Minimal configuration for Custom Apps

Our programmer wrote an app that uses TCP/9901 and 9902 to transfer data between the East and West buildings.  Let's call it JC-App.   What is the minimum configuration on both the East and West Firewalls?  Also, what would need to be added to requir

Cortex XDR block file execution based on ico\file name

Hi,

I've been wondering - Is it possible to block the execution of a file by file name or ioc in the xdr?

It sounds like a rather basic feature yet i can't seem to find anything about it in the docs - only thing i found is block file execution based on

Detecting TLS 1.0 and TLS 1.1 Protocol

Hi,

I working with a customer that needs to detect the usage of SSLv3(already done with ID 36815), TLS 1.0 and TLS 1.1, at some point they may move to blocking this on certain traffic. They don't particularly want decrypt the traffic for this due to c

Convert ScreenOS Multicast static route to PaloAlto

Hi all,

i'm finally converting an old Juniper ScreenOS firewall to a PaloAlto firewall (5020). I have some problem to understand how to convert some Multicast static Routes.

On screen os i have this specific entry for ex:

GUI:

Type: Static, Forwarding

So

Anyone know how to compare two headers in custom spyware signature?

Anyone know how to compare two headers in custom spyware signature?

ie "http-req-host-header" == ssl-req-client-hello 

Allow iOS Ring doorbell

Hello,

I'm looking for a proper way to allow the iOS Ring app to connect back to the video feed from an iOS device. Android phones work with no issue.

The problem is that it reports the web URL category as "unknown" which I am currently blocking.

I wro

Custom App for unknown SIP traffic

Hi.

I need to create a Custom App for SIP traffic that is not identified by the firewall. I see that you can match on the sip headers but not sure how to write the pattern. 

Have done capture of the traffic and this is what I got...

What can be used h

"email-headers" and "smtp-email-headers" context in customer application definition

Hello,

Is there any difference between "email-headers" and "smtp-email-headers" context in the customer application definition?

I didn't find description of the "smtp-email-headers" context in "Custom Application IDs and Signatures" guide.

Maybe "email-

Letsencrypt (acme) challenge URL

I created this pattern to recognize Letsencrypt (acme-protocol) challenge.

You need to create a custom application with these fields:

• Typo: Transaction

•  

  Context: http-req-uri-path

•  

  Pattern:

That's the best I could bet.

Custom signature for catch specific query

Hello all

I'm trying to catch suspicious ldap queries (recon activity).
For the example I want catch this kind of querie : (primaryGroupID=512)

I tried to make a custom rule. However for ldap, there are only 2 possibilities:
- ldap-req-searchrequest-bas

Allow or drop traffic based on headers

Hi,
I need to allow/drop traffic based on headers.
I need a custom signature to make sure the HOST is one of:
1. abc.com (or)
2. xyz.com

AND
The XFF header is one of:
1. 1.1.1.1 (or)
2. 2.2.2.2 (or)
3. 3.3.3.3

AND
A header name "X-MyHeader" has the value: "123"

Custom Signature to detect a PDF file

DISCLAIMER:

As with all custom signatures on this forum, this signature is being provided by the author as a result of enthusiasm for the product and to share ideas with the Palo Alto Networks security community.

It is:

- Not recommended fo

Limiting http methods to specific URLs

Has anyone had luck limiting http methods like PUT to limited URLs? For example, limiting a PUT to https://www.foo.com/ but not to https://www.foo.com/folder1 ? I've created a custom vulnerability that allows the http-method (http-req-header length >

DDOS, Brute force and referer header match options with custom signatures for app-id and vulnerability.

Hello to All,

I have made a post with examples in an another part of this forum but now I see that there is a seperate discussion for custom signatures, so I am posting it here. Now with version 10 as there is no 7 byte limit it is much more easier