Management Articles

Featured Article
Details
This document is designed to help verify that the DNS Sinkhole function is working properly through a Palo Alto Networks firewall. The following two scenarios are covered:
- Client Using External DNS Server
- Client Using Internal DNS Server

DNS Sinkhole Configuration
For information on how to configure DNS Sinkhole, please see: How to Configure DNS Sinkhole
We also have a video tutorial on how to configure DNS Sinkhole: Video Tutorial: How to Configure DNS Sinkhole

Client Using External DNS Server
Note: The DNS Sinkhole IP must be reachable from the client through the firewall, so that the firewall sees the client's traffic to it and can log it. For example, if the Palo Alto Networks firewall sits between an infected client and the data center but does not see internet traffic, and DNS Sinkhole is configured with an internet IP, then the firewall will never see the infected client trying to reach its command & control server.

When the DNS sinkhole feature is configured on the Palo Alto Networks firewall and the client system is using an external DNS server, the DNS query from the client goes through the firewall to the external DNS server (client and DNS server are in different subnets). As expected, the user should be able to see threat logs with the client IP address as the source.

In this example, the user is trying to access a malicious website. The client system sends the DNS query to an external DNS server to get the IP address of the malicious website. The firewall receives the DNS query directly from the client system, hijacks the query, and returns the DNS sinkhole IP address to the client. The threat logs therefore show the client IP address as the source.
Client TCP/IP Properties Configuration
Review the following config example:

Threat Logs
When using an external DNS server, the Threat logs show the client IP address "192.168.27.192" as the source that is trying to access a malicious website:

Client Output When Using External DNS Server
$ nslookup 79fe3m5f4nx8c1.pmr.cc
Server:        195.130.131.4
Address:    195.130.131.4#53

Non-authoritative answer:
Name:    79fe3m5f4nx8c1.pmr.cc
Address: 72.5.65.111

The screenshot above shows the host 192.168.27.192 performing a DNS request for "79fe3m5f4nx8c1.pmr.cc" (a suspicious URL) and receiving the response 72.5.65.111, the sinkhole address. This shows that the DNS Sinkhole is working as desired.

Client Using Internal DNS Server
If a client system is using an internal DNS server (client and DNS server are in the same subnet), the DNS query from the client goes to the internal DNS server. The internal DNS server forwards this query to an external DNS server, so the threat logs show the internal DNS server IP address as the source.

Currently, the Palo Alto Networks firewall cannot identify from the threat logs which end client is trying to access a malicious website, because all threat logs will have the internal DNS server IP address as the source. However, the firewall can determine the end client IP address with the help of the traffic logs.

Below is an example where the user is trying to access a malicious website. The client system sends the DNS query to an internal DNS server to acquire the IP address of the malicious website. The internal DNS server forwards the DNS query to an external DNS server, so the firewall receives the DNS query from the internal DNS server.

The firewall hijacks the DNS query and returns the DNS sinkhole IP address to the internal DNS server.
The internal DNS server forwards the response to the client system, and the user should be able to see threat logs with the internal DNS server IP address as the source. However, the Palo Alto Networks firewall should be able to see the client IP address in the traffic logs, because the client will try to access that website using the DNS sinkhole IP address, as shown in the following screenshot:

Client TCP/IP Properties Configuration

Threat Logs
In the threat logs, the firewall shows only the internal DNS server IP address "10.50.240.101" as the source, because the client system is using the internal DNS server. Here the firewall is not able to determine which end client is trying to access that website.

Traffic Logs
However, as soon as the client gets the IP address from the DNS server, it generates traffic towards the sinkhole IP address (72.5.65.111). Therefore, the firewall shows the end client IP address "192.168.27.192" in the traffic logs, as shown below:

Client Output When Using Internal DNS Server
$ nslookup 4cdf1kuvlgl5zpb9.pmr.cc
Server:        192.168.27.189
Address:    192.168.27.189#53

Non-authoritative answer:
Name:    4cdf1kuvlgl5zpb9.pmr.cc
Address: 72.5.65.111

The screenshot above shows the host 192.168.27.192 performing a DNS request for 4cdf1kuvlgl5zpb9.pmr.cc (a suspicious URL) and receiving the response 72.5.65.111. This verifies that the DNS Sinkhole is working as desired.

See Also
How to Deal with Conficker using DNS Sinkhole
Where to get suspicious DNS query for testing DNS Sinkhole

For video tutorials on DNS Sinkhole, please see:
Video Tutorial: How to Configure DNS Sinkhole
Video Tutorial: How to Verify DNS Sinkhole

owner: sbabu
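As an added example (not part of the original article), the following Python helper parses nslookup output like the two client outputs above, checks whether the answer is the sinkhole address, and states which source IP the threat and traffic logs should show for the external versus internal DNS server case. The sinkhole address 72.5.65.111 and client 192.168.27.192 come from the article's screenshots; the client's /24 subnet is an assumption.

```python
import ipaddress

# Constructed samples copied from the article's two client outputs.
EXTERNAL_DNS_OUTPUT = """\
$ nslookup 79fe3m5f4nx8c1.pmr.cc
Server:        195.130.131.4
Address:    195.130.131.4#53

Non-authoritative answer:
Name:    79fe3m5f4nx8c1.pmr.cc
Address: 72.5.65.111
"""

INTERNAL_DNS_OUTPUT = """\
$ nslookup 4cdf1kuvlgl5zpb9.pmr.cc
Server:        192.168.27.189
Address:    192.168.27.189#53

Non-authoritative answer:
Name:    4cdf1kuvlgl5zpb9.pmr.cc
Address: 72.5.65.111
"""

# Constructed negative case: a lookup that was NOT sinkholed (documentation address).
NOT_SINKHOLED_OUTPUT = """\
$ nslookup example.test
Server:        195.130.131.4
Address:    195.130.131.4#53

Non-authoritative answer:
Name:    example.test
Address: 203.0.113.10
"""

SINKHOLE_IP = "72.5.65.111"        # sinkhole address seen in the article's screenshots
CLIENT_IP = "192.168.27.192"       # the test client in the article
CLIENT_SUBNET = "192.168.27.0/24"  # assumption: the client's subnet mask is /24


def parse_nslookup(text):
    """Return (queried_name, resolver, answers) from nslookup text output.

    The resolver is the 'Server:' line. Its own 'Address: x#53' line is skipped;
    answer addresses are the 'Address:' lines that follow the 'Name:' line.
    """
    resolver, name, answers = None, None, []
    in_answer = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Server:"):
            resolver = line.split(":", 1)[1].strip()
        elif line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
            in_answer = True
        elif in_answer and line.startswith("Address:"):
            answers.append(line.split(":", 1)[1].strip().split("#")[0])
    return name, resolver, answers


def check_sinkhole(text, sinkhole_ip=SINKHOLE_IP):
    """Report whether the lookup was answered with the sinkhole address."""
    name, resolver, answers = parse_nslookup(text)
    return {
        "name": name,
        "resolver": resolver,
        "answers": answers,
        "sinkholed": sinkhole_ip in answers,
    }


def expected_log_sources(resolver, client_ip=CLIENT_IP, client_subnet=CLIENT_SUBNET):
    """Which source IP to expect in the firewall logs, per the article:

    - resolver inside the client's subnet (internal DNS): the threat log shows the
      DNS server, and the client only appears in the traffic log when it connects
      to the sinkhole IP;
    - resolver outside it (external DNS): the threat log shows the client itself.
    """
    internal = ipaddress.ip_address(resolver) in ipaddress.ip_network(client_subnet)
    return {
        "dns_server": "internal" if internal else "external",
        "threat_log_source": resolver if internal else client_ip,
        "traffic_log_source": client_ip,
    }


def verify(text):
    """Combine both checks for one nslookup output."""
    result = check_sinkhole(text)
    result.update(expected_log_sources(result["resolver"]))
    return result


if __name__ == "__main__":
    for sample in (EXTERNAL_DNS_OUTPUT, INTERNAL_DNS_OUTPUT, NOT_SINKHOLED_OUTPUT):
        print(verify(sample))
```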
View full article
sbabu ‎04-03-2018 12:26 PM
64,655 Views
8 Replies
Overview
This document describes the steps to add an Exempt IP address for a specific threat.

Steps
1. Navigate to Monitor > Logs > Threat.
2. Click on the target threat name. This is the threat for which the exempt IP addresses are to be added.
3. Make sure there is a vulnerability profile associated with a security policy. In this example, the 'test123' vulnerability profile has been applied. At this point, check the box to highlight the profile and add the IP address (as shown in the image below). Click OK.
Note: The IP address can be the Victim or the Attacker (source address or destination address), as shown in the following logs.
4. Confirm the updates by going to the vulnerability profile and clicking on the Exceptions tab. From there, click on the 'IP Address Exemptions' applet, as shown below, to verify the changes.
5. After you have verified the changes and confirmed that the IP addresses of the hosts are entered correctly, click OK, OK, and Commit the change to the firewall.

From now on, traffic to hosts behind the IP address(es) added to the list of Exempt IP addresses will not trigger this vulnerability in this security rule. Traffic to all other IP addresses, or traffic hitting a different security rule, will still trigger the vulnerability action as defined in that security policy.
View full article
gswcowboy ‎11-15-2017 12:33 PM
32,951 Views
16 Replies
3 Likes
Object
You have a list of web sites and want to check the categories recognized by PAN-DB (or BrightCloud). It is not practical to check the categories on Test-A-Site (https://urlfiltering.paloaltonetworks.com) or on the BrightCloud URL/IP lookup page (http://www.brightcloud.com/tools/url-ip-lookup.php) one by one when there are many sites to check.

Solution
The firewall CLI accepts multiple lines of commands at one time, so this can be achieved with the following steps.

1. Create a text file that contains the list of "test url <url>" commands:
test url www.paloaltonetworks.com
test url www.google.com

2. (Optional) Switch the URL filtering database as needed:
> set system setting url-database <paloaltonetworks or brightcloud>
See: https://live.paloaltonetworks.com/t5/Learning-Articles/PAN-DB-URL-Filtering-CLI-Command-Reference/ta-p/61598

3. Copy & paste the entire text onto the firewall CLI:
> test url www.paloaltonetworks.com
www.paloaltonetworks.com computer-and-internet-info (Base db) expires in 24000 seconds
www.paloaltonetworks.com computer-and-internet-info (Cloud db)

> test url www.google.com
www.google.com search-engines (Base db) expires in 0 seconds
www.google.com search-engines (Cloud db)
:

Object
Obtaining the list of Threat Names for a certain range of Threat IDs.

Solution
1. Create a text file that contains the list of "show threat id <id>" commands:
show threat id 3800000
show threat id 3800001
:

To create such a text file, the following script can be used (it writes one command per Threat ID in the range into command_list.txt, overwriting any previous file so that reruns do not append duplicates):
#!/bin/bash
# Generate one "show threat id" command per ID and write them to command_list.txt
for i in {3800000..3804000}
do
    echo "show threat id ${i}"
done > command_list.txt

The Threat ID ranges can be found in the following article:
https://live.paloaltonetworks.com/t5/Threat-Articles/Threat-ID-Ranges-in-the-Palo-Alto-Networks-Content-Database/ta-p/59969

2. Copy & paste the entire text onto the firewall CLI:
> show threat id 3800000
unknown spyware

> show threat id 3800001
This signature detected generic:geik.ddns[.]net
medium
:

Additional Tips
The list of commands for packet-diag can also be saved as a text file and executed in the same way.
https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Run-a-Packet-Capture/ta-p/62390
View full article
ymiyashita ‎11-15-2017 12:15 PM
4,635 Views
0 Replies
2 Likes
A new category has been added to URL Filtering. This new category will be “command-and-control” to further break out specifics from within the malware category. Check out this FAQ about the new category.
View full article
‎10-24-2017 09:37 AM
31,640 Views
19 Replies
6 Likes
Question
Why are some antivirus/WildFire signatures for malicious Flash/SWF files only detected on firewalls running PAN-OS 7.1 or later? Firewalls on earlier PAN-OS versions do not detect the same file even though the correct antivirus/WildFire content is installed and the appropriate antivirus profile is configured.

Answer
Some malicious SWF Flash files use LZMA compression (ZWS). Firewalls must be running PAN-OS 7.1 or later to support inspection of and protection against this type of SWF file.
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os-release-notes/pan-os-7-1-release-information/content-inspection-features

To check which antivirus signature covers the malicious SWF ZWS file:
- In PAN-OS 7.1, the threat ID is between 6,000,000 - 6,000,500 or 6,200,000 - 6,200,500.
- In PAN-OS 8.0 or later, first look up the signature's file hash at https://threatvault.paloaltonetworks.com (a valid support login account is required) by searching either the threat name or the unique threat ID. Then do a second search with the signature file hash and note the file type, i.e. whether it is SWF ZWS.
View full article
spiromruen ‎09-06-2017 05:22 AM
2,976 Views
0 Replies
This document describes how to use Anti-Spyware, Vulnerability Protection, and Antivirus Exceptions to change actions for specific threats on Palo Alto Networks firewalls.

Anti-Spyware or Vulnerability Protection Exceptions
For example, to add an Anti-Spyware Exception for threat ID #30003 to an existing profile named "Threat_exception_test_profile":
1. Go to Objects > Security Profiles > 'Anti-Spyware' or 'Vulnerability Protection'.
2. Select the existing profile and click the "Exceptions" tab.
3. First, check the "Show all signatures" checkbox at the lower left-hand part of the profile window.
4. In the search field, enter a string (ex. 'microsoft') or simply enter the threat ID number itself (ex. 30003). Press Enter or click the green arrow to initiate the search.
Note: If the signature being searched for was just applied in the latest dynamic update and it is not being returned in the search results, log out of the Web UI and then log back in to clear the GUI cache.
The results will return "Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability" (which is threat ID #30003).
Note: Threat IDs can be easily determined from the threat logs.
5. To enable this exception, check the 'Enable' box and change the default 'Action' value to handle the non-excluded traffic. To allow the traffic, select Allow; to drop the traffic, select Drop.
Threat Action detail - change default action.
6. Use the IP Address Exemptions column to add IP address filters to a threat exception. If IP addresses are added to a threat exception, the threat exception action for that signature will only take precedence over the rule's action if the signature is triggered by a session having either the source or destination IP matching an IP in the exception. You can add up to 100 IP addresses per signature. With this option, you do not have to create a new policy rule and a new vulnerability profile to create an exception for a specific IP address.
To exclude certain IP addresses rather than all traffic, click on the blank field under "IP Address Exemptions", click Add at the bottom, and then add up to 100 IPs to the list.
IP Address Exemption detail.
Make sure that the Anti-Spyware and/or Vulnerability Protection profiles are applied to the appropriate security policies. Commit the changes to enable the exception.

Antivirus Exceptions
For example, to add an antivirus exception for threat ID #253879 to an existing profile named "AV_exception_test_profile":
Note: Be aware that if you exclude a virus from being checked, this is all or nothing; you cannot exclude just an IP from this protection, it would be allowed for all traffic on that rule/antivirus policy.
1. Go to Objects > Security Profiles > Antivirus.
2. In the existing profile, click on the Virus Exception tab.
3. Enter the ID value (for this example, 253879) into the Threat Id field at the bottom of the page, and click Add.
Note: The threat ID can be determined from the threat logs.
For this example, an exception for "Win32/Virus.Generic.koszy" is created.
AntiVirus - Virus Exemption window detail.
4. Make sure that Antivirus profiles are applied to the appropriate security policies. There is no option to exclude just certain IP addresses with an Antivirus Exception.
5. Commit the changes to make this take effect.

owner: kadak
View full article
kadak ‎07-14-2017 04:19 AM
26,761 Views
3 Replies
1 Like
Question
Why is my botnet report not working?

In some instances, a botnet report may fail to generate on a device. This can be verified by the following factors:
- Botnet reports are not available for selection (shown in bold) on the report calendar located within Monitor > Botnet > Date.
- In mp-log > botnet.log, content is not loaded.
- In mp-log > botnet.log, the progress_file is empty.
- In mp-log > botnet.log, the following error is returned: failed: cannot open file /opt/pancfg/mgmt/av/botnet.db

Answer
Several factors can prevent successful generation of the botnet report:
1. Botnet reports have not been configured.
2. No URL Filtering logs are present with a category of "malware". These are necessary for botnet report correlation.
3. There is no active AV content installed on the device.**
4. The device does not have an active Threat Prevention (AV) license.**

** In scenarios 3 & 4 the following error will be present in mp-log > botnet.log: failed: cannot open file /opt/pancfg/mgmt/av/botnet.db

The botnet.db (database) file is downloaded as part of Antivirus (AV) dynamic updates. Without a valid Threat license or AV content on the device it is not possible to download the botnet.db file. Therefore, the botnet report cannot be run or generated successfully.
View full article
bvandivier ‎03-31-2017 01:41 PM
2,995 Views
0 Replies
WildFire is a cloud-based service that integrates with the Palo Alto Networks firewall and provides detection and prevention of malware.

Pre PAN-OS 7.0
In PAN-OS versions 6.0 and 6.1, WildFire is configured as a File Blocking Profile.

PAN-OS 7.0 +
Starting with PAN-OS 7.0, WildFire is configured as a WildFire Analysis Profile, which can then be applied to a security policy that matches the traffic that needs to be analysed.

In a security policy: Security Policy Rule with WildFire configured.
If the security policy is strict, verify that the application paloalto-wildfire-cloud is allowed outbound from the management interface to the internet. The application may need to be added to the existing service policy containing paloalto-updates and similar services, or an additional Service Route needs to be added to bind wildfire-cloud to the external interface.

WildFire can be set up as a File Blocking profile with the following Actions:
- Forward: The file is automatically sent to the WildFire cloud.
- Continue and Forward: The user will get a "continue" action before the download, and the file will be forwarded to WildFire.
Since PAN-OS 7.0 the continue action can still be set in a File Blocking profile, and the WildFire Analysis profile can simply be set to send to the public-cloud or, if a WF-500 appliance is available, to the private-cloud.

A file type defined in the WildFire configuration is matched by the WildFire cloud. Palo Alto Networks firewalls compute the hash of the file and send only the computed hash to the WildFire cloud, where it is compared against files the cloud has already analysed. If the hash does not match, the file is uploaded and inspected, and the file details can be viewed on the WildFire portal (https://wildfire.paloaltonetworks.com/). A file can also be manually uploaded to the WildFire portal for analysis.
WildFire Testing/Monitoring
To ensure the management port is able to communicate with WildFire, use the "test wildfire registration" command in the CLI:
> test wildfire registration
This test may take a few minutes to finish. Do you want to continue? (y or n)
Test wildfire
        wildfire registration:        successful
        download server list:          successful
        select the best server:        va-s1.wildfire.paloaltonetworks.com

The device will only register to the WildFire cloud if a valid WildFire license is present.

The commands below can also be used to verify WildFire operation:
> show wildfire status
Connection info:
Signature verification: enable
Server selection: enable
File cache: enable
WildFire Public Cloud:
Server address: wildfire.paloaltonetworks.com
Status: Idle
Best server: eu-west-1.wildfire.paloaltonetworks.com
Device registered: yes
Through a proxy: no
Valid wildfire license: yes
Service route IP address:
File size limit info:
pe 2 MB
apk 10 MB
pdf 200 KB
ms-office 500 KB
jar 1 MB
flash 5 MB
... cut for brevity

> show wildfire statistics
Packet based counters:
Total msg rcvd: 1310
Total bytes rcvd: 1424965
Total msg read: 1310
Total bytes read: 1393525
... cut for brevity

> show wildfire cloud-info
Public Cloud channel info:
Cloud server type: wildfire cloud
Supported file types: jar flash ms-office pe pdf apk email-link

The WildFire Submissions logs provide details after a WildFire action:
- wildfire-upload-success: The file was successfully uploaded to the WildFire cloud.
- wildfire-upload-skip: The WildFire cloud has already seen the file, so the file is not uploaded to the WildFire cloud. If the file is "Benign", no entry is seen on the WildFire portal.

Regardless of whether the file was uploaded or had already been analysed in the past and was not uploaded, the log entry will be populated with the WildFire report for this sha256.
In case the file has recently been uploaded, the WildFire analysis may not have been completed yet, in which case the report will not yet be available:

owner: tpiens
View full article
nagarkar ‎10-17-2016 02:13 PM
122,291 Views
15 Replies
2 Likes
Data Filtering logs are part of the Informational Threat Logs.

1. Create 3 files with credit card information.

5376-4698-9386-4886
5564-8017-1758-1316
5464-9730-1302-5263
5257-2750-0534-2578
5564-9616-5310-6823
5483-3128-3984-7229
5352-9543-2663-9003
5130-0484-5710-3076
5210-3641-5712-1745
5559-4615-4452-4711
(1 text file with 10 credit card numbers)

5376-4698-9386-4886
5564-8017-1758-1316
(another text file with 2 credit card numbers)

5376-4698-9386-4886
5564-8017-1758-1316
5559-4615-4452-4711
(another text file with 3 credit card numbers)

I have set the CC weight to 1, the alert level to 3 and the block level to 6.

To configure the Data Filtering profile, go to Objects_Tab > Security_Profiles > Data_Filtering.

To configure the Data Filtering pattern, go to Objects_Tab > Custom_Objects > Data_Patterns.

When I sent these files through FTP, I got the following results:
- 1st file: I got a reset-both action, shown in the Data Filtering logs.
- 2nd file: I did not get any alerts.
- 3rd file: I got an alert in the Data Filtering logs.
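As an added example (a model of the behaviour described above, not the firewall's own data filtering engine), the following Python code finds card-formatted numbers that pass the Luhn check, multiplies the count by the weight (1) and compares the score against the alert (3) and block (6) levels; the three constructed files reproduce the results listed above. The action name "reset-both" for the block case and the >= threshold comparison are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample files: the three card lists from the article.
FILE_10 = """\
5376-4698-9386-4886
5564-8017-1758-1316
5464-9730-1302-5263
5257-2750-0534-2578
5564-9616-5310-6823
5483-3128-3984-7229
5352-9543-2663-9003
5130-0484-5710-3076
5210-3641-5712-1745
5559-4615-4452-4711
"""

FILE_2 = """\
5376-4698-9386-4886
5564-8017-1758-1316
"""

FILE_3 = """\
5376-4698-9386-4886
5564-8017-1758-1316
5559-4615-4452-4711
"""

# Constructed negative case: formatted like a card number but fails the Luhn check.
FILE_INVALID = "invoice ref 1234-5678-9012-3456\n"

# Four groups of four digits, optionally separated by '-' or ' '.
CARD_RE = re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b")


def luhn_ok(number):
    """Luhn checksum: double every second digit from the right, subtract 9 if > 9."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def count_cards(text):
    """Number of card-formatted strings in text that pass the Luhn check."""
    return sum(1 for m in CARD_RE.finditer(text) if luhn_ok(m.group()))


@dataclass
class DataFilteringRule:
    weight: int = 1                    # CC weight from the article
    alert_threshold: int = 3           # alert level from the article
    block_threshold: int = 6           # block level from the article
    block_action: str = "reset-both"   # assumption: the reset the article reports


def evaluate(rule, text):
    """Score = matches * weight; block wins over alert when both levels are met.
    Assumption: levels compare with >= (the 3-card file alerts at level 3)."""
    matches = count_cards(text)
    score = matches * rule.weight
    if score >= rule.block_threshold:
        action = rule.block_action
    elif score >= rule.alert_threshold:
        action = "alert"
    else:
        action = "none"
    return {"matches": matches, "score": score, "action": action}


if __name__ == "__main__":
    rule = DataFilteringRule()
    for label, data in (("10 cards", FILE_10), ("2 cards", FILE_2),
                        ("3 cards", FILE_3), ("invalid", FILE_INVALID)):
        print(label, evaluate(rule, data))
```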
View full article
michandras ‎10-03-2016 05:31 PM
3,647 Views
0 Replies
Symptoms
When you navigate to Device > Setup > Management > Logging and Reporting Settings, there is no option to set the log quota for URL filtering logs.

Diagnosis
The URL filtering log database is part of the threat database.

Solution
Because the URL filtering log database is part of the threat database, modify the threat log storage quota based on your requirements. This modifies the quota for both the threat and URL filtering logs.
View full article
rchougale ‎06-22-2016 03:45 PM
2,527 Views
5 Replies
Looking for X-Forwarded-For for User-ID? It is Here!
View full article
pbalasunda ‎01-18-2016 07:12 AM
11,781 Views
4 Replies
1 Like
This document explains the different actions available for vulnerability profiles. Actions can be specified for each rule in a security profile and for specific threat ID exceptions.

Action Type | Action | Where | Action Details
Default | Pre-defined action based upon severity | Rule | Apply the pre-defined action that is selected for each threat
Allow | Allow session, but do not log in Threat Log | Rule | This enables one to create an exception for an event so that there is no entry in the Threat Log
Alert | Allow session, log in Threat Log | Rule | This enables logging for all threats, regardless of severity
Block | Drop all packets for that session | Rule | Drop that packet. Note that TCP will try to retransmit the packet, which will be dropped again, so essentially the entire session is blocked for all practical purposes.
reset-server | Send RST packet to server | Exception | Drop the packet and send a TCP reset towards the server side of the TCP connection
reset-both | Send RST packet to both | Exception | Drop the packet and send a TCP reset to both client and server
reset-client | Send RST packet to client | Exception | Drop the packet and send a TCP reset towards the client side of the TCP connection
drop-all-packets | Drop all packets for that session | Exception | Drop all packets for that session
drop | Drop just that packet | Exception | Drop that packet. Note that TCP will try to retransmit the packet, which will be dropped again, so essentially the entire session is blocked for all practical purposes.
block-ip | Drop all packets from a source IP address | Exception | Block all sessions for a specified period of time from a source IP address

* The word "session" is used as a reference to the firewall session table when the protocol is UDP.
* The Action recorded in the Threat log may differ from the Default Action definition of each threat signature depending on the protocol. For example, when "drop" is set in the security profile, "drop-all-packets" is recorded in the Action field for TCP sessions and "drop" is recorded for UDP sessions.

owner: jjosephs
View full article
nrice ‎11-10-2015 01:44 AM
23,658 Views
4 Replies
1 Like
This week's Tips & Tricks looks at the Application Command Center (ACC), which provides visibility into the network traffic passing through your firewall. The ACC is sometimes overlooked inside the WebGUI, but it is a very powerful tool to help you manage and see the traffic flowing through your network.

Note: I'll be showing you the ACC on PAN-OS 5.0, 6.0 and 6.1. PAN-OS 7.0 changes the look and feel of the interface, which I will cover in a different segment of Tips & Tricks.

In order to learn more about the ACC, we'll explore the following areas:
- What is the Application Command Center (ACC)?
- Parts of the Application Command Center (ACC) and how to get more information from the ACC

What is the Application Command Center (ACC)?
The Application Command Center (ACC) page visually depicts trends and a historic view of traffic on your network. It displays the overall risk level for all network traffic, the risk levels and number of threats detected for the most active and highest-risk applications on your network, and the number of threats detected from the busiest application categories and from all applications at each risk level. The ACC can be viewed for the past hour, day, week, month, or any custom-defined time frame. Risk levels (1=lowest to 5=highest) indicate the application’s relative security risk, based on criteria such as whether the application can share files, is prone to misuse, or tries to evade firewalls.

Parts of the Application Command Center (ACC) and how to get more information from the ACC

We will start with the Dashboard tab:

ACC Risk Factor
Inside the WebGUI, on the Dashboard tab, you'll see ACC Risk Factor. This shows the risk factor over the last 60 minutes, based on the information inside the ACC tab.

This is a general 'threat temperature' of the traffic. If you find it higher than normal, you can use the main ACC to drill down and investigate what is causing the temperature to be higher than normal.
If you'd like to see this and it is not being displayed on your Dashboard page, enable it from Dashboard > Widgets > Application > ACC Risk Factor.

Top Applications
You will also see the 'Top Applications' widget if you have enabled it. This widget displays the applications with the most sessions. The block size indicates the relative number of sessions (mouse over a block to view the number), and the color indicates the security risk, from green (lowest) to red (highest). Click an application to view its application information, as well as a full breakdown of where that application has been seen inside the ACC page.

This is a great way to see the applications in use at a glance. If you would like to see this, it can be enabled from Dashboard > Widgets > Application > Top Applications.

Now let's move on to the ACC tab:
On the ACC tab, you will see the following sections that make up the Application Command Center:
- Time/Sort By/Top (at the top of the window)
- Application
- URL Filtering
- Threat Prevention
- Data Filtering
- HIP Matches

1. Time/Sort By/Top
At the top of the window, you'll see the Time/Sort By/Top options. These control all the display options inside the ACC.

Time: You have options for the time range from the last 15 minutes up to the Last Calendar Month, and even a Custom option. The default is Last Hour.
Sort By: You can sort the charts in descending order by number of sessions, bytes, or threats. The default is by number of sessions.
Top: You have an option for the 'Top' number to be displayed per section. This ranges from 5 up to 500. The default is 25.
Press the green arrow to make your selection take effect. Lastly, the green plus sign is a Set Filter option that allows you to filter by Application, Source or Destination IP, Source or Destination User, Machine Name, HIP, Source or Destination Zone, Risk and URL Category.
Note: There are 2 other parts of the ACC that I didn't document with a screenshot. They are as follows:
Virtual System: If virtual systems are defined, you can select one from this drop-down.
Data Source (for Panorama only): Select the Data Source that is used to generate the graphical display of traffic trends. The default Data Source for new installations is Panorama; Panorama uses the logs forwarded by the managed devices. To fetch and display an aggregated view of the data from the managed devices, you have to switch the source from Panorama to Remote Device Data. On an upgrade, the default data source is Remote Device Data.

Adding a filter comes in handy if you are looking for specific traffic.

Note: You'll also see the same ACC Risk Factor in the upper right, as well as a set of 5 icons. The icons are shortcuts to logs, in the following order:
- Traffic Log
- Threat Log
- URL Filtering Log
- Data Filtering Log
- HIP Match Log
These shortcuts come in handy when you would like to jump straight to the Threat logs but do not want to click on Monitor > Threat logs.

2. Application
The first section you'll see is the Application section.

This section displays information organized according to the menu selection. Information includes the number of sessions, bytes transmitted and received, number of threats, application category, application subcategories, application technology, and risk level, as applicable. The following views are available from the drop-down on the right side:
- Applications
- High Risk Applications
- Categories
- Sub Categories
- Technology
- Risk
This is the section where you can start to investigate questionable traffic as it passes through your network, in or out, by clicking on an application name or by using the drop-down to look at the application data differently.

For example, let's say that 'msrpc' traffic is high, and you want to know more about this traffic.
Simply click on msrpc and you will see the following:
- Application Information: general information about the application, including its name, description, and all other information specific to this application and how it communicates.
- Top Applications: shows session and bytes information
- Top Sources
- Top Destinations
- Top Source Countries
- Top Destination Countries
- Top Security Rules
- Top Ingress Zones
- Top Egress Zones
- URL Filtering
- Threat Prevention
- Data Filtering
You can continue to click on each area to get more detailed information. Sometimes the information you need is only one click down; more involved investigations might take more drill-downs to get the information you need.

3. URL Filtering
Displays information organized according to the menu selection. Information includes the URL, URL category, and repeat count (number of times access was attempted), as applicable. The following views are available:
- URL Categories
- URLs
- Blocked URL Categories
- Blocked URLs
This is a great way to see what URL filtering categories are being used.

4. Threat Prevention
Displays information organized according to the menu selection. Information includes threat ID, count (number of occurrences), number of sessions, and subtype (such as vulnerability), as applicable. The following sections are available:
- Threats
- Types
- Spyware
- Spyware Phone Home
- Spyware Download
- Vulnerabilities
- Viruses
If you want to know about Threat Prevention, you'll really appreciate this section and the information it can show you.

5. Data Filtering
Displays data from the data filtering policy that has been created. The following sections are available:
- Content/File Types
- Types
- File Names
If you use data filtering, this comes in handy to quickly show how many files were created and the repeat count of each type.

6. HIP Matches
This area displays Host Information Profile (HIP) information gathered from GlobalProtect.
The following sections are available:
• HIP Objects
• HIP Profiles

If you're using HIP with GlobalProtect, then this area can prove very helpful.

I hope this Tips & Tricks article has helped you understand the Application Command Center better, as well as provided you with some insight into better ways to access and use the information in the ACC.

As always, we welcome all feedback and suggestions, and we're happy to take requests for future Tips & Tricks; leave a comment below.

Stay secure,
Joe Delio
View full article
‎10-30-2015 02:35 PM
24,435 Views
8 Replies
4 Likes
Overview
This document describes the CLI commands to view threat pcaps from the command line.

Details
On PAN-OS 5.0
Use the following command to view the threat pcap:
> view-pcap threat-pcap <YYYYMMDD/filename>

For example:
> view-pcap threat-pcap 20140409/1397072093-4.pcap
reading from file /opt/panlogs/session/pan/threat/20140409/1397072093-4.pcap, link-type EN10MB (Ethernet)
14:34:53.000000 IP do.enud.com.51395 > videoconfqa.americas.privatebank.citibank.com.https: . 2077219116:2077219151(35) ack 2127480772 win 15544 <nop,nop,timestamp 1979064663 1471899244>
14:34:53.000000 IP videoconfqa.americas.privatebank.citibank.com.https > do.enud.com.51395: . 4244705606:4244705641(35) ack 50261656 win 15544 <nop,nop,timestamp 1979064663 1471899244>
14:34:53.000000 IP videoconfqa.americas.privatebank.citibank.com.https > do.enud.com.51395: . 4244705641:4244707089(1448) ack 50261656 win 15544 <nop,nop,timestamp 1979064663 1471899244>

If the filename is not specified, the command fails with the error "tcpdump: error reading dump file: Is a directory":
> view-pcap threat-pcap 20140409
tcpdump: error reading dump file: Is a directory

On PAN-OS 6.0 and later
Use the following command:
> view-pcap threat
* search-time      Datetime YYYY/MM/DD hh:mm:ss (e.g. "2006/08/01 10:00:00")
* threat-pcap-id   pcap id

For example:
> view-pcap threat threat-pcap-id 1199947415466016771 search-time "2014/05/30 17:50:00"
Generating pcap files...
17:50:06.000000 IP truncated-ip - 6 bytes missing! 192.168.20.1.48092 > 10.10.21.44.http: P 370312602:370313010(408) ack 3732408167 win 256

If one of the parameters is left out, an "Invalid syntax" error is displayed:
> view-pcap threat search-time "2014/05/30 17:50:00"
Invalid syntax.

> view-pcap threat threat-pcap-id 1199947415466016771
Invalid syntax.

Note: The threat pcap id can be obtained from the threat log detail on the web UI:

owner: sdarapuneni
zarina 09-07-2015 07:13 AM
Issue
When committing, the following warning messages appear:
Warning: No valid threat content package exists
Warning: No valid Antivirus content package exists

Cause
Even though valid threat and app licenses may be present, the content may not yet be installed on the Palo Alto Networks firewall.

Resolution
From the WebGUI, go to Device > Dynamic Updates and click "Check now". After the new update is listed, download and install it.

owner: cramirez
cramirez 09-30-2014 02:00 PM
Overview
LAND attacks can occur when an administrator configures destination translation for a DMZ zone server and source translation for Trust zone users using the same public IP address. When traffic from the internal LAN is sent to the firewall's public IP address, source translation is applied and the traffic is dropped by the Palo Alto Networks firewall, because it is considered a LAND attack (same source and destination IP address).

Details
Shown below is the scenario in which traffic can be dropped due to a LAND attack. Traffic initiated from the "Trust_L3" zone to the internet uses source translation. Traffic initiated from the public network (Untrust_L3) to the web server (200.1.1.1) uses destination translation. Here is the NAT configuration for the above scenario.

Traffic from the internal zone (Trust_L3) to the firewall public IP address (200.1.1.1) hits the source NAT rule, which causes source translation to be applied to the traffic. The source is translated to the public IP of the firewall, and the firewall immediately drops this traffic because it is considered a LAND attack: the firewall sees the traffic as having the same source and destination IP address.

Verification
To confirm that traffic is being dropped due to a LAND attack, run the following command. It displays the global counters, specifically the drop counters. A packet filter can be configured with a specific source and destination IP address and applied to the global counters to narrow the output, as shown below. After setting the filter and initiating "Ping" traffic from the internal LAN to the firewall public IP, run the following command to check for drops due to a LAND attack.

> show counter global filter packet-filter yes delta yes severity drop
Global counters:
Elapsed time since last sampling: 17.60  seconds

name                     value     rate severity  category  aspect    description
---------------------------------------------------------------------------------
flow_policy_nat_land      3         0   drop      flow      session   Session setup: source NAT IP allocation result in LAND attack
---------------------------------------------------------------------------------
Total counters shown: 1
---------------------------------------------------------------------------------

Resolution
Create a "No NAT" rule for traffic from the internal LAN (Trust_L3) to the firewall IP address (200.1.1.1), as shown below. Traffic from the internal LAN (Trust_L3) to the firewall IP address (200.1.1.1) then hits the "No NAT" rule and is not subject to NAT translation.

owner: sbabu
sbabu 09-27-2014 02:50 PM
Overview
This document describes how to configure the Palo Alto Networks firewall to block all HTTP POST requests.

Steps
Create a custom vulnerability signature, as shown below.
Create a security policy with vulnerability scanning enabled.

Note: To block HTTP POST in HTTPS traffic, make sure to use SSL Decryption policies, since the firewall cannot inspect the request method in encrypted sessions otherwise.

owner: rvanderveken
rvanderveken 07-19-2013 02:19 AM
Issue
Unable to use SSHv2 to any Layer 3 interface on a Palo Alto Networks device, even though the Management Profile is configured to allow SSH access.

Cause
The issue may be caused by having Vulnerability Protection enabled with the "Block" action in a Security Policy. To confirm, go to Monitor > Logs > Threat and look for "SSH2 Login Attempt" in the Threat log. The Threat ID is 31914.

Resolution
To resolve the issue, add an exception for Threat 31914:
Navigate to Objects > Security Profiles > Vulnerability Protection.
Add an exception to the Vulnerability Protection Profile by clicking the Exceptions tab and entering "( id eq '31914' )".
Click the checkbox for "Show all signatures".
Once the threat is displayed, check its checkbox to enable the exception.
Commit the changes.

owner: ymiyashita
ymiyashita 06-18-2013 12:05 AM
Issue
Content updates (Antivirus, Applications and Threats, URL Filtering, GlobalProtect Gateway) that have been manually uploaded and installed on the Palo Alto Networks device do not appear in the PAN-OS UI, either before or after the installation.

In the following example, version 364-1728 of the Applications and Threats content is currently installed. An older version, 360-1705, is manually uploaded and installed. After the installation, the following output appears on the Dynamic Updates page:

The manually installed update does not appear on the Dynamic Updates page; however, the manually installed version can be confirmed by looking at Dashboard > General Information (below), and also by checking the show system info command in the CLI, as follows:
> show system info
hostname: PA-5060
family: 5000
model: PA-5060
sw-version: 4.1.10
app-version: 360-1705
threat-version: 360-1705
threat-release-date: unknown
url-filtering-version: 4057
global-protect-datafile-version: 0
global-protect-datafile-release-date: Unknown
logdb-version: 4.1.2
platform-family: 5000
vpn-disable: off
multi-vsys: off

Cause
The Dynamic Updates window only displays packages that have been automatically downloaded and installed (scheduled updates) or downloaded from the Dynamic Updates page. Therefore, manually uploaded and installed packages will not appear on the page.

owner: aciobanu
aciobanu 03-20-2013 09:02 AM
Symptom
When using an SSL decryption policy to block malware, the block page does not always display.

Cause
When requesting a web page, browsers tend to accept any response type by sending a header similar to this:
Accept: text/html, image/png, */*;q=0.1\r\n
The */* indicates that any response type will be accepted. When requesting a specific object (.zip, .txt, etc.), the client browser may only accept that type of response, limiting what the browser will display. If requesting a .txt file, you may only see:
Accept: text/text\r\n
When the firewall displays a response page indicating that the request is blocked due to a virus, it sends it as an HTML page with MIME type text/html. This means that if the browser is only accepting text/text, the page will not be displayed. During an SSL session, the client browser may close the request rather than display an error that the MIME type did not match what was requested. The result is that the browser just "spins", displaying no page until an error is presented after a timeout.

owner: gwesson
gwesson 02-06-2013 10:20 AM
Overview
The firewall is able to recognize attacks in fragmented packets. The way it is done:
• The system buffers the fragments
• Reassembles them
• Checks for any vulnerability
• Fragments the data again and sends it out
The fragmented packets sent out may not exactly match the fragmented packets that came in, especially if the packets were received out of order. If the buffer gets full, there is an option to either allow the fragmented traffic or drop it. This can be set from the CLI in configuration mode with the command:
# set deviceconfig setting tcp bypass-exceed-oo-queue

owner: mbutt
mbutt 10-09-2012 01:14 PM
This threat signature fires when a DNS ANY denial-of-service attack is detected. While an ANY request by itself may be normal traffic, it is possible for an attacker to perform a denial-of-service attack against a network using many ANY requests from spoofed sources. Since many requests are generated during an attack, many threat alerts can in turn be generated. The Palo Alto Networks brute-force signature originally looked for 60 single queries in 60 seconds before sending an alert. Since this may still cause a large number of alerts to be generated, the threshold before the alert is generated has been changed to 500 in 60 seconds. This change appears in the Palo Alto Networks Applications and Threats version 318-x.

owner: swhyte
swhyte 07-12-2012 12:52 PM
Under Monitor > Manage Custom Reports, click Add. Once the window opens, the following template can be configured to generate a report for the last 30 days covering vulnerability events only.

The Query Builder inclusion gives the option to include only vulnerability events in the report:
Connector == 'and'
Attribute == 'Type'
Operator == '='
Value == 'vulnerability'
Click Add after all four fields are populated. A sample report will look like this when the above template is used.

Note: The same approach can be used for flood, scan, spyware or virus events as well, by just changing the Value field in the query builder.

owner: kadak
kadak 07-02-2012 02:15 PM
There are a few ways to make sure Zone Protection is working:

Threat logs
The threat logs will show events related to zone protection. In the screenshot below, ICMP flood protection was triggered by the Zone Protection policy.

Command Line Interface
Many commands can be used to verify this functionality. Here are some examples:
Running the command show zone-protection zone trust, for example, will display zone protection information for the zone named "trust". Look for incrementing drop counters.
show interface ethernet1/1 will show statistics for that interface, including "LAND attacks", which are related to Zone Protection.
The show counter global command will show packets dropped by DoS protection. It is important to compare the received and sent rates to determine how many packets are being dropped because of the attack.

owner: nayubi
npare 06-20-2012 08:48 AM
Issue:
How often do updates for licensed components such as Antivirus, Applications and Threats, and URL Filtering occur?

Resolution:
Palo Alto Networks updates are released based on type. Any update type can be released outside the normal update times if a threat is found and resolved before the next normal update time. Typically, updates are released around 5:00-5:30pm Pacific.

Type                      Update times
Antivirus                 Daily
Applications and Threats  Weekly (Wednesday morning)
URL Filtering             Daily

The update schedule on the firewall can be set by going to Device > Dynamic Updates. Each licensed item has a clickable update schedule. From there, the frequency and time of each check can be adjusted.

owner: gwesson
panagent 05-01-2012 08:31 AM
Issue:
Dynamic updates for Applications and Threats will not install.

Symptoms:
Previous versions show as "Unknown"
Download appears to have completed
Install appears to complete with no errors
Manual download and install of Threats and Apps returns the error "Invalid image"

Resolution:
Perform the following steps:
Restart the management server process. This resets the management process and removes any unsaved changes, so make sure to save uncommitted changes first. It will also log out all WebUI users.
> debug software restart management-server
Once the restart is complete, from the WebUI, delete the latest Threats and Apps update and download the file again. Click the install option. The Apps and Threats update should now show properly in the WebGUI.

Owner: jdelio
panagent 03-08-2012 11:12 AM
Issue
The dynamic AV update fails. The 'Last Checked' date has not changed from the default even after numerous attempts. Antivirus updates are not shown under Dynamic Updates.

Details
Applications and Threats update without issue. Manual download and installation of the AV update succeeds.

Cause
Dynamic AV updates depend on the Threats update being installed before they will download automatically.

Resolution
If only "Apps" appears in the "Features" column, download and install an update with "App,Threats" under the "Features" column. Note: a Threat Prevention license is required for this. Future dynamic AV updates should work correctly after this is done.

owner: jdavis
panagent 12-30-2011 02:07 PM
Issue
The antivirus download and install update job has been at the "download in progress" status for several hours.

Resolution
Run the following commands to clear the stuck download job:
> debug software restart device-server
> debug software restart management-server
These commands can safely be run in production and should not disrupt traffic flows through the device. Then reattempt the antivirus database update.

owner: ggarrison
panagent 12-29-2011 08:21 AM
This document is written in Japanese. It is a white paper on the botnet detection feature newly added in PAN-OS 4.0. It also explains details such as the history, case studies and types of botnets.

owner: kmiwa
kmiwa 07-14-2011 01:19 AM
Overview
From the WebGUI, under Device > Dynamic Updates, there is an option to click "Revert" beside the previously installed Antivirus, Applications and Threats, and URL database versions. However, if newer versions of the content files are available, the previously installed version may not appear in the Web UI. In this case, the revert operation must be executed from the CLI.

Details
To revert the Antivirus version:
> request anti-virus downgrade install previous
New content scheduled to be pushed via job 2

To revert the Applications and Threats content version:
> request content downgrade install previous
New content scheduled to be pushed via job 3

To revert the URL Filtering database version:
> request url-filtering revert
BrightCloud URL filtering database revert initiated

owner: ppatel
nrice 06-03-2010 07:05 AM