05-23-2014 09:25 AM
Hello
Today I noticed that my friend downloaded (or tried to download) a file that has a virus.
So I started a small investigation into what had happened. I downloaded the same file from the same location again.
The log from the Threat Log looks like:
I was unable to download this file because I got a message that this file has a virus (the browser was redirected) - that's OK.
Could someone explain to me why in the red frame we have two entries with forward, then deny and finally allow?
How should I understand these entries?
With regards
Slawek
05-23-2014 11:05 PM
Hello SLV,
I have analyzed the screenshot here and please find below my findings:
> If you see the GREEN box, it's showing the log type. The first 3 are showing as "threat" and the 4th one is showing as "traffic". The first 3 logs were generated by the profiles configured on this FW (including "antivirus" and "file blocking").
> For the first 2 entries, the action is "forward". It means you have a file blocking profile configured on this firewall with the action set as "forward". (Most probably, you have a WILDFIRE subscription on this firewall and are sending the MD5/SHA256 hash value to the cloud.) So, the first 2 log entries have been generated by the file blocking profile.
> The 3rd log entry has been generated by your "antivirus" profile configured on this FW. The signature of the file actually matched an existing signature in the ANTIVIRUS database and the PAN FW successfully blocked it. That's why the "action" is showing as "deny".
> The 4th log entry is generated from the "security policy". Even though the file has been identified as a VIRUS by the "antivirus profile" and blocked successfully, the action of that "security policy" was "allow". That is the reason the Action is showing as "allow". (The byte count includes the TCP 3-way handshake, HTTP GET request etc.)
> I hope you have enabled "Log at Session End" in that security policy "Lan_A NAT-monitoring". That is why the time stamp is showing 17:51 (inside the BLACK box) rather than 17:49, when the file was identified by the profile. Normally, the security policy will take a few more minutes to generate the logs.
I hope the above explanation will help you to understand the log file.
Thanks
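The reply above makes a point that is easy to get wrong when triaging firewall logs: the traffic log's "allow" is the security policy's verdict on the session, while whether the file was actually stopped is only visible in the threat logs for the same session. The script below is an added example (not code from the thread or from Palo Alto Networks) that correlates threat and traffic entries by session id and derives a per-session verdict. The CSV layout, the session ids and the byte counts are constructed for illustration and are not the real PAN-OS log schema; the subtype and action names follow the ones discussed in the thread.

```python
import csv
from collections import defaultdict
from dataclasses import dataclass
from io import StringIO

# Constructed sample records modelled on the four entries discussed above.
# The layout is a simplified CSV, not the real PAN-OS syslog schema:
#   time, log_type, subtype, action, session_id, rule, byte_count
# Session 4711 reproduces the thread's case: two file-blocking "forward"
# entries, one antivirus "deny", then a session-end traffic log with "allow".
SAMPLE_LOG = """\
17:49:10,THREAT,file,forward,4711,Lan_A NAT-monitoring,0
17:49:10,THREAT,file,forward,4711,Lan_A NAT-monitoring,0
17:49:11,THREAT,virus,deny,4711,Lan_A NAT-monitoring,0
17:51:05,TRAFFIC,end,allow,4711,Lan_A NAT-monitoring,5830
17:52:00,THREAT,virus,deny,4712,Lan_A NAT-monitoring,0
17:52:40,TRAFFIC,end,allow,4713,Lan_A NAT-monitoring,9000
17:53:02,THREAT,file,forward,4714,Lan_A NAT-monitoring,0
17:55:30,TRAFFIC,end,allow,4714,Lan_A NAT-monitoring,120400
"""

FIELDS = ["time", "log_type", "subtype", "action", "session_id", "rule", "byte_count"]

# Profile actions that mean the firewall stopped the content in-line (assumed set).
BLOCKING_ACTIONS = {"deny", "drop", "reset-client", "reset-server", "reset-both"}


@dataclass
class LogEntry:
    time: str
    log_type: str
    subtype: str
    action: str
    session_id: str
    rule: str
    byte_count: int


def parse_log(text):
    """Parse the simplified CSV export into LogEntry objects."""
    reader = csv.DictReader(StringIO(text), fieldnames=FIELDS)
    return [LogEntry(r["time"], r["log_type"], r["subtype"], r["action"],
                     r["session_id"], r["rule"], int(r["byte_count"]))
            for r in reader]


def group_by_session(entries):
    """Threat and traffic logs for one flow share a session id; group on it."""
    sessions = defaultdict(list)
    for e in entries:
        sessions[e.session_id].append(e)
    return sessions


def classify_session(entries):
    """Derive what actually happened to a session from all of its log entries.

    The traffic log's action is the security policy's decision on the session
    (here "allow"), so it cannot tell you whether a profile blocked the content;
    only the threat logs carry that information.
    """
    threat = [e for e in entries if e.log_type == "THREAT"]
    traffic = [e for e in entries if e.log_type == "TRAFFIC"]
    forwarded = sum(1 for e in threat if e.action == "forward")
    blocked = [e for e in threat if e.action in BLOCKING_ACTIONS]
    if blocked:
        verdict = "blocked_by_profile"          # content stopped, e.g. antivirus deny
    elif forwarded:
        verdict = "forwarded_for_analysis"      # file hash sent on, nothing blocked
    else:
        verdict = "allowed_no_threat"           # only the policy's own traffic log
    return {
        "verdict": verdict,
        "rule_action": traffic[-1].action if traffic else None,
        "rule": entries[0].rule,
        "forwarded": forwarded,
        "blocking_subtypes": sorted({e.subtype for e in blocked}),
        "bytes": sum(e.byte_count for e in traffic),
    }


def summarize(text):
    """Map session id -> classification for every session in the export."""
    return {sid: classify_session(es)
            for sid, es in group_by_session(parse_log(text)).items()}


if __name__ == "__main__":
    for sid, info in sorted(summarize(SAMPLE_LOG).items()):
        print(sid, info)
```

Run stand-alone it prints one line per session; for session 4711 the verdict is "blocked_by_profile" while "rule_action" is still "allow", which is exactly the combination the thread asks about. Session 4714 shows the other case worth distinguishing in a review: a file-blocking "forward" with no deny means the file was sent for analysis, not stopped.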
05-24-2014 01:05 AM
Hello Hulk
Thank you so much for the very detailed explanations!
Now I understand clearly what has happened. Indeed I have WildFire subscriptions, so you guessed correctly.
I'm learning from the community and tech docs, so this is the reason why I asked about such a simple problem. Do you know if PA has special offers (with big discounts) for e-learning trainings or exams?
Maybe someone could share vouchers for it?
With regards
Slawek
05-26-2014 11:58 AM
Hello Slawek,
I am not sure about the discounts, but you can send an email to education@paloaltonetworks.com. They might give you the options, if available.
Thanks