Advanced Threat Prevention Discussions
Welcome to the Advanced Threat Prevention discussion area. Here, we explore Precision AI-powered protection that stops zero-day malware, exploits, and command-and-control attacks in real time—ensuring proactive defense and resilience against today’s most sophisticated threats.

Discussions

Welcome to the Threat & Vulnerability Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4170 Views
  • 0 replies
  • 0 Likes

Strange TCP traffic from PAN Firewall management IP going to Japan

Hi All, I've noticed a strange event in our network. We have PAN 5020 and other PAN firewalls. The issue is from the management IP from one of them there is TCP traffic going to a Japanese server on port 135 (MSRPC). One of our Sensors detects it as "possible infection". Some vendors have suggested it is nothing and may be related to this since ...

URL Filtering Implementation Best Practice

Hello everyone, I have a vendor that is going to work on deploying the URL Filtering service in our Pan3020 but I wanted to understand/learn what the best approach is in order to come up with an outcome that is manageable once they leave us. As of today, our security profiles such as Wildfire, Antivirus, etc. are applied to each rule. This d...

garciar by L0 Member
  • 13699 Views
  • 4 replies
  • 0 Likes

RSA TLS crypto attack, ROBOT—short for "Return Of Bleichenbacher's Oracle Threat"

Recent article talks about a newly discovered (but old) vulnerability: https://arstechnica.com/information-technology/2017/12/a-worrying-number-of-sites-remain-open-to-major-crypto-flaw-from-1998/?comments=1&start=40 You can test your links here if you are vulnerable: https://robotattack.org With TLSv1.2, all my Palo Alto GlobalPr...

Threat ID for Unsafe Characters in URLs

Is there a Threat signature to detect Unsafe/Illegal characters in a URL? I've searched the ThreatVault but I couldn't find any unfortunately. For clarity this is what I'm talking about - https://perishablepress.com/stop-using-unsafe-characters-in-urls/ Has anyone been able to find a signature for this (without using a custom signature)? Thank you

adcar by L2 Linker
  • 4267 Views
  • 2 replies
  • 0 Likes

Suspicious Abnormal HTTP Response Found

My customers are complaining that they're not able to open the website www.sligrofoodgroup.nl Our "Antivirus / Anti Spyware Block Page" kicks in, and in the threat monitor I see it's blocked because of the vulnerability "Suspicious Abnormal HTTP Response Found" in the favicon.ico file: https://threatvault.paloaltonetworks.com/?query=40393 What does t...

Sjoerd by L2 Linker
  • 10903 Views
  • 1 replies
  • 0 Likes

Update 762 "broke" our PA500

Hi Guys, We manually updated to 762 today and our Palo immediately started ending sessions with the Resources-unavailable reason. Reverting the update and restarting the dataplane fixed the issue. Has anyone else had issues with it? Regards, Ronelle

Ronelle by L0 Member
  • 3916 Views
  • 1 replies
  • 0 Likes

performance problem with pa-3050

We have two ISP related DNS servers with each behind a pa-3020. During peak time we have seen the number of sessions increase to 150K on each pa-3020 so we were concerned that if one DNS server had to take the whole load then the pa-3020 would go over the 256k session limit. We decided that we needed to move the DNS servers each behind a pa-30...

Not all SSL traffic is being decrypted

I configured the firewall to decrypt outbound SSL traffic and installed a local cert I created onto my browser. When I monitor my port 443 traffic I see some of it is decrypted and some of it isn't. Is this normal behavior? I thought it was supposed to decrypt all SSL traffic? Also, I was trying to create a policy that would send an alert any tim...

HP Intelligent Management Center TFTP Server DATA and ERROR Packets Buffer Overflow (35688)

Good Day, everyone needing some help with a threat id number I cannot find any information on. I am needing to do some research on this threat ID that is showing in the Palo Alto once in a while. I am wanting to change security profile setting from default on high alert to best security practices which is reset-both connections on high and crit...

Which method of Phishing Credential Prevention?

We are currently using User-ID to map users to IP addresses. It seems that there are three possible methods of preventing credentials from leaving a site, but I am not clear on which method is best. What are other folks doing? One of the methods involves spinning up a RODC, which seems to be the most accurate of the three methods, but there i...

  • 545 Posts
  • 78 Subscriptions