Getting Started with Best Practices Templates


Hi to all,

I am trying to create a best-practice Vulnerability Protection and Anti-Spyware profile with extended packet capture as described in

https://www.paloaltonetworks.com/documentation/81/best-practices/best-practices-internet-gateway/bes...

 

But I received a warning message:

 

Operation: Commit
Status: Completed
Result: Successful

Details:
  • Configuration committed successfully

Warnings:
  • Warning: The action is block for rule "simple-critical" in anti-spyware profile "Best-practice and sinkhole" with extended packet capture enabled. Only the first packet will be captured.
  • Warning: The action is block for rule "simple-high" in anti-spyware profile "Best-practice and sinkhole" with extended packet capture enabled. Only the first packet will be captured.
  • Warning: The action is block for rule "simple-medium" in anti-spyware profile "Best-practice and sinkhole" with extended packet capture enabled. Only the first packet will be captured.
  • Warning: The action is block for rule "simple-client-critical" in vulnerability profile "Best Practice Vuln Strict Pcap" with extended packet capture enabled. Only the first packet will be captured.
  • Warning: The action is block for rule "simple-client-high" in vulnerability profile "Best Practice Vuln Strict Pcap" with extended packet capture enabled. Only the first packet will be captured.
  • Warning: The action is block for rule "simple-client-medium" in vulnerability profile "Best Practice Vuln Strict Pcap" with extended packet capture enabled. Only the first packet will be captured.
  • Warning: The action is block for rule "simple-server-critical" in vulnerability profile "Best Practice Vuln Strict Pcap" with extended packet capture enabled. Only the first packet will be captured.
  • Warning: The action is block for rule "simple-server-high" in vulnerability profile "Best Practice Vuln Strict Pcap" with extended packet capture enabled. Only the first packet will be captured.
  • Warning: The action is block for rule "simple-server-medium" in vulnerability profile "Best Practice Vuln Strict Pcap" with extended packet capture enabled. Only the first packet will be captured.
  • (Module: device)

 

Can you explain, what is wrong?


Hello,

Since the configuration committed successfully, everything looks OK from the PAN standpoint. However, the reason for the additional messages is that you have extended packet capture enabled but the policy is set to block. These are not really compatible, since it's going to capture only the first packet because the rest of them are getting blocked. If you disable the extended packet capture on the policies that are medium and higher, these warnings will go away.

 

Regards,

Thank you, Otakar.Klier
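The check the commit runs here can be reproduced offline. The following is an added example, not code from this thread or from Palo Alto Networks: a small Python lint that walks anti-spyware and vulnerability-protection profile rules laid out like the PAN-OS configuration XML and reports every rule that pairs `extended-capture` with an action that ends the session. The element names (`<action>`, `<packet-capture>` with the values `disable`, `single-packet`, `extended-capture`) follow the PAN-OS config layout as an assumption; the sample config is constructed and reuses only the profile and rule names from the thread. Because the original poster's rules used `reset-both` and still received the warning, every session-ending action (block, drop, the resets, block-ip) is treated the same way the commit check treats "block".

```python
"""Lint threat-profile rules for extended packet capture combined with a
session-ending action, the combination behind the commit warnings above.
Added example, not PAN-OS or Palo Alto Networks code; element names follow
the PAN-OS configuration XML layout as an assumption."""
import xml.etree.ElementTree as ET

# Actions that end the session. The thread shows reset-both raises the
# warning even though the message says "block", so all of these count.
SESSION_ENDING_ACTIONS = {
    "block", "drop", "reset-client", "reset-server", "reset-both", "block-ip",
}

# Constructed sample; only the profile and rule names come from the thread.
SAMPLE_CONFIG = """
<config>
  <profiles>
    <spyware>
      <entry name="Best-practice and sinkhole">
        <rules>
          <entry name="simple-critical">
            <action><reset-both/></action>
            <severity><member>critical</member></severity>
            <packet-capture>extended-capture</packet-capture>
          </entry>
          <entry name="simple-low">
            <action><alert/></action>
            <severity><member>low</member></severity>
            <packet-capture>extended-capture</packet-capture>
          </entry>
        </rules>
      </entry>
    </spyware>
    <vulnerability>
      <entry name="Best Practice Vuln Strict Pcap">
        <rules>
          <entry name="simple-client-critical">
            <action><reset-both/></action>
            <severity><member>critical</member></severity>
            <packet-capture>single-packet</packet-capture>
          </entry>
          <entry name="simple-server-high">
            <action><block-ip><track-by>source</track-by><duration>3600</duration></block-ip></action>
            <severity><member>high</member></severity>
            <packet-capture>extended-capture</packet-capture>
          </entry>
        </rules>
      </entry>
    </vulnerability>
  </profiles>
</config>
"""


def rule_action(rule):
    """The action is the tag of the single child under <action>,
    e.g. <reset-both/> or <block-ip>...</block-ip>."""
    action = rule.find("action")
    if action is None or len(action) == 0:
        return "default"
    return action[0].tag


def find_first_packet_only_rules(config_xml):
    """Return (profile_type, profile_name, rule_name, action) for every rule
    whose extended capture can only ever record the first packet."""
    root = ET.fromstring(config_xml.strip())
    findings = []
    for profile_type in ("spyware", "vulnerability"):
        for profile in root.findall(f"./profiles/{profile_type}/entry"):
            for rule in profile.findall("./rules/entry"):
                pcap = rule.findtext("packet-capture", default="disable")
                action = rule_action(rule)
                if pcap == "extended-capture" and action in SESSION_ENDING_ACTIONS:
                    findings.append(
                        (profile_type, profile.get("name"), rule.get("name"), action)
                    )
    return findings


def format_warning(finding):
    """Render a finding in the same shape as the commit warning, plus the fix."""
    profile_type, profile_name, rule_name, action = finding
    label = "anti-spyware" if profile_type == "spyware" else "vulnerability"
    return (
        f'The action is {action} for rule "{rule_name}" in {label} profile '
        f'"{profile_name}" with extended packet capture enabled. Only the first '
        f"packet will be captured; set packet-capture to single-packet or disable."
    )


if __name__ == "__main__":
    for finding in find_first_packet_only_rules(SAMPLE_CONFIG):
        print(format_warning(finding))
```

Run against the sample, it flags `simple-critical` (reset-both) and `simple-server-high` (block-ip) and leaves the `alert` rule and the `single-packet` rule alone. The suggested change follows the reply above: disable the capture on blocking rules, or keep `single-packet`, which is all a blocking rule can deliver according to the warning text itself.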

 

>If you disable the extended packet capture on the policies that are medium and higher, these warnings will go away.

It works.

But I don't understand something.

In the document that I quoted, reset-both is recommended, not block.
Security Policy with these profiles allows traffic.

 

For example:

Warning: The action is block for rule "simple-critical" in anti-spyware profile "Best-practice and sinkhole" with extended packet capture enabled. Only the first packet will be captured.

 

Action is not block, but reset-both.

 

[screenshot: Anti-Spyware.JPG]

 

Settings are made according to the manual.

 

1. Warning should be expected when Commit?
2. Error in the document or mismatch of versions (8.0, not 8.1), restriction for VM-versions?
3. Do I actually need extended packet capture?

Hello,

So here are my insights:

 

1. Warning should be expected when Commit?

It depends on what is configured. What the PAN does is go over the config as a self-check to make sure the config is valid. For example, I get a lot of these due to application dependencies. What the PAN expects is that the dependent app is in the same policy; however, it could be further down the list, so it's just a warning.

 

2. Error in the document or mismatch of versions (8.0, not 8.1), restriction for VM-versions?

Could be; it would be best to open a TAC case to be sure, however.


3. Do I actually need extended packet capture?

It depends. Do you have a corporate need to review what is blocked at a packet level? If so, then yes, this will help. For us, we do not have that need, so we don't do the pcaps at all. If we need to, we can change it at a later time. I would read up on the difference in the actions. We have ours set to Block-ip for 3600, so if we get attacked by something the PAN knows, it will block the source IP for 1 hour. I only have this enabled externally, however, since we could inadvertently block legit internal traffic.

 

I hope this helps!
