Blocking & AV

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Blocking & AV

L3 Networker

Hi - we current;y have our PA4050s in aleret mode only on every rule for AV. If we device to turn this to Block for specific rules - what does this actually do if it identifies a virus? Cheers.

22 REPLIES 22

L3 Networker

If it's a download, the transmission will be blocked and the user will see the block page which you can customize.

The box can also block virus data. In other words data farmed by viruses and sent to the web or to other machines. This will be blocked too but the user will not see anything.

L6 Presenter

If you choose the 'default' AV profile, we will block the content when a virus is detected.  We will continue to alert for virus detected in SMTP, IMAP, and POP3 because we are not a mail proxy/relay.  If the virus is detected over HTTP, then we will serve the AV block page.  For other traffi like FTP, then we will reset the connection to prevent the transmission of the virus.

many thanks for your replies. In more detail we have

CLIENT HTTPs <-----> (ssl termination)ASA<-------PALO ALTO--------->HTTP to web server

So:

1. Would the block page get served the end client successfully?

2. All the traffic to the web server comes from the same source IP address on the ASA for all clients - will the Palo Alto understand that?

3. Would this block all traffic from the client (ie. if they started another http session that was clean - would that get through?).

4. So if all traffic comes from a source of the ASA - would a block kill ALL traffic from the ASA to the webserver (as all is coming from the same source IP of the ASA)?

Hopefully someone can help!!

Thanks

My comments inline:

1. Would the block page get served the end client successfully?

Yes.

2.  All the traffic to the web server comes from the same source IP address  on the ASA for all clients - will the Palo Alto understand that?

Yes, the Palo Alto device is stateful and will take action only on the HTTP session where the virus was detected.

3.  Would this block all traffic from the client (ie. if they started  another http session that was clean - would that get through?).

A new HTTP session will contain new TCP session #, and the Palo Alto will treat it as a new connection.  The new connection will be protected but not block unless it contains a malware.

4.  So if all traffic comes from a source of the ASA - would a block kill  ALL traffic from the ASA to the webserver (as all is coming from the  same source IP of the ASA)?

No, the block will affect only that specific HTTP connection while other connections will continue.

rmonvon - many thanks. This clarifies for me - and worked as I had envisaged - only the TCP session in question and not all TCP sessions will be affected (my only worry was that all TCP sessions are from the same source - but you have made it clear that all other TCP sessions would be unaffected!). Thanks again!

Farrel...Thank you for being a customer!!

L3 Networker

Hi - just ressurecting this one!! We have implimented the block on AV for a specific rule for some browser based traffic and the PA log shows that we have a "deny" for the Eicar test file - but the end user never gets the response page. As stated before we have client connecting over SSL VPN to an ASA - all traffic comes from the source IP of the ASA. The PA then sits in front of the end web server.

Any advice!!?

Does the user have rights to hit the block page over their VPN connection ? Can they route to it ? Browse to it ?

Hi

We've not tested this with no ASA in the way. So we have client-----Palo-----Web server with the same result.

The clients connect to the web server on a non-standard port. The rule is set to block on virus. They connect and authenticate to the page fine - then go to a page which has a "browse" button to load the Eicar file onto the site. The page hangs - but no block page is presented to the client. The PA shows that the Eicar virus was detected and blocked. So end to end it's working - they just never get the block page.

Can you test without the VPN tunnel to see if the AV block page is served.  Have a user connect thru the PAN firewall and retrieve the eicar file.  Thanks.

Hi - as stated in my last post. We've now done this with the same client but they are now sat in the office the Palo Alto is also in the same office - just an internal router hop away - so they are NOT going via the ssl vpn solution and we get the same result. It's would take a bit more effort to get the file onto the web servers to retrive the other way (I don't personally have access to them - and neither does the client who is testing).

Can you confirm the traffic is web browsing when the eicar file is retrieved.  Make sure the file is served up via HTTP then we can inject the AV block page.  Web servers can be configured to serve up files via SMB/NETBIOS instead of HTTP.  Thanks.

Hi - just resurrecting this query as it's still outstanding. When I do a wireshark trace on the client and upload the file from my client to the end server - I can see the http 503 page with the "AV blocked" message (from the Palo Alto) being sent from the end server IP back to my client (along the TCP session that the Eicar virus is found in). However, I never see it in the browser.

Since you're seeing the 503 AV block page, then the PA device is sending the bloack page as designed.  However, it appears you're testing the upload of the virus instead of a download.  You should see the AV block page on a download.  In an upload (i.e. HTTP POST), you may not see the block page.

  • 8352 Views
  • 22 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!