About HULK

Hello Cos, Since, this is a active passive setup ( you will not be able to connect to internet through data-plane interface, until a fail-over happened ) , you may configure the mgmt interface of the passive firewall to reach internet. And, then retrieve the support license from the license server. Once, support license will be updated, you can upload remaining license manually/retrieve from server. Hope this helps. Thanks ... View more

You are absolutely correct. Thanks ... View more

Hello AMacaronis, Please apply below mentioned  CLI command to identify the memory on your PAN-500 firewall. Example: PA-500 with 2 GB RAM on the management-plane: admin@PA-500> show system resources Mem:   2028576k total  >>>>>>>>> It's a 2 GB Memory ,  1193104k used,  Swap:  2008084k total,        0k used Hope this helps. Thanks ... View more

Hello ascit, The PAN OS version 6.1.2 is expected to be released during the week of February 2, 2015. Thanks ... View more

Hello Networkadmin, As per my opinion, i would suggest you PAN OS version 6.0.7 or 6.0.8. These are pretty stable and no major issue has been reported so far. Thanks ... View more

Hello Hardik, Even in latest code, we have removed the SSL v3 from the code for management connection including GlobalProtect gateway, GlobalProtect portal, and Captive Portal. There is no such option or button to enable/disable SSL V3. Secondly, if you create a custom signature to block SSL V3 connection and the client keep initiating SSL V3 connection,  then you will not be able to establish a connection, which would be a major black-hole. So, custom signature would not be a recommended solution for production environment. Hope this helps. Thanks ... View more

One more related link: Palo Alto Networks Product Vulnerability - Security Advisories Look into the SSL 3.0 MITM Attack (CVE-2014-3566) Thanks ... View more

Hello Tac.in, The above mentioned  vulnerability CVE-2015-0310 is related to adobe flash file. Hence, those TID's are for CVE-2015-0310. Virus/Win32.generic.jqwhx Signature ID: 1270152 Content Release: 1473 (1/27/2015) Signature Type: Virus Virus/Win32.generic.jqwhg Signature ID: 1270151 Content Release: 1473 (1/27/2015) Signature Type: Virus Virus/Win32.generic.jqwfx Signature ID: 1270170 Content Release: 1473 (1/27/2015) Signature Type: Virus Hope this helps. Thanks ... View more

Hello tac.in, PAN is having coverage for below mentioned threat ID. TID: 1270152 TID: 1270151 TID: 1270170 We will add IPS signatures with content database version 483, along with coverage for CVE-2015-0311. Hope this helps. Thanks ... View more

Hello Choff123, PAN is aware of this vulnerability. This has been notified On Tuesday, January 27th, a Linux Remote Code Execution Vulnerability was discovered in the GetHost function in certain Linux distributions.  This is also known as the "GHOST glib gethostbyname" buffer overflow vulnerability, (CVE-2015-0235). Our existing signature with TID# 30384 should protect against this vulnerability. https://threatvault.paloaltonetworks.com/Home/ThreatDetail/30384 SMTP EHLO/HELO overlong argument anomaly Signature ID : 30384 Description: This anomaly would be triggered when an overlong parameter is sent to the HELOcommand of SMTP protocol. Some servers such as Tabs Laboratories MailCarrier2.51 might be prone to an overflow vulnerability while parsing the craftedrequest.A successful attack could lead to remote code execution with the privileges of the current logged-in user. Severity high Category code-execution Default action alert CVE CVE-2004-1638 Hope this helps. Thanks ... View more

Hello x, It would be difficult to isolate the issue from above mentioned description. There could be many reasons, while traffic was not through the PAN firewall. I would suggest a few things to check if there would be another occurrence of the same issue. In the GUI --> Traffic log, you may use filters like ( addr.src in IP_ADD_OF_THE_TESTING_PC [public IP]) and ( addr.dst in IP_ADD_OF_THE_DESTINATION ) to check the security policy that the traffic hitting. Also you can check the real time session in the CLI by using 'show session all filter source IP_ADD_OF_THE_TESTING_PC destination IP_ADD_OF_THE_DESTINATION'. >  If there is an session exist for the same traffic,  then please apply  CLI command PAN> show session id XYZ   >>>>>>>> to get detailed information about that session, i.e NAT rule, security rule, ingress/egress interface etc. >  verify the global counters, if a specific "DRP" counter is increasing rapidly. The command show counter global provides information about the processes/actions taken on the packets going through the device; if they are dropped, nat-ed, decrypted etc.  These counters are for all the traffic going through the device and are useful in troubleshooting issues; like poor performance, packet loss, latency etc. It is advised to use the command show counter global filter packet-filter yes delta yes in conjunction with filters to obtain meaningful data. For more information, you can follow the DOC What is the Significance of Global Counters? > You can enable FLOW BASIC feature to understand the exact reason behind the failure: > debug dataplane packet-diag clear all > debug dataplane packet-diag set filter match source  IP_ADD_OF_THE_TESTING_PC destination IP_ADD_OF_THE_DESTINATION > debug dataplane packet-diag set filter match source IP_ADD_OF_THE_DESTINATION destination  IP_ADD_OF_THE_TESTING_PC > debug dataplane packet-diag set log feature flow basic > debug dataplane packet-diag set log feature tcp all > debug dataplane packet-diag set filter on > debug dataplane packet-diag set log on ~~~~~~~~~~~~~~~~ Initiate traffic through the PAN firewall/try to browse a website ~~~~~~~~~~~~~~~~~~~~~~~~~ > debug dataplane packet-diag set log off > debug dataplane packet-diag aggregate-logs > less mp-log pan_packetdiag_log.log For more information, you can follow the DOC: Packet Capture, Debug Flow-basic and Counter Commands Hope this helps. Thanks ... View more

Hello x, The license would not force the device to stop logging traffic. Could you please check the security rule, whether logging option is enabled there..? Example: Hope this helps. Thanks ... View more

Hello Networkadmin, I do understand your query The PAN-DB classification engine is based on machine learning, so we can and are constantly tweaking the individual category models to improve.  In regards to URLs that are categorized as spyware, this is usually due to the fact that WildFire has detected malicious activity to/from this domain. Hence, we keep updating our database based on the wildfire result too. A related discussion for your reference: Suspicious DNS Query ad nauseam Thanks ... View more

Hello tbloyer, FYI. PA-7050 PA-5060 PA-5050 PA-5020 PA-4060 PA-4050 PA-4020 PA-3050 PA-3020 PA-2050 PA-2020 PA-500 PA-200 Max SSL inbound certificates 4,000 1000 300 100 300 300 25 25 25 25 25 25 25 Thanks ... View more