- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
09-17-2012 01:43 AM
Hi,
I have a lot of vulnerabilities that keeps triggering in my firewall, but I'm not sure whats causing it or how to fix it.
Most "attacks" are done by servers or clients on my own network...
- Microsoft Windows SMB Fragmentation RPC Request Attempt (14K). Any ideas how to fix this.
- HTTP Forbidden Error (7K). This would make sende if it was 30-40 alerts, but not 7K in the last 30 days.
- HTTP WWW-Authentication Failed (4K). Could this be caused by the exchange client?
- DNS Answer Big TXT Record Response Anomaly (1K)
Thank you
09-18-2012 07:29 AM
Hey johnd,
We're in the same boat. We get many vulnerability hits internally of the same type as yours.
The thing to do seems to be to open a case with PAN support for each vuln. It's best to start with the ones that are blocking traffic rather than just alerting you. Then, IMHO, go for the ones that are most annoying and are most easily reproduced. PAN support will most likely ask you to reproduce the alert with packet capturing on and to add the files or other data to the case that's being transmitted when the vulnerability is identified.
The end result may be surprising. We generated a case because traffic between our Microsoft SCCM servers and their clients generated many thousands of 40026: SSL Renegotiation Denial of Service vulnerabilities. We did the packet captures and submitted file samples. PAN support came back and said that, yes indeed, this is vulnerable traffic. There seemed to be no more recourse with PAN support; we could then go to Microsoft to see why they're transmitting vulnerable traffic as part of their protocols. In the end, we decided to keep the Microsoft SCCM servers running as they were and supress the alerts on the Palo Altos.
09-18-2012 07:49 AM
In most contexts, I would say these 4 alerts should be ignored, so disabled.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!