https://live.paloaltonetworks.com/t5/general-topics/how-do-i-apply-the-anti-poodle-sslv3-threat-detection-to/m-p/9831#M7218 <HTML><HEAD></HEAD><BODY><P>Hi Elliot,</P><P></P><P>I think firewall is not on latest content, please provide me output for</P><P>1. Show system info</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Mon, 27 Oct 2014 23:02:37 GMT hshah 2014-10-27T23:02:37Z https://live.paloaltonetworks.com/t5/general-topics/how-do-i-apply-the-anti-poodle-sslv3-threat-detection-to/m-p/9828#M7215 <HTML><HEAD></HEAD><BODY><P>I wanted to test detection of vulnerability 36815 on inbound traffic to the GlobalProtect portal. I'd received an email from PAN on 10/20 which suggested signature 36815 could be used to block attempted SSL 3.0 sessions including "GlobalProtect SSL VPN". I'll settle for detecting it, which should happen with the default or strict vulnerability protection policy.</P><P></P><P>So I tried creating a security policy that explicitly allows SSL to the ip address of the GP portal, with a profile that applies strict vulnerability protection.</P><P></P><P><SPAN>Now if I run the tool at </SPAN><A class="jive-link-external-small" href="https://www.ssllabs.com/ssltest" rel="nofollow">https://www.ssllabs.com/ssltest</A><SPAN> I can see the traffic in the monitor and I can verify that the rule matches the policy I created. But the test for SSLv3 by Qualys doesn't show up in the threat monitor.</SPAN></P></BODY></HTML> Mon, 27 Oct 2014 21:37:01 GMT https://live.paloaltonetworks.com/t5/general-topics/how-do-i-apply-the-anti-poodle-sslv3-threat-detection-to/m-p/9828#M7215 Elliot_Wilen 2014-10-27T21:37:01Z https://live.paloaltonetworks.com/t5/general-topics/how-do-i-apply-the-anti-poodle-sslv3-threat-detection-to/m-p/9829#M7216 <HTML><HEAD></HEAD><BODY><P>Hi Elliot,</P><P></P><P>SSLv3 vulnerability is covered in latest content. It should detect if rule has anti-vuln profile configured.</P><P></P><P>Refer following thread for more detail.</P><P><A href="https://live.paloaltonetworks.com/message/45826">Re: Is it possible to Specifically Disable SSL 3.0 on a Palo Alto Interface</A></P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Mon, 27 Oct 2014 22:15:53 GMT https://live.paloaltonetworks.com/t5/general-topics/how-do-i-apply-the-anti-poodle-sslv3-threat-detection-to/m-p/9829#M7216 hshah 2014-10-27T22:15:53Z https://live.paloaltonetworks.com/t5/general-topics/how-do-i-apply-the-anti-poodle-sslv3-threat-detection-to/m-p/9830#M7217 <HTML><HEAD></HEAD><BODY><P>Yes, if I enable, say, the strict vulnerability protection policy on outbound connections, the SSLv3 alert will fire when I access <A href="https://www.poodletest.com/" title="https://www.poodletest.com/">https://www.poodletest.com/</A> from my workstation inside the LAN.</P><P></P><P>If I point the tool mentioned above at my GlobalProtect portal, I agree that it <STRONG>should</STRONG> detect SSLv3. But it doesn't, even though the traffic is logged due to the security policy for ssl traffic to the GlobalProtect portal.</P></BODY></HTML> Mon, 27 Oct 2014 22:40:42 GMT https://live.paloaltonetworks.com/t5/general-topics/how-do-i-apply-the-anti-poodle-sslv3-threat-detection-to/m-p/9830#M7217 Elliot_Wilen 2014-10-27T22:40:42Z https://live.paloaltonetworks.com/t5/general-topics/how-do-i-apply-the-anti-poodle-sslv3-threat-detection-to/m-p/9831#M7218 <HTML><HEAD></HEAD><BODY><P>Hi Elliot,</P><P></P><P>I think firewall is not on latest content, please provide me output for</P><P>1. Show system info</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Mon, 27 Oct 2014 23:02:37 GMT https://live.paloaltonetworks.com/t5/general-topics/how-do-i-apply-the-anti-poodle-sslv3-threat-detection-to/m-p/9831#M7218 hshah 2014-10-27T23:02:37Z https://live.paloaltonetworks.com/t5/general-topics/how-do-i-apply-the-anti-poodle-sslv3-threat-detection-to/m-p/9832#M7219 <HTML><HEAD></HEAD><BODY><P>&gt; show system info</P><P></P><P>hostname: PA-5060</P><P>ip-address: 10.0.12.1</P><P>netmask: 255.255.252.0</P><P>default-gateway:</P><P>ipv6-address: unknown</P><P>ipv6-link-local-address: fe80::290:bff:fe1e:75ae/64</P><P>ipv6-default-gateway:</P><P>mac-address: 00:90:0b:1e:75:ae</P><P>time: Mon Oct 27 16:25:33 2014</P><P>uptime: 32 days, 0:14:15</P><P>family: 5000</P><P>model: PA-5060</P><P>serial: 0008C100420</P><P>sw-version: 6.0.5</P><P>global-protect-client-package-version: 2.0.4</P><P>app-version: 465-2419</P><P>app-release-date: 2014/10/23&nbsp; 09:15:45</P><P>av-version: 1401-1873</P><P>av-release-date: 2014/10/24&nbsp; 04:00:01</P><P>threat-version: 465-2419</P><P>threat-release-date: 2014/10/23&nbsp; 09:15:45</P><P>wildfire-version: 43176-49703</P><P>wildfire-release-date: 2014/10/26&nbsp; 06:29:02</P><P>url-filtering-version: 2014.10.24.806</P><P>global-protect-datafile-version: 1414396318</P><P>global-protect-datafile-release-date: 2014/10/27 07:51:58</P><P>logdb-version: 6.0.6</P><P>platform-family: 5000</P><P>logger_mode: False</P><P>vpn-disable-mode: off</P><P>operational-mode: normal</P><P>multi-vsys: off</P></BODY></HTML> Mon, 27 Oct 2014 23:26:16 GMT https://live.paloaltonetworks.com/t5/general-topics/how-do-i-apply-the-anti-poodle-sslv3-threat-detection-to/m-p/9832#M7219 Elliot_Wilen 2014-10-27T23:26:16Z https://live.paloaltonetworks.com/t5/general-topics/how-do-i-apply-the-anti-poodle-sslv3-threat-detection-to/m-p/9833#M7220 <HTML><HEAD></HEAD><BODY><P>The Vulnerability signature which is provided will not be applied to traffic destined to&nbsp; firewall</P><P></P><P>For example: people from DMZ are tried to manage firewall on firewall's DMZ interface, the signature will not be enough to identify ssl3, because content inspection is not applied when traffic is destined to firewall and not passing through the firewall. The same will apply to GP. we would not be able to identify this when SSL connection terminates on untrust interface of firewall</P><P></P><P>The work around while we wait for engineering is to host the GP on loopback. Because when the service is hosted on loopback (different zone). This will make packet pass though the CTD engine of firewall to detect vulnerability.</P><P></P><P>Regards</P><P>Sai</P></BODY></HTML> Fri, 31 Oct 2014 00:02:54 GMT https://live.paloaltonetworks.com/t5/general-topics/how-do-i-apply-the-anti-poodle-sslv3-threat-detection-to/m-p/9833#M7220 Sai_Tumuluri 2014-10-31T00:02:54Z https://live.paloaltonetworks.com/t5/general-topics/how-do-i-apply-the-anti-poodle-sslv3-threat-detection-to/m-p/9834#M7221 <HTML><HEAD></HEAD><BODY><P>I have tested this before in the lab that vulnerability profile applied to traffic destined to firewall does work for management but not GP (even if is on a loopback in a different zone).</P></BODY></HTML> Fri, 31 Oct 2014 02:12:25 GMT https://live.paloaltonetworks.com/t5/general-topics/how-do-i-apply-the-anti-poodle-sslv3-threat-detection-to/m-p/9834#M7221 shyo 2014-10-31T02:12:25Z