This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About cenders

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
cenders
‎04-21-2024
since ‎07-12-2011
L3 Networker
User Activity
User Profile
Latest posts by cenders
View All
User Badges
Community Statistics
Member Since ‎07-12-2011 07:50 AM
Date Last Visited ‎04-21-2024 10:10 PM
Posts 56
Total Likes Received 6

Re: Multiple versions needed to access different portals

by in GlobalProtect Discussions
‎04-21-2024 06:49 PM
‎04-21-2024 06:49 PM
The latest Global Protect VPN client can access all lower versions of Palo Alto firewalls.  The agent does not need to match the PanOS of the firewall you are connecting to. ... View more

Re: SMTP Brute Force - different source IPs

by in Custom Signatures
‎10-13-2022 03:47 PM
1 Kudo
‎10-13-2022 03:47 PM
1 Kudo
Sorry, I'm slow... I haven't had time to investigate your proposed solution. ... View more

SMTP Brute Force - different source IPs

by in Custom Signatures
‎08-10-2022 06:56 AM
1 Kudo
‎08-10-2022 06:56 AM
1 Kudo
The scenario I am seeing is SMTP brute force attempts against a username, but each time the source IP address is different, I guess they are using a botnet.  Exchange will tarpit the IP for 30 seconds for the failed authentication, but it doesn't matter as the next attempt comes from a different IP address.   Can someone suggest a custom signature, or modification to the existing smtp signature to stop these types of attempts (blacklist the IP).  The accounts eventually lock out as a result.   Second scenario is login attempts against usernames that no longer exist... I'd love to maintain a list of ex-employees and then blacklist any IP which tries to authenticate against one of them. ... View more

URL Block / Continue on SSL - doesn't continue, page just refreshes.

by in General Topics
‎09-02-2020 12:49 PM
‎09-02-2020 12:49 PM
I have a "continue" policy set on newly registered domains category.  If I visit a site with https I see the continue page but upon clicking continue the block page just refreshes (the guid in the address bar changes).     If I visit the site without SSL, the block page appears, and clicking continue will correctly take me to the site.   What have I misconfigured?  I do not have SSL Decryption set up in general and did follow the KB article "How to Serve a URL Response Page Over an HTTPS Session Without SSL Decryption" and I am not getting any sort of cert error. ... View more

Re: Phone calls random failing to connect at remote locations - Cisco Call Manager

by in General Topics
‎04-17-2020 11:38 AM
‎04-17-2020 11:38 AM
Thank you, this also solved the problem for our network as well.  Moving away from an MPLS to a VPN and calls couldn't exit the remote site.  Calls to the remote site worked fine.  Changing to UDP worked great. ... View more

Re: MS O365 ip address range

by in General Topics
‎02-19-2020 02:42 PM
1 Kudo
‎02-19-2020 02:42 PM
1 Kudo
I thought I'd comment for anyone reading this who doesn't have the systems to implement Mindmeld, and is looking for an on-prem Windows solution.   Microsoft has a powershell method of getting the latest o365 IP Addresses into a text file. You can then host that file on an IIS server, script Powershell to keep it up to date and point a PAN EBL at this file.  Works great.  One catch, the Microsoft Powershell script puts CR-LF at the end of each line and apparently EBL can only handle LF.  So you'll need to edit the powershell script and add this line after the out-file statement:   (Get-Content $datapath -Raw).Replace("`r`n","`n") | Set-Content $datapath -Force      That will replace the CRLF with just LF.   Script from MS is here https://docs.microsoft.com/en-gb/Office365/Enterprise/office-365-ip-web-service#example-powershell-script   ... View more

Re: Credential Phishing with credential submission method as Use Domain Credential Filter

by in General Topics
‎06-18-2018 03:36 PM
‎06-18-2018 03:36 PM
I'd like to know the same, for I'd like to implement but I don't want to set up an RODC for the sole purpose of supporting this. ... View more

Re: Palo Alto Networks recommends deferring upgrades until March 1

by in General Topics
‎02-29-2016 12:54 PM
2 Kudos
‎02-29-2016 12:54 PM
2 Kudos
I suspect that is due to Feb 29th leap year?  My downloads fail with:     ValueError: day is out of range for month Failed to load into software manager. Please retry. Post processing failed. Please retry.   ... View more

Re: Blocking WORD docs which contain macros

by in General Topics
‎09-14-2015 08:08 AM
‎09-14-2015 08:08 AM
The macros inside these malicious word docs are password protected, so I'd have to look for a string blocking all macros, of which I don't know how to do.  There is text inside each of these word docs that tries to make the user click the to disable extended security, so maybe I can scan for those words instead of looking for macros. ... View more

Blocking WORD docs which contain macros

by in General Topics
‎09-11-2015 09:28 AM
‎09-11-2015 09:28 AM
In the course of a regular day, it is not uncommon to receive regular legit word documents from people via email.  However, increasingly we are getting documents pretending to be resumes, and the .doc file contains macros.  Our version of Word 2013 treats these as protected documents and the macros do not auto open like the malicious user intended. However, the content of the word document tries to trick our end user into clicking the "allow content" button.  Even if they do click, our firewall is blocking the attempted EXE download.  However, should the next round of word documents get more clever and change the download into something without an extension (possibly renaming during the download?) then I'd like to investigate the option of preventing Word documents with Macros from coming in through the firewall.   Is that possible using a data filter?   Corbett. ... View more

Re: Guest Access via Captive Portal - problem with page not always appearing

by in General Topics
‎02-04-2015 01:24 PM
‎02-04-2015 01:24 PM
For testing purposes, does anyone know if I can configure the captive portal to be HTTP instead of HTTPS? ... View more

Re: Guest Access via Captive Portal - problem with page not always appearing

by in General Topics
‎02-04-2015 09:38 AM
‎02-04-2015 09:38 AM
Here is a capture of my security rules regarding the guest network, in case that helps. ... View more

Re: Guest Access via Captive Portal - problem with page not always appearing

by in General Topics
‎02-04-2015 08:26 AM
‎02-04-2015 08:26 AM
Tijl, along the lines of your thinking with regards to HTTPS, I have read elsewhere that Apple's "Captive Network Assistant" has issues where the portal is HTTPS.   Apple's initial HTTP GET request (for the success.html) then being redirected to an HTTPS captive portal is the problem here.  But who in their right mind would have a captive portal that isn't HTTPS?   I guess if I use wifi isolation (preventing wifi clients from talking to each other) could a sniffer still see plain text credentials of the portal?  It would be easy to then sniff the portal password from other clients. ... View more

Re: Guest Access via Captive Portal - problem with page not always appearing

by in General Topics
‎02-04-2015 08:03 AM
‎02-04-2015 08:03 AM
Hardik, I don't want to whitelist the Apple URLs because I want the Apple device to correctly open the CP upon trying to join the Wifi network.  I have seen other CP solutions work just fine with Apple devices, I'm lost trying to figure out why it isn't working 100% with Palo Alto. ... View more

Re: Guest Access via Captive Portal - problem with page not always appearing

by in General Topics
‎02-04-2015 07:59 AM
‎02-04-2015 07:59 AM
Tijl, I think the problem started with iOS 7 and anything above.  Current iPad I'm testing with is running 8.1.3.  I do have security rules related to the captive portal, such as allowing DNS without requiring identity and regular http and https traffic for "known users" (which forces the CP).  I have a captive portal rule with "web-form" as the action for http and https.  I think the setup is fine as I don't seem to have a problem with windows based computers going through the CP. ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎04-21-2024 10:10 PM
Likes Given To
View All
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks