We came into the office this morning to receive reports from users that they weren't able to access their core application, which runs on Apache web server. When they log in, the Internet Explorer URL directs the users to www[whatever-url]com/login.jsp. Our clients download the file login.jsp when they access the login portal for the webpage. The firewall is blocking this file in accordance with signature ID 31313 (Oracle single sign on vulnerability).
This behavior has been true for as long as I can remember, but suddenly our PA-3020 running PAN-OS 7.1.1 decided to block this file as a threat. We were able to quickly resolve this issue with a vulnerability protection exemption to allow this threat signature for a specific IP address.
What I'm now working on is to determine what caused this sudden change in behavior that resulted in the file being blocked. Our firewall did take an app and threats update yesterday around 1:45pm (panupv2-all-contents-8069-5027). However, the vulnerability signature that was being blocked was 31313, which is not mentioned in the latest update release, and I know this signature has existed for a long time now.
Has anyone ever seen this sort of sudden change of behavior in the past? Or any advice on places to check in the Palo Alto for more clues on what may have occurred?
There were changes made to signature 31313 in Content version 8068-5026.
Please work with Support to have this False Positive resolved.