About santonic

If the brute force attempt was made over network (RDP) and traffic passed through firewall, then yes.   ... View more

Can you find any logs for the period where the charts aren't continuous? I'm pretty sure the reason for hole in your chart is that there aren't any logs for that period.  Now the question is why there aren't any logs. If it wasn't case of HA cluster member switch then maybe there wasn't any traffic there for some reason during that period? ... View more

Ok, i don't know exactly how chrome remote desktop works.   But i'm guessing it's similar to TeamViewer where client connects to central server? In that case TCP connection goes only from client to internet server, but later desktop sharing can work in both ways. So you can't block TeamViewer only in one direction.   If it works in different way with both sides starting (TCP) connections, then you would have to allow connections from internet to local network, and made an apropriate NAT rule as well. So you can block it simply by not allowing this traffic. However this would limit the use of application a lot. So I'd say it works similar to TeamViewer and you can't block it only in one direction. Just guessing tho.   ... View more

Thank you for your answer, it definitelly helps.   But I'm still hoping for some feedback if anyone has actually tried this and what were the results. Because i don't have an evnironment where i could test this.     ... View more

You said: "The inside interface on PA is connected to a trunk on a switch and all the traffic to PA is untagged" But trunk always has tagged traffic. Otherwise trunk can't work.   So DHCP requests should arrive with correct VLAN tag and you can use subinterfaces. Actually you must use subinterfaces in this scenario otherwise only untagged (or vlan 1) traffic will be receieved by PA.     ... View more

Active cluster member switched? ... View more

Nice, creative! I don't have any experience with this but tempted to try. 🙂   ... View more

Can you please check if you have denied unknown-udp sessions dropped on high UDP ports towards Microsoft public IP addresses?   I have found a situation where skype and skype-probe is allowed with application rule, TCP 443 is allowed as service (in seperate rule ofc) and Skype still isn't working. I've noticed connection towards Microsoft IP addresses on high UDP ports 'recognised' as unknown-udp and of course dropped. Skype should be working without having to allow unknown-udp session.   Anyone else has similar problems with Skype? ... View more

So nobody managed to send 'flood' event to syslog? ... View more

Is it possible to send flood event to syslog server now, 4 years later?:)   ... View more

Yeah, signatures which check protocol compliance can still work. But a short answer would be: if you want to check an encrypted session for possible threats, you have to decrypt it. ... View more