About fhu_omi

Hi @aleksandar.astardzhiev ,   this does not work see kb https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFQCA0 is written: When multiple group-mappings are configured with same base dn or ldap server, each group-mapping must include non-overlapping groups i.e include group list must not have any common group.   But for test purpose, you need to considering, that not every web serivce is protected by the user credential protection. If the traffic is classified as one of the following services, then user credential prevention does not pop in: https://live.paloaltonetworks.com/t5/customer-resources/trusted-app-ids-that-skip-credential-submission-detection/ta-p/183595   i test on facebook login site, which is protected by the pan user cred prevention. i have a UPN estuser1@testdomain.com and SAM testuser1.   And PAN blocks as soon the string testuser1 is seen in a username field:   testuser1 -> detected testuser1@ -> detected testuser1@testdomain.com -> detected testuser1@blabla.com -> detected testuser12 -> not detected testuser12@ -> not detected   i looks like, the domain is not checked for this Group Mapping credential submit method. I need now to setup a RODC to check the behaviour with the Domain Credential Filter method.   Kind regards ... View more

Hi @KanwarSingh01,   The usecase is, that we saw on firewall dns request which where sinkholed. Now we need to know which process was the cause. We nailed it down to the svchost.exe dnscache, but we need process which made the dns request to svchost.exe dnscache. As i understand, if a process is programmed to use the api call DnsQueryEx, then is no svchost.exe involved and Cortex XDR is able to show direct the right process.   Kind regards FH ... View more

Dear @etugriceri  I will test it, then we will see if there existing modules will cover this pointer vulnerability. There is a test program out now: https://pythonrepo.com/repo/kimusan-pkwner ... View more

Hi @NathanielM ,   as in the other articel is writen, it depends on the DNS Split Tunnel Feature setting. It is not written how it depends, but if you read this article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBJ5CAO&lang=en_US%E2%80%A9 maybe you find the right Split Tunnel Option. I can not test, but i have a customer with the same problem. I have to test this also with that customer, if he has time. ... View more

Hi,   With GP 5.2 and higher you should not have anymore Problems, see: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008UNoCAM ... View more

Hello,   Is there a possibility to extend the xql search to the firewall logs "Session end reason"? Because, if i see sesssion end reason Threat, then i'm not interested because it is blocked. But in the xdr_data dataset is the session end reason not present. How can Cortex XDR stiching the Agent Logs togther with the firewall logs? Do they build a key in both datasets, like time, srcIP,dstIP, srcPort,dstPort,Protocol?   ... View more

Hi All, i would provide you the secure solution, because LLMNR enabling is not a good idee-> https://attack.mitre.org/techniques/T1557/001/ We have been working with Microsoft and PAN for several months. Enabling LLMNR should not be enabled from a security perspective, so this is not the solution.   If LLMNR was disabled via GroupPolicy, mDNS was also disabled. This error was corrected with KB5001330 with two independent reg keys. However, if LLMNR was disabled before KB5001330, mDNS was implicitly disabled as well. With the KB5001330 install, LLMNR remained disabled by GP policy, but mDNS was re-enabled and caused the GlobalProtect problem.   With this settings you are save from the LLMNR Security flaw and GP is connecting fast: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMDNS                              REG_DWORD=0 (Off)   Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast                        REG_DWORD=0 (Off)   Have a nice day ... View more

Hi all Panorama Users,   Important to know is, that address groups are not valid in the exlcude section without a trick for devices managed by panorama.   The issue is related to the usage of the address group in the exclude list. The exclude list is not one of the areas where Panorama considers the address group to be used. Therefore, it is expected for the push to fail if this group is not referenced elsewhere. When the option "Share Unused Address and Service Objects with Devices" under panorama settings is unselected, then the shared objects/group will not be sent to the device. As a result, the commit on the device will fail.   To resolve this issue, you have two options: 1- Configure the Subnets directly on the exclude list.-> not prefered, because maintaining could be worse if you have multiple settings with that IPs 2- Configure the individual address objects on the exclude list. - If push fails, enable/check the "Share Unused Address and Service Objects with Devices”, then commit and push. Panorama > Setup > Management > Panorama Settings -> Depends on the box limit of Object count, if you can use this solution 3-prefered in my eyes: - Configure a dummy security rule in panorama to the bottom of the policy, where it will never be used, and add to this rule the address group. -> This forced the panorama to push the address group to the firewall - Commit and push. Only to the device group which is desired to use this address group in splittunneling. (Edit selection and choose the target device group, then push). - Check firewall and make sure the dummy rule is added successfully to the security policies. - Add the address group on GP gateway, in the Exclude area. - Commit to the panorama, then Commit and push, to the target template Stack.   happy firewalling ... View more