10-04-2012 04:06 AM
Hello forum,
I am seeing traffic to a particular IP address from one computer that I know has been infected with a virus (we're busy getting rid of it). The connection is SSL and we are about to implement SSL decryption on our Palo, just not this second. The hoster of the IP address is Ecatel who are synonymous with with malwares. We have a valid license for threat, url, av which is uptodate on the box. I am wondering why it's not being blocked as dangerous even though our security profiles are basically set to block for anything 'medium' and higher. Because it's SSL it's not being categorised which isn't helpful - is that the reason why it's not being stopped? Brightcloud list it as unsafe. Any ideas of how to get a block on this that is more dynamic than just that one IP address (that might change) would be great.
Destination is 94.102.55.20
Can post more info if you need,
Thanks,
NC
10-04-2012 11:20 AM
Hi NC,
If you think the firewall did not capture a valid threat, you can submit a pcap from the client PC and the related traffic logs by opening a support ticket and we can hand it over to threat team for validation.
Also in the ticket description if you can give a brief description of threat.
Here is the document on how you to collect the data ( threat log details collection in the doc below would not apply in your case)
https://live.paloaltonetworks.com/docs/DOC-2769
Regards
Parth
10-04-2012 11:20 AM
Hi NC,
If you think the firewall did not capture a valid threat, you can submit a pcap from the client PC and the related traffic logs by opening a support ticket and we can hand it over to threat team for validation.
Also in the ticket description if you can give a brief description of threat.
Here is the document on how you to collect the data ( threat log details collection in the doc below would not apply in your case)
https://live.paloaltonetworks.com/docs/DOC-2769
Regards
Parth
10-04-2012 12:06 PM
You said that this is an SSL site. How are you trying to block this ? Are you using URL filtering to block malware-sites category ? If that is the case then we should be blocking it based on the SSL certificate common name. I also see that you are using the antivirus profiles to block this virus then you have to go for SSL decryption option. Please share some information on what is the website URL, how you are trying to block this (Antivirus or URL filtering).
Thanks,
Sandeep
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
