https://live.paloaltonetworks.com/t5/general-topics/cloning-traffic-to-simulate-attacks-vulnerabilities/m-p/7028#M5188 <HTML><HEAD></HEAD><BODY><P>You can always get a packet capture of the specific traffic you want and replay it through a device with TCPreplay or Scapy.</P></BODY></HTML> Mon, 11 Apr 2011 19:02:47 GMT migration 2011-04-11T19:02:47Z https://live.paloaltonetworks.com/t5/general-topics/cloning-traffic-to-simulate-attacks-vulnerabilities/m-p/7022#M5182 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Has anyone ever tried to clone malicious traffic sent through the palo-alto firewall to try to re-simulate attacks or exploit vulnerabilities?</P><P></P><P>If you have, can you share your experience in how you did it?</P><P></P><P>Just trying to research on some ideas of how to seek exploit possibile vulnerabilities based on traffic that I might think is malicious.</P><P></P><P>If you need some more info, let me know. </P><P></P><P>Thanks.</P><P></P><P>BA</P></BODY></HTML> Tue, 05 Apr 2011 21:40:14 GMT https://live.paloaltonetworks.com/t5/general-topics/cloning-traffic-to-simulate-attacks-vulnerabilities/m-p/7022#M5182 ikinnexi 2011-04-05T21:40:14Z https://live.paloaltonetworks.com/t5/general-topics/cloning-traffic-to-simulate-attacks-vulnerabilities/m-p/7023#M5183 <HTML><HEAD></HEAD><BODY><P>This is something to look at.</P><P></P><P><A class="jive-link-external-small" href="http://tomahawk.sourceforge.net/">http://tomahawk.sourceforge.net/</A></P><P></P><P>Keith</P></BODY></HTML> Tue, 05 Apr 2011 21:44:58 GMT https://live.paloaltonetworks.com/t5/general-topics/cloning-traffic-to-simulate-attacks-vulnerabilities/m-p/7023#M5183 cl.tech 2011-04-05T21:44:58Z https://live.paloaltonetworks.com/t5/general-topics/cloning-traffic-to-simulate-attacks-vulnerabilities/m-p/7024#M5184 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-family: Arial; color: #000000; font-size: 10pt;">Is it possible to use the PA-2xxx series to span/mirror traffic from one port to another?&nbsp; </SPAN></P><P></P><P><SPAN style="font-family: Arial; color: #000000; font-size: 10pt;">Either in PanOS 3.1 or 4.0?<BR />&nbsp;&nbsp;&nbsp; <BR />It would be very handy since we have so many unused ports on the device, and don't have any taps lying around.</SPAN></P><P></P><P><SPAN style="font-family: Arial; color: #000000; font-size: 10pt;">Any info you can provide on this would be great. </SPAN></P><P></P><P><SPAN style="font-family: Arial; color: #000000; font-size: 10pt;">Thank You. </SPAN></P><P></P><P><SPAN style="font-family: Arial; color: #000000; font-size: 10pt;">BA&nbsp; <BR />&nbsp;&nbsp;&nbsp; <BR /></SPAN></P></BODY></HTML> Tue, 05 Apr 2011 22:12:57 GMT https://live.paloaltonetworks.com/t5/general-topics/cloning-traffic-to-simulate-attacks-vulnerabilities/m-p/7024#M5184 ikinnexi 2011-04-05T22:12:57Z https://live.paloaltonetworks.com/t5/general-topics/cloning-traffic-to-simulate-attacks-vulnerabilities/m-p/7025#M5185 <HTML><HEAD></HEAD><BODY><P>We currently do not support spanning/mirroring traffic from the PAN device today.&nbsp; Please contact your local Palo Alto SE to submit this feature as a feature request.&nbsp; In the meantime, you can use our packet capture feature to help during troubleshooting.</P><P></P><P>Thank you very much for your spanning suggestion!!</P></BODY></HTML> Wed, 06 Apr 2011 00:49:01 GMT https://live.paloaltonetworks.com/t5/general-topics/cloning-traffic-to-simulate-attacks-vulnerabilities/m-p/7025#M5185 rmonvon 2011-04-06T00:49:01Z https://live.paloaltonetworks.com/t5/general-topics/cloning-traffic-to-simulate-attacks-vulnerabilities/m-p/7026#M5186 <HTML><HEAD></HEAD><BODY><P>Actually, Virtual Wire acts a bit like an inline tap.&nbsp; Any packets that are seen on the interface are forwarded out the second interface in the Virtual Wire.&nbsp; If you are out of SPAN ports you can put the PAN device in between an existing SPAN port and another device using the SPAN with a couple interfaces in Virtual Wire mode and allowing all traffic to pass via open security policy.</P><P></P><P>Cheers,</P><P></P><P>Kelly</P></BODY></HTML> Wed, 06 Apr 2011 01:21:32 GMT https://live.paloaltonetworks.com/t5/general-topics/cloning-traffic-to-simulate-attacks-vulnerabilities/m-p/7026#M5186 kbrazil 2011-04-06T01:21:32Z https://live.paloaltonetworks.com/t5/general-topics/cloning-traffic-to-simulate-attacks-vulnerabilities/m-p/7027#M5187 <HTML><HEAD></HEAD><BODY><P>I usually use "Colasoft Packet Player".</P><P>if you have exploit packet capture like exploit.pcap, then , use that tool. you can 'replay' that packet capture by sending it to the PA in TAP mode interface.</P><P>then PA will detect the attack.</P><P>thank you</P><P>BH Lee</P></BODY></HTML> Wed, 06 Apr 2011 03:09:27 GMT https://live.paloaltonetworks.com/t5/general-topics/cloning-traffic-to-simulate-attacks-vulnerabilities/m-p/7027#M5187 bhlee 2011-04-06T03:09:27Z https://live.paloaltonetworks.com/t5/general-topics/cloning-traffic-to-simulate-attacks-vulnerabilities/m-p/7028#M5188 <HTML><HEAD></HEAD><BODY><P>You can always get a packet capture of the specific traffic you want and replay it through a device with TCPreplay or Scapy.</P></BODY></HTML> Mon, 11 Apr 2011 19:02:47 GMT https://live.paloaltonetworks.com/t5/general-topics/cloning-traffic-to-simulate-attacks-vulnerabilities/m-p/7028#M5188 migration 2011-04-11T19:02:47Z