Recently my developers have been complaining about some aspect of their site development that is failing. Long story short, I had to roll back to the 307 version of the apps/threat database to get the site to work again. I'm not a programmer and barely know the Palo Alto environment, so bear with me. Quite simply, I can reproduce the problem by trying to access an XML file from the trust side of the firewall. With 307, the XML code pops up; with 314 (or 313) the XML will not come up. This XML file apparently controls the app, hence the app fails similarly, with a hang.
How do I troubleshoot this? Where in the Palo Alto can I see either something being blocked or dropped? This app is RTMP based and I can see there has been a lot of work relative to some Adobe applications upon which my app is based.
Basically, I am stuck due to lack of knowledge. I'm working with PA support, but am also looking to see if any others have seen issues going forward to 313/314 of the apps/threat database.
Thanks very much.
Check the threat log and traffic log (search for the source IP of the client being used) to find out why the flow was blocked.
In order for this to work you must have a "deny + log" rule at the bottom of your security rules (otherwise there is just a hidden deny rule, which means that no logging occurs on denied traffic).
When you find out which threat ID this XML is being identified as, you need to find out if the XML really is bad or not. You can read about the threat in the Threat Vault: http://wwapps.paloaltonetworks.com/ThreatVault/
If this is a false positive then you should contact support with info on which DB and threat ID, and (if possible) also send in a pcap (tcpdump) of the traffic when it works (so support has something to verify against).
I think you can get in touch with the app and threat team at: http://www.paloaltonetworks.com/researchcenter/tools/
This change did enable me to find my problem. Unfortunately, my unfamiliarity with how the box works with DROP turned on caused me problems. Apparently, turning on this drop makes intrazone traffic drop (or some such) and I got myself into quite a pickle. I'll open a ticket with support to see how to properly set up a drop rule to avoid issues. The drop rule is really helpful to me since the end users/developers do not know how an application-based firewall works.
Thanks for your help,
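A concrete form of the "deny + log" rule from the answer above, written so that it does not also swallow intrazone traffic (the pitfall described in the follow-up): an explicit intrazone allow-and-log rule sits above the catch-all deny, so the deny only replaces the silent implicit deny rather than the implicit intrazone allow. This is an added PAN-OS CLI example, not configuration from the thread or from Palo Alto Networks; the zone name trust and both rule names are assumptions, and the lines beginning with # are annotations rather than CLI input.

```text
# Enter configuration mode on the firewall CLI
configure

# Intrazone traffic is allowed by a hidden default rule that does not log.
# Make that allow explicit and log it, so a catch-all deny cannot catch it.
set rulebase security rules allow-intrazone-trust-log from trust to trust source any destination any application any service any action allow log-end yes

# Explicit catch-all deny that logs, so denied flows show up in the traffic log
set rulebase security rules deny-all-log from any to any source any destination any application any service any action deny log-end yes

# Rule order is what matters: the intrazone allow must be evaluated before
# the catch-all deny, and the deny must remain the very last rule
move rulebase security rules allow-intrazone-trust-log before deny-all-log
move rulebase security rules deny-all-log bottom

commit
```

After the commit, reproduce the XML fetch and filter the traffic and threat logs on the client's source IP: the traffic log shows which rule matched, and the threat log entry gives the threat ID to look up in the Threat Vault.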