;On November 30th, a video was posted by the owner of the NetSecVulns YouTube channel titled "666 different ways to bypass palo alto networks in 6 minutes".&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;&amp;nbsp;&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;In the first video, posted Nov 30th, NetSecVulns sets up a lab with a Windows XP SP2 victim and the Stonesoft Evader tool configured to use the Conficker attack and a Palo Alto Networks Next-Generation Firewall in Layer 3 mode placed in between 2 endpoints. Great pains are made to show that our firewall is configured using our Best Practices configuration document. Once the Evader tool completes its run, the administrator shows that our firewall missed 666 evasion attempts.&amp;nbsp;&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;&amp;nbsp;&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;In reality, NetSecVulns skipped step 4 in our Best Practices document: creation of an unknown application block rule. This can be verified in the video (at 2:20) where we see a single allow rule instead of the expected 2 rules with the first one dropping unknown applications. Later in the video, at 4:31 and 5:49, it shows the "threat logs", carefully avoiding "traffic logs" where we would have seen unknown-tcp sessions allowed through.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;&amp;nbsp;&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;After running this test in our own lab on PAN-OS 7.0.3, and correctly following the same Best Practices document, we verified that we block&amp;nbsp;&lt;STRONG&gt;&lt;U&gt;100%&lt;/U&gt;&lt;/STRONG&gt;&amp;nbsp;of the 204,090 evasion attempts. Also note that this test is performed by our internal QA team for each PAN-OS major and minor feature release.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;&amp;nbsp;&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;On Dec 3&lt;SUP&gt;rd&lt;/SUP&gt;, NetSecVulns posted a new video, correcting the "step 4" error. However once again they did not follow all steps in the Best Practices document, rendering the test inaccurate and misleading.&lt;/EM&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 08 Dec 2015 14:21:59 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/pa-bypass-question-mcafee-evader/m-p/69166#M40187</guid>
      <dc:creator>Demast</dc:creator>
      <dc:date>2015-12-08T14:21:59Z</dc:date>
    </item>
  </channel>
</rss>

