Hi, I have a PA3020 installed and operational in my environment. I have a vulnerability profile (using "default" actions for detected threats) created and applied to a security policy that covers all zones. I decided to do some testing and simulate an attack using metasploit. Based on my results, I have a couple of questions: I "compromised" several workstations and installed a meterpreter and was able to establish sessions back to my outside "attacker machine". Contrary to expectations, my PA device did not detect anything relating to my attack... I was quite surprised. Is this normal behavior? Have I grievously mis-configured the PA device? I also conducted an SSH brute force password attack. My PA device did see and correctly classify this attack, but the default action is "Alert". Why would it allow such traffic? Why not "Drop" or "Deny" traffic that is obviously malicious? Any help is greatly appreciated. M