PA Bypass Question - McAfee Evader

cancel
Showing results for 
Search instead for 
Did you mean: 

PA Bypass Question - McAfee Evader

L2 Linker

Does anyone have any information on the latest posted PA bypass?  The youtube video shows some of the FW features  being bypassed using McAfee Evader.  It appears to require an IP of the firewall to execute - the example also shows most of the evasions relating to protocols not likely to be exposed over the firewall (NetBIOS, RPC, SMB) so I'm not sure how broadly this applies or how bad it is. 

 

666 different ways to bypass palo alto networks in 6 minutes

Published on Nov 30, 2015
full log file can be found http://goo.gl/WR3VkJ
full config file http://pastebin.com/PXARPh2a

 

It seems pretty bad, and the video claims "This cannot be resolved by a patch or a signature as the single-pass architecture is fundamentally flawed."

 

We are opening a ticket on this to find out more.

1 REPLY 1

L2 Linker

Fast response from PA supprt:

On November 30th, a video was posted by the owner of the NetSecVulns YouTube channel titled "666 different ways to bypass palo alto networks in 6 minutes”.

 

In the first video, posted Nov 30th, NetSecVulns sets up a lab with a Windows XP SP2 victim and the Stonesoft Evader tool configured to use the Conficker attack and a Palo Alto Networks Next-Generation Firewall in Layer 3 mode placed in between 2 endpoints. Great pains are made to show that our firewall is configured using our Best Practices configuration document. Once the Evader tool completes its run, the administrator shows that our firewall missed 666 evasion attempts. 

 

In reality, NetSecVulns skipped step 4 in our Best Practices document: creation of an unknown application block rule. This can be verified in the video (at 2:20) where we see a single allow rule instead of the expected 2 rules with the first one dropping unknown applications. Later in the video, at 4:31 and 5:49, it shows the "threat logs”, carefully avoiding "traffic logs" where we would have seen unknown-tcp sessions allowed through.

 

After running this test in our own lab on PAN-OS 7.0.3, and correctly following the same Best Practices document, we verified that we block 100% of the 204,090 evasion attempts. Also note that this test is performed by our internal QA team for each PAN-OS major and minor feature release.

 

On Dec 3rd, NetSecVulns posted a new video, correcting the "step 4" error. However once again they did not follow all steps in the Best Practices document, rendering the test inaccurate and misleading.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!