topic Re: Adding ?v=panosurl to MineMeld EDL brought down our entire network in General Topics

Adding ?v=panosurl to MineMeld EDL brought down our entire network

Mike.ship — Tue, 03 Jul 2018 13:44:37 GMT

Just wanted to share this with the community in hopes that it may prevent one from experiencing the hardship that we did. We use MineMeld with our URL filtering rules. We appended "?v=panosurl" to the end of the end of the URL for our General_Block_List with the assumption that it would just reformat the output essentially removing the "http://" from the URLs in the list. Unfortunately adding ?v=panosurl to the end of the URL caused the list to add three entries for *.com and one for *.it.

Since this EDL was a block list it essentially began blocking everything to those TLDs. This brought the entire network to it's knees and we couldn't get into our Panorama server to revert the change. We were eventually able to access the Panorama server via the CLI and revert the changes.

Just beware and do your due diligence when implementing this on your EDLs.

Cheers!

Re: Adding ?v=panosurl to MineMeld EDL brought down our entire network

dannadurai — Fri, 28 Dec 2018 23:14:06 GMT

One of customer seemed having same issue. what is the solution for this ? PAN-OS in 8.1.4 release.

Re: Adding ?v=panosurl to MineMeld EDL brought down our entire network

craigomatic — Wed, 02 Jan 2019 22:43:42 GMT

Thanks for the post; although I found it after I had experienced the same thing; however, my list did not include a *.com or *.it.

name@fw(active)> request system external-list show type ip name edl-phishing-sites
vsys1/edl-phishing-sites:
Next update at : Thu Dec 27 16:00:02 2018
Source : https://10.x.x.x/feeds/phishing-url?v=panosurl
Referenced : Yes
Valid : Yes
Auth-Valid : Yes

Total valid entries : 2013
Total invalid entries : 59

Went through the entire text and did not find a string or consecutive wildcards together. Can't figure out why this would have recategorized pretty much every common domain as edl-phishing-sites. Thankfully I deny all traffic to those sites with my policy. We had a connectivity issue for about 5 minutes until I could back everything out. What a pita.

Re: Adding ?v=panosurl to MineMeld EDL brought down our entire network

Remo — Sun, 12 May 2019 23:14:22 GMT

Today I had the same issue and I think I found the reason. I have compared the lists with and without ?v=panosurl and I found some problems with different enties. Entries in minemeld like *domain.tld will be changed to *.tld after adding the parameter to the url. I also found a typo in a manually entered indicator. This one was *:acbay.com and was also changed to *.com after adding panosurl to the url ...

Re: Adding ?v=panosurl to MineMeld EDL brought down our entire network

craigomatic — Mon, 13 May 2019 16:04:20 GMT

So do you think there is an issue with the parser? What PANOS version are you running? I still have not moved forward in implementing due to the high risk/low payoff and there seems to be a question whether this is really happening. Sorry it happened to you but I'm also glad I'm not crazy.

Re: Adding ?v=panosurl to MineMeld EDL brought down our entire network

Remo — Mon, 13 May 2019 18:36:40 GMT

To me this definately is an issue in the parser. Even if "*abc.com" isn't a valid entry on a paloalto firewall, changing this to "*.com" cannot be right. In my opinion the best would be if ?v=panosurl does the same as a paloalto firewall does (in addition to removing http:// and https://), such entries should simply be ignored.

Re: Adding ?v=panosurl to MineMeld EDL brought down our entire network

datuttle — Mon, 01 Feb 2021 19:38:04 GMT

I had a similar experience where implementing the ?v=panosurl caused a huge spike in CPU on our PA5220s we couldn't commit configuration changes. I was kind of shocked that making what was recommended as a change would have such dire effects on our envorironment. Has anyone used it successfully? If not, do you have a work around to make edl ses feeds from minemeld usable for URL filetering?