How to "fix" vulnerabilities.


L2 Linker

Hi,

I have a lot of vulnerabilities that keep triggering in my firewall, but I'm not sure what's causing it or how to fix it.

Most "attacks" are done by servers or clients on my own network...

- Microsoft Windows SMB Fragmentation RPC Request Attempt (14K).  Any ideas how to fix this?

- HTTP Forbidden Error (7K).  This would make sense if it was 30-40 alerts, but not 7K in the last 30 days.

- HTTP WWW-Authentication Failed (4K).  Could this be caused by the exchange client?

- DNS Answer Big TXT Record Response Anomaly (1K)

Thank you

2 REPLIES

Not applicable

Hey johnd,

We're in the same boat.  We get many vulnerability hits internally of the same type as yours.

The thing to do seems to be to open a case with PAN support for each vuln.  It's best to start with the ones that are blocking traffic rather than just alerting you.  Then, IMHO, go for the ones that are most annoying :) and are most easily reproduced.  PAN support will most likely ask you to reproduce the alert with packet capturing on and to add the files or other data to the case that's being transmitted when the vulnerability is identified.

The end result may be surprising.  We generated a case because traffic between our Microsoft SCCM servers and their clients generated many thousands of 40026:  SSL Renegotiation Denial of Service vulnerabilities.  We did the packet captures and submitted file samples.  PAN support came back and said that, yes indeed, this is vulnerable traffic.  There seemed to be no more recourse with PAN support; we could then go to Microsoft to see why they're transmitting vulnerable traffic as part of their protocols.  In the end, we decided to keep the Microsoft SCCM servers running as they were and suppress the alerts on the Palo Altos.

L4 Transporter

In most contexts, I would say these 4 alerts should be ignored, so disabled.
