
Wall's Week - December 19th, 2018

by kwall00 on 12-19-2018 09:39 PM - last edited on 12-26-2018 07:55 AM

Read about a new technical certification (PCCSA), the new Unit42 Threat Intelligence Portal, an App and Content Update, the Aperture Trial Feature, using Wireshark, and GlobalProtect Custom Reports. Palo Alto Networks Live Community is dedicated to providing the answers to your questions.

Summary

App and Content Update #8101

New Aperture Trial Feature

New Technical Certification - PCCSA

New Unit42 Threat Intelligence Portal

TIP: Adding Search Keywords to Chrome

TIP: Using Wireshark to Capture HTTP GET Requests

TIP: Custom Report for Top GlobalProtect Users

App and Content Update #8101

Beginning with content release 8101, Applications and Threats content updates enable firewalls running a PAN-OS 8.1.x release to forward three script sample types—JScript (.js), VBScript (.vbs), and PowerShell script (.ps1)—to the WildFire cloud for analysis. If your WildFire profiles are currently configured to forward Any file type, no additional changes are needed; the new script types are included automatically.

Also, beginning with the content update that will release on January 3rd, the JAR file type will be included in the “Block all risky file types” rule, which is the pre-defined rule labeled “strict file blocking” within the File Blocking Profiles. If you are using this pre-defined file blocking policy, no additional changes are needed; JAR is included automatically.

New Aperture Trial Feature

For customers who have data residing in SaaS applications (O365, OneDrive, GitHub, Yammer, Salesforce, Slack, etc.), you now have the ability to trial Aperture on your own. An Aperture trial may now be launched directly from the Palo Alto Networks Customer Support Portal. Note that this is something you can do only once, as multiple trials are not allowed. The trial duration is 60 days. For step-by-step instructions, see this blog by @jdelio.

As a reminder, Aperture is our 100% SaaS-based tool that performs the following security tasks for many of your more common SaaS applications:

  • Scans all content and checks for malware through WildFire (included)
  • Inspects each file and classifies it (PCI, PII, Legal, Health, Source Code, etc)
  • Examines any shared properties (is it shared to users external to the corporate domain, etc)
  • Remediates – in the case of malware, the file is quarantined; for shared-property violations, the offending sharing properties may be removed, the data owner may be emailed, etc.

There are more functions Aperture can perform such as keeping an eye on who is uploading or downloading massive amounts of files or what countries are accessing your corporate data and much more.

New Technical Certification - PCCSA

Palo Alto Networks Certified Cybersecurity Associate (PCCSA) is the new certification offered to customers as a part of the certification framework. The certification is intended to validate knowledge of the latest technology to manage cyberthreats. Prep courses are available in the Palo Alto Networks learning center. Here are the new courses:

  • Cybersecurity Foundation Course
  • Cybersecurity Network Security Essentials Course
  • Cybersecurity Gateway (Networking Fundamentals) Course
  • Cybersecurity Survival Guide
  • Introduction to Cybersecurity
  • Practice PCCSA Test

Click here for the learning portal registration page.

New Unit42 Threat Intelligence Portal

Unit42 is our threat intelligence research organization and has a new landing page – check it out here! You will find adversary playbooks, threat briefs, reports, and threat intelligence to help your security team defend the organization. You can also subscribe to the Unit42 newsletter here and follow them on social media. Along those lines, you can find the Unit42 iTunes podcast here.

TIP: Adding Search Keywords to Chrome

Chrome allows the use of a shortcut (keyword) in the URL bar to help quickly locate data. The keyword must be defined, of course, along with a base URI. For example, I want to search https://support.paloaltonetworks.com for the string, "Magnifier Overview" using the shortcut keyword “ps” for Palo Alto Networks Support. To do so, I would simply type in the URL bar: “ps Magnifier Overview” and Chrome would take me to the Support site and automatically search for the string in question.

To configure a shortcut keyword:

  • Go to Settings within Chrome.
  • Under Search engine, select Manage search engines.
  • Scroll to Other search engines and click the Add button.
  • Provide your shortcut a name, and for the keyword use something short and memorable.
    For example, I used "ps" as a keyword to search the Palo Alto Networks Support site. For the URL field, enter the URL + URI up to the point just before a search string would appear. In my example, I used https://support.paloaltonetworks.com/search#q=
  • At the end of the URL/URI add “%s” and save the entry. The final URL/URI would look like this: https://support.paloaltonetworks.com/search#q=%s
  • Now open a tab, go to the URL field and enter the keyword + a search string to have the shortcut fire off a search on the Support site: ps Magnifier Overview

You’ll notice that as soon as you enter the shortcut ps, Chrome will expand it to the description you entered when creating the shortcut. A few other shortcuts that I use are:

TIP: Using Wireshark to Capture HTTP GET Requests

There are times when it is necessary to use a capture filter in Wireshark (or TCPDUMP) to get specific information. Let’s say you wanted to capture HTTP GET requests only. You can use the following filter:

  • port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420

The filter looks for the letters “G”, “E”, “T” and a space (0x47 0x45 0x54 0x20) at the very start of the TCP payload. The expression tcp[12:1] & 0xf0 isolates the data-offset nibble of the TCP header (header length in 32-bit words), and shifting it right by 2 converts that to a byte count, so the 4-byte comparison lands just after the TCP header even when TCP options are present. Because it inspects plaintext, it only matches HTTP on port 80, not HTTPS. Modify the syntax to limit the capture to other specific information.
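As an added example (not from the original post), the following Python emulates the byte-offset arithmetic of that capture filter on constructed TCP segments, including one carrying TCP options, where a hypothetical fixed-offset check (tcp[20:4]) would miss the request:

```python
"""
Added example: emulate the tcpdump/Wireshark capture filter
    port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420
on raw TCP segments, so the data-offset arithmetic can be verified offline.
All segments below are constructed sample data.
"""
import struct

GET_MAGIC = 0x47455420  # the four ASCII bytes "GET " as a big-endian integer


def build_tcp_segment(payload: bytes, options: bytes = b"", dst_port: int = 80) -> bytes:
    """Constructed TCP segment: 20-byte fixed header, optional options, payload."""
    assert len(options) % 4 == 0, "TCP options must pad to a 32-bit boundary"
    data_offset_words = (20 + len(options)) // 4   # header length in 32-bit words
    byte12 = data_offset_words << 4                # data offset lives in the high nibble
    header = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 1, byte12, 0x18, 65535, 0, 0)
    return header + options + payload


def matches_get_filter(tcp: bytes) -> bool:
    """Apply the filter's logic: port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420."""
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    if 80 not in (src_port, dst_port):
        return False
    hdr_len = (tcp[12] & 0xF0) >> 2   # (words << 4) >> 2 == words * 4 == header bytes
    if len(tcp) < hdr_len + 4:        # BPF cannot match when the 4 bytes are not there
        return False
    first_four = struct.unpack("!I", tcp[hdr_len:hdr_len + 4])[0]
    return first_four == GET_MAGIC


def naive_fixed_offset_match(tcp: bytes) -> bool:
    """Hypothetical 'tcp[20:4] = 0x47455420' for comparison: assumes no TCP options."""
    return len(tcp) >= 24 and struct.unpack("!I", tcp[20:24])[0] == GET_MAGIC


if __name__ == "__main__":
    req = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    plain = build_tcp_segment(req)
    # NOP, NOP, Timestamp (kind 8, len 10): 12 option bytes -> 32-byte header
    with_opts = build_tcp_segment(req, options=b"\x01\x01\x08\x0a" + b"\x00" * 8)
    post = build_tcp_segment(b"POST / HTTP/1.1\r\n\r\n")
    print("plain GET:", matches_get_filter(plain))                 # True
    print("GET with options:", matches_get_filter(with_opts),      # True
          "naive:", naive_fixed_offset_match(with_opts))           # False
    print("POST:", matches_get_filter(post))                       # False
```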

TIP: Custom Report for Top GlobalProtect Users

GlobalProtect, for those who may not know, is our endpoint agent for establishing IPSec and/or SSL tunnels. For those of you who are utilizing this feature, have you ever wondered who your top GlobalProtect users are? This is easily accomplished through a custom report. In this example, I’ll show you how to create a report of your top 25 GlobalProtect users over the past hour. Of course, you can modify the parameters to fit your needs.

Step 1: Identify the tunnel on which to report. Go to Network > Interfaces > Tunnels. Note the tunnel name on which your remote clients terminate (e.g., tunnel.1, tunnel.2, tunnel.100).

Step 2: Create the report. Go to Monitor > Manage Custom Reports > Add. Give the report a name such as, Top GlobalProtect Users. For the Database, select Detailed Logs > Traffic. In the Selected Columns, add the following fields:

  • Source User
  • Bytes
  • Count
  • Elapsed Time (sec)

For the time frame, select Last Hour. To define how you want to quantify top GlobalProtect users, select one of the following:

  • Bytes – to determine top users by bandwidth
  • Count – to determine top users by number of log entries
  • Elapsed Time (sec) – to determine top users by total time of sessions

To specify how many users you want to identify, select Top 25 in the second box to the right of Sort By. In the Query Builder, add your tunnel interface in the format of:

  • (interface.src eq tunnel1) and (user.src neq '')
    • Note the null sequence, '', is two single quote characters

Save your changes. Select “Run Now” to see the report.
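As an added example (not from the original post, and not using the PAN-OS API), the following Python reproduces the report's ranking logic offline on constructed traffic log records. It assumes the tunnel is named tunnel.1 as in Step 1, that all records already fall within the Last Hour window, and that each record carries the report's three columns; it also shows why the user.src neq '' clause matters, since a session with no User-ID mapping would otherwise top the bandwidth list:

```python
"""
Added example: offline version of the "Top GlobalProtect Users" custom report.
Query emulated:  (interface.src eq tunnel.1) and (user.src neq '')
Sort By options: Bytes, Count, Elapsed Time (sec); Top N default 25.
The records below are constructed sample data, not real firewall logs.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE_LOGS: List[dict] = [
    {"interface.src": "tunnel.1", "user.src": "acme\\alice", "bytes": 5_000_000, "elapsed": 1200},
    {"interface.src": "tunnel.1", "user.src": "acme\\alice", "bytes": 2_000_000, "elapsed": 300},
    {"interface.src": "tunnel.1", "user.src": "acme\\bob",   "bytes": 9_000_000, "elapsed": 60},
    {"interface.src": "tunnel.1", "user.src": "acme\\carol", "bytes": 100_000,   "elapsed": 3000},
    {"interface.src": "tunnel.1", "user.src": "acme\\carol", "bytes": 100_000,   "elapsed": 50},
    {"interface.src": "tunnel.1", "user.src": "acme\\carol", "bytes": 100_000,   "elapsed": 10},
    # No User-ID mapping: excluded by (user.src neq ''), otherwise it would rank first by bytes
    {"interface.src": "tunnel.1", "user.src": "", "bytes": 50_000_000, "elapsed": 5},
    # LAN session, not a GlobalProtect tunnel: excluded by (interface.src eq tunnel.1)
    {"interface.src": "ethernet1/2", "user.src": "acme\\dave", "bytes": 80_000_000, "elapsed": 9000},
]

# Report column name -> record field summed per user (None means count log entries)
METRICS = {"Bytes": "bytes", "Count": None, "Elapsed Time (sec)": "elapsed"}


def matches_query(rec: dict, tunnel: str = "tunnel.1") -> bool:
    """(interface.src eq <tunnel>) and (user.src neq '')"""
    return rec["interface.src"] == tunnel and rec["user.src"] != ""


def top_globalprotect_users(records: List[dict], sort_by: str, top_n: int = 25,
                            tunnel: str = "tunnel.1") -> List[Tuple[str, int]]:
    """Return [(user, total)] ranked by the chosen metric, like the report's Sort By / Top N."""
    field = METRICS[sort_by]
    totals: Dict[str, int] = defaultdict(int)
    for rec in records:
        if not matches_query(rec, tunnel):
            continue
        totals[rec["user.src"]] += 1 if field is None else rec[field]
    # Highest total first; user name breaks ties deterministically
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:top_n]


if __name__ == "__main__":
    for metric in METRICS:
        print(metric, top_globalprotect_users(SAMPLE_LOGS, metric))
```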
