Has anyone seen this critical threat, which is correlated in our environment with Google Mail?
This event started with content-8770-8365.
I can see that Palo Alto made some changes in Modified Anti-Spyware Signatures in the release notes.
It simply breaks the Gmail web-based email client.
I attach an example pcap file.
I assume it is a false positive, but ...
Palo Alto Networks is currently working on the false positive issue with the signature (Threat ID: 86680).
Please monitor the content release notes and look for the signature update.
Please create a threat exception in the meantime as needed.
Hi, the IP exception and the Threat ID are OK, but it's highly dependent on the area you come from.
Especially in terms of Google's cloud.
I am personally waiting for PA's new "Application and Threats" version.
I hope they will find a solution and we won't have to do exceptions ourselves.
Looks like App&Threats 8773 was released, but nothing in the release notes about 86680. I did an exception for this, but can't change the severity from Critical, and we have a rule that sends emails on all Critical events, so our emails are getting blasted with this false positive. Is there a case ID about this so I can enter a case and tag it, so they know about how this is affecting others? I'm also going to loop in our SE.
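The post above describes the alerting problem: the threat exception stops the block, but the severity stays Critical, so a rule that e-mails on every Critical event keeps firing on the acknowledged false positive. One defensive workaround is to filter on the threat ID at the notification layer rather than at the firewall. The following Python is an added example written for this thread, not code from Palo Alto Networks or from any poster; the log field layout, the threat names and all IDs other than 86680 are constructed placeholders, not the vendor's documented column order.

```python
import csv
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Field layout for the constructed sample below. This is an assumption made for the
# example; real PAN-OS THREAT logs carry many more columns in a different order.
#   time, type, subtype, src, dst, threat_name(id), severity, action
FIELDS = ["time", "type", "subtype", "src", "dst", "threat", "severity", "action"]

# Constructed sample log lines. Threat names are placeholders; 86680 is the ID from
# this thread, 12345 and 67890 are made-up IDs used only for contrast.
SAMPLE_LOGS = [
    "2024-01-10 09:12:01,THREAT,spyware,10.0.0.5,198.51.100.10,PLACEHOLDER-GMAIL-SIG(86680),critical,alert",
    "2024-01-10 09:12:03,THREAT,spyware,10.0.0.7,198.51.100.11,PLACEHOLDER-GMAIL-SIG(86680),critical,alert",
    "2024-01-10 09:12:05,THREAT,vulnerability,10.0.0.9,203.0.113.7,PLACEHOLDER-EXPLOIT-SIG(12345),critical,reset-both",
    "2024-01-10 09:12:09,THREAT,spyware,10.0.0.5,203.0.113.8,PLACEHOLDER-BEACON-SIG(67890),medium,alert",
]

# Threat IDs the vendor has acknowledged as false positives and is still fixing.
# Keep this set small and review it with every content release so a real hit on a
# later-corrected signature is not silently dropped.
KNOWN_FALSE_POSITIVES = {86680}

# Threat field looks like "Name(1234)"; capture the trailing numeric ID.
THREAT_ID_RE = re.compile(r"\((\d+)\)\s*$")


@dataclass
class ThreatRecord:
    time: str
    subtype: str
    src: str
    dst: str
    threat_name: str
    threat_id: Optional[int]
    severity: str
    action: str


def parse_threat_id(threat_field: str) -> Optional[int]:
    """Extract the numeric ID from a 'name(id)' threat field; None if absent."""
    m = THREAT_ID_RE.search(threat_field)
    return int(m.group(1)) if m else None


def parse_line(line: str) -> ThreatRecord:
    """Parse one CSV-style threat log line using the assumed FIELDS layout."""
    row = next(csv.reader([line]))
    if len(row) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(row)}: {line!r}")
    rec = dict(zip(FIELDS, row))
    return ThreatRecord(
        time=rec["time"],
        subtype=rec["subtype"],
        src=rec["src"],
        dst=rec["dst"],
        threat_name=rec["threat"],
        threat_id=parse_threat_id(rec["threat"]),
        severity=rec["severity"].lower(),
        action=rec["action"],
    )


def should_notify(rec: ThreatRecord, suppressed=KNOWN_FALSE_POSITIVES) -> bool:
    """Page on Critical events only when the ID is not an acknowledged false positive."""
    return rec.severity == "critical" and rec.threat_id not in suppressed


def triage(lines: List[str], suppressed=KNOWN_FALSE_POSITIVES) -> Tuple[List[ThreatRecord], Dict[int, int]]:
    """Split lines into records worth notifying on and a per-ID count of suppressed hits.

    Suppressed hits are counted, not discarded, so the volume of the false positive
    stays visible on a dashboard while the e-mail rule stays quiet.
    """
    notify: List[ThreatRecord] = []
    suppressed_counts: Dict[int, int] = {}
    for line in lines:
        rec = parse_line(line)
        if rec.threat_id in suppressed:
            suppressed_counts[rec.threat_id] = suppressed_counts.get(rec.threat_id, 0) + 1
        elif should_notify(rec, suppressed):
            notify.append(rec)
    return notify, suppressed_counts


if __name__ == "__main__":
    to_page, counts = triage(SAMPLE_LOGS)
    for r in to_page:
        print(f"NOTIFY {r.time} {r.severity} {r.threat_name} {r.src}->{r.dst} action={r.action}")
    for tid, n in counts.items():
        print(f"suppressed threat ID {tid}: {n} hit(s)")
```

Run against the constructed sample, only the 12345 event is handed to the e-mail rule, while the two 86680 hits are tallied under the suppressed counter. The suppression set should be treated as temporary: once the content release notes show the signature corrected, remove the ID so a genuine detection with that number is paged again.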
Raising a support case assumes they are working on it, although I haven't heard much back on mine. Out of interest, what version of PAN-OS are you all on? I'm on 11.01-h2 and am wondering if it is only affecting a smaller number of customers because of a specific PAN-OS version. Otherwise there would be more activity on this community discussion.
We are using 11.0.2-h1. The low number of customers reporting this issue may also be due to the Trusted Traffic to Google policy being configured in the firewall.
We only see this behavior when traffic to Google is processed through SSL interception. When the traffic is defined as trusted (undecrypted), the firewall is silent about this ThreatID 86680. I'm not an expert, but I think the definition of a threat depends on the characteristics of the network packets. So I can't imagine that different versions of the OS could detect this traffic in different ways, especially from the same manufacturer.