Adding ?v=panosurl to MineMeld EDL brought down our entire network


L1 Bithead

Just wanted to share this with the community in hopes that it may prevent one from experiencing the hardship that we did. We use MineMeld with our URL filtering rules. We appended "?v=panosurl" to the end of the URL for our General_Block_List with the assumption that it would just reformat the output, essentially removing the "http://" from the URLs in the list. Unfortunately adding ?v=panosurl to the end of the URL caused the list to add three entries for *.com and one for *.it.

Since this EDL was a block list it essentially began blocking everything to those TLDs. This brought the entire network to its knees and we couldn't get into our Panorama server to revert the change. We were eventually able to access the Panorama server via the CLI and revert the changes.

 

Just beware and do your due diligence when implementing this on your EDLs. 

 

Cheers!


L3 Networker

One of our customers seemed to have the same issue. What is the solution for this? PAN-OS is on the 8.1.4 release.

L2 Linker

Thanks for the post, although I found it after I had experienced the same thing; however, my list did not include *.com or *.it.

 

name@fw(active)>  request system external-list show type ip name edl-phishing-sites 
vsys1/edl-phishing-sites:
Next update at : Thu Dec 27 16:00:02 2018
Source : https://10.x.x.x/feeds/phishing-url?v=panosurl
Referenced : Yes
Valid : Yes
Auth-Valid : Yes

Total valid entries : 2013
Total invalid entries : 59

 

Went through the entire text and did not find a string or consecutive wildcards together. Can't figure out why this would have recategorized pretty much every common domain as edl-phishing-sites. Thankfully I deny all traffic to those sites with my policy. We had a connectivity issue for about 5 minutes until I could back everything out. What a pita.

Today I had the same issue and I think I found the reason. I have compared the lists with and without ?v=panosurl and I found some problems with different entries. Entries in MineMeld like *domain.tld will be changed to *.tld after adding the parameter to the URL. I also found a typo in a manually entered indicator. This one was *:acbay.com and was also changed to *.com after adding panosurl to the URL ...

So do you think there is an issue with the parser? What PANOS version are you running? I still have not moved forward in implementing due to the high risk/low payoff and there seems to be a question whether this is really happening. Sorry it happened to you but I'm also glad I'm not crazy.

To me this definitely is an issue in the parser. Even if "*abc.com" isn't a valid entry on a Palo Alto firewall, changing this to "*.com" cannot be right. In my opinion, the best would be if ?v=panosurl did the same as a Palo Alto firewall does (in addition to removing http:// and https://): such entries should simply be ignored.
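Added example (not from any poster in this thread, and not MineMeld's or Palo Alto's code): a Python pre-flight check that does what the reply above did by hand before the list is ever pointed at a firewall. It parses the feed as fetched with and without the translation, flags any entry that a URL block list would read as a whole-TLD wildcard such as *.com or *.it, flags wildcards that are not in "*." form like *domain.tld or *:acbay.com, and lists entries the translated output contains that no raw entry explains. The two feed bodies are constructed, and the entry regex and the "single-label host means a whole TLD" rule are this example's own assumptions rather than the vendor's grammar.

```python
import re
from typing import Dict, List, Optional

# Constructed sample feeds for illustration only. RAW_FEED stands in for what a
# MineMeld EDL returns without ?v=panosurl; PANOSURL_FEED stands in for the
# translated output described in the thread, where "*domain.tld" and the
# mistyped "*:acbay.com" came back as bare TLD wildcards.
RAW_FEED = """\
http://evil.example.com/login
https://phish.example.net/
*domain.tld
*:acbay.com
"""

PANOSURL_FEED = """\
evil.example.com/login
phish.example.net/
*.tld
*.com
"""

# Conservative shape for a PAN-OS URL-category EDL entry (an assumption made by
# this check, not the vendor's grammar): optional leading "*." wildcard, dotted
# hostname labels, optional path. No scheme and no ":" anywhere.
ENTRY_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)*[a-z0-9-]+(/\S*)?$", re.IGNORECASE)


def parse_feed(text: str) -> List[str]:
    """Split a feed body into entries, dropping blank lines and '#' comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.append(line)
    return entries


def check_entry(entry: str) -> Optional[str]:
    """Return a reason string if the entry is unsafe to publish, else None."""
    host = entry.split("/", 1)[0].lower()
    if host.startswith("*."):
        host = host[2:]
    elif "*" in host:
        # "*domain.tld" or "*:acbay.com": the wildcard is not a whole label.
        return "wildcard not in '*.' form"
    if not ENTRY_RE.match(entry):
        return "malformed entry"
    if len(host.split(".")) == 1:
        # "*.com", "*.it": in a block list this matches every host under the
        # TLD, which is what took the original poster's network down.
        return "matches an entire TLD"
    return None


def audit_feed(text: str) -> Dict[str, str]:
    """Map every problematic entry in a feed to the reason it was flagged."""
    problems = {}
    for entry in parse_feed(text):
        reason = check_entry(entry)
        if reason is not None:
            problems[entry] = reason
    return problems


def strip_scheme(entry: str) -> str:
    """Remove a leading http:// or https://, the one change the translation is expected to make."""
    return re.sub(r"^https?://", "", entry, flags=re.IGNORECASE)


def introduced_by_translation(raw_text: str, translated_text: str) -> List[str]:
    """Entries in the translated feed that no raw entry explains once the
    scheme is removed, i.e. what the translation layer itself produced."""
    expected = {strip_scheme(e).lower() for e in parse_feed(raw_text)}
    return sorted(e for e in parse_feed(translated_text) if e.lower() not in expected)


def safe_to_deploy(raw_text: str, translated_text: str) -> bool:
    """Gate a firewall commit: no flagged entries and no unexplained ones."""
    return (not audit_feed(translated_text)
            and not introduced_by_translation(raw_text, translated_text))


if __name__ == "__main__":
    for entry, reason in audit_feed(PANOSURL_FEED).items():
        print(f"FLAGGED {entry!r}: {reason}")
    for entry in introduced_by_translation(RAW_FEED, PANOSURL_FEED):
        print(f"NEW AFTER TRANSLATION {entry!r}")
    print("safe to deploy:", safe_to_deploy(RAW_FEED, PANOSURL_FEED))
```

Running it against the constructed feeds flags *.tld and *.com as whole-TLD wildcards, reports both as entries the translation introduced, and returns False from safe_to_deploy; the same check run on the raw feed instead flags *domain.tld and *:acbay.com as bad wildcards, which is where such indicators should be caught.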

L1 Bithead

I had a similar experience where implementing the ?v=panosurl caused a huge spike in CPU on our PA5220s and we couldn't commit configuration changes. I was kind of shocked that making what was recommended as a change would have such dire effects on our environment. Has anyone used it successfully? If not, do you have a workaround to make EDL feeds from MineMeld usable for URL filtering?
