This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

About santonic

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
santonic
‎10-01-2025
since ‎01-26-2011
L6 Presenter
User Activity
User Profile
Latest posts by santonic
View All
User Badges
Community Statistics
Member Since ‎01-26-2011 05:56 AM
Date Last Visited ‎10-01-2025 11:34 PM
Posts 677
Total Likes Received 193

Re: Logical conditions in custom IPS signatures

by in Automation/API Discussions
‎05-11-2015 04:05 AM
‎05-11-2015 04:05 AM
Nevermind this, the configuration was correct, my diagnostics weren't. ... View more

Logical conditions in custom IPS signatures

by in Automation/API Discussions
‎05-05-2015 04:32 AM
‎05-05-2015 04:32 AM
Hello. I need some help with logical conditions in custom IPS signatures definitions. I've made a set of custom IPS signatures for browser identification based on user agent strings. the were working ok, but recently MS decided that IE will not include string MSIE in some cases. So I'm making a new signature which will try to find MSIE or Trident (a string which only IE of major browsers uses). Currently I have old signature which searches for MSIE and is working ok: Now I made a new signature which should trigger on MSIE OR Trident string: But the second signature never triggers. Why? It should trigger on the same user agent strings as first one and more. I'm also curious if some other ppl are trying to make (and maintain) browser identification signatures. Or if someone knows a trustworthy source of regular expressions for user agents. ... View more

Re: Cleaning up rules

by in General Topics
‎04-16-2015 01:38 AM
2 Kudos
‎04-16-2015 01:38 AM
2 Kudos
Download Migration Tool 3 ... View more

Re: Palo alto fitrewall that it does not take decision upon first packet while other firewalls take..

by in General Topics
‎02-23-2015 04:32 AM
‎02-23-2015 04:32 AM
Depends how you configure rules. Let's say you want to allow web browsing. Option A: rule allows web-browsing on any port. PA has to allow enough traffic on any destination port to make sure if the session is web-browsing before it can make a decision. So for TCP you can do 3-way handshake on any destination port and traffic will go through until PA notices it's not web-browsing session. Option B: rule allows web-browsing only on application-default ports. PA has to allow enough traffic on destination port 80 to make sure if the session is web-browsing before it can make a decision. Traffic on any other destination port will be dropped before it finishes 3 way handshake (already SYN packet will be dropped). ... View more

Re: Blocking youtube

by in General Topics
‎01-06-2015 06:52 AM
1 Kudo
‎01-06-2015 06:52 AM
1 Kudo
Unfortunately neither of those solutions works (without SSL decryption). I have youtube application blocked, all streaming media blocked with URL filtering, youtube.com in URL block list and youtube still works. It is recognised as SSL application and goes to an URL which is categorised as 'search-engines'. I'll try to catch this URL and add it to block list.  ... View more

Re: PPTP NAT and site-to-site IPSEC VPN on same IP address

by in General Topics
‎12-15-2014 11:28 PM
‎12-15-2014 11:28 PM
PPTP includes TCP session on port 1723 and GRE session. Yes, I can make more specific NAT rule for TCP session. But I can't use application or protocol in NAT rule so I can't make specific NAT rule for GRE. I also can't make no-NAT rule to prevent NAT for VPN tunnels as it also uses ESP which can't be used in NAT policy. ... View more

Re: PPTP NAT and site-to-site IPSEC VPN on same IP address

by in General Topics
‎12-15-2014 04:57 AM
‎12-15-2014 04:57 AM
A bit more complications: yes i know I can make a no-nat rule above the mentioned DNAT rule for known VPN endpoints. But a couple of VPN endpoints will have dynamic IP addresses ... View more

PPTP NAT and site-to-site IPSEC VPN on same IP address

by in General Topics
‎12-15-2014 04:53 AM
‎12-15-2014 04:53 AM
Hello. I'm doing a firewall migration where i encountered a following situation: - customer has site-to-site VPNs terminated on public IP address, let's say 1.1.1.1 - customer is using PPTP VPN solution which is also terminated on same IP address 1.1.1.1 and DNAT-ed to PPTP server, let's say on address 10.10.10.10 - on current fw they have a DNAT rule for just TCP 1723 and GRE protocol which translates packets with destination 1.1.1.1 to 10.10.10.10 But as PA doesn't support use of GRE (protocol or application) in NAT rules i have to make a more general rule which translates every packet coming to 1.1.1.1 to 10.10.10.10 Will site-to-site VPNs terminating on PA on IP address 1.1.1.1 still work in such scenario? Or will they be forwarded to PPTP server? Best regards, Simon ... View more
Labels:

Re: Error: Threat database handler failed (Module: device)

by in General Topics
‎11-05-2014 06:45 AM
1 Kudo
‎11-05-2014 06:45 AM
1 Kudo
I've found another weird situation when I get the same error message. I was testing DLP. After I finally managed to get rid of "pattern must be at least 7 bytes" configuration check I tried to commit the configuration. but I got "Error: Threat database handler failed  (Module: device) Commit failed." message. I've tried reverting threat database, upgrading, reinstalling... but nothing helped. Then I deleted my "Data Filtering" profile and "Data Patterns" object and commit was succesful. There is probably a configuration check missing and the commit fail message is a bit misleading. Or is it just a bug. Btw this happened on PAN-OS 6.1. ... View more

Re: URL filtering - incosistency with online BrightCloud database

by in General Topics
‎11-04-2014 06:02 AM
‎11-04-2014 06:02 AM
Restarting device-server solved the issue. Thanx! ... View more

URL filtering - incosistency with online BrightCloud database

by in General Topics
‎11-04-2014 01:27 AM
‎11-04-2014 01:27 AM
Hello. A while ago website www.rk-celje.si was recognised as malware-site. But in last couple of months the website seems to be clean and online BrightCloud lookup (URL/IP Lookup | Webroot BrightCloud) recognises it as 'Trustworthy' and categorizes it correctly as 'sports' But PA device using BrightCloud for URL filtering keeps saying it's malware-site. I've tested it with 2 version of URL filtering database and I've cleaned URL cache every time. Why is the categorisation wrong? Is PA overriding BrightCloud info when they find some malware? If so why don't they report that info back to BrightCloud as well? xyc@PA-3020> show system info | match url url-db: brightcloud url-filtering-version: 4394 xyc@PA-3020> test url www.rk-celje.si www.rk-celje.si malware-sites (Base db) xyc@PA-3020> xyc@PA-3020> show system info | match url url-db: brightcloud url-filtering-version: 4405 xyc@PA-3020> test url www.rk-celje.si www.rk-celje.si malware-sites (Base db) xyc@PA-3020> clear url-cache all All entries in URL cache removed! xyc@PA-3020> test url www.rk-celje.si www.rk-celje.si malware-sites (Base db) xyc@PA-3020> ... View more
Labels:

Re: IPS - new signature's action set to default instead of the action specified in rule

by in General Topics
‎11-03-2014 06:11 AM
‎11-03-2014 06:11 AM
tshiv We did some testing and we found out that rule order does matter in IPS profile. So if a signature matches 2 rules, the action will be set by first rule it hits, matching the rules from top to bottom. ... View more

Re: FTP session logged as 2 TCP sessions

by in General Topics
‎10-30-2014 07:17 AM
‎10-30-2014 07:17 AM
Thanx all for your replies, they've been really helpful. ... View more

Re: FTP session logged as 2 TCP sessions

by in General Topics
‎10-30-2014 12:55 AM
‎10-30-2014 12:55 AM
hshah Thanx for your info. Yep, to me it looks as well like the sessions are in pair. But session IDs are different. So I'm still worried the data sessions will be blocked. I don't have info about FTP server, i'll check with the client where the issue appears. Do you know if PAN supports multiple DATA sessions back or only looks for 1? lewis You saw data sessions (with source port 20) to internet and they were allowed despite the fact you didn't have such traffic allowed with rule? ... View more

Re: FTP session logged as 2 TCP sessions

by in General Topics
‎10-29-2014 12:31 AM
‎10-29-2014 12:31 AM
Ok, I understand about PREDICT sessions, but we all agree those shouldn't be seen in traffic logs? And I agree I shouldn't have to create a rule for traffic back, but in that case the session back in logs will be blocked? And Session IDs for pair of such connections are different. Here is the screenshot of such sessions for easier understanding: Another thing: for the security zone where the FTP server is we have a zone protection profile which doesn't reject Non-SYN TCP sessions and bybasses Asymmetric Paths. But the mentioned FTP traffic isn't asymmetric so this zone protection profile shouldn't have any influence on these sessions. ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎10-01-2025 11:34 PM
Likes Given To
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks