About mr.linus

I think you are confusing a v-wire setup with a tap setup. In v-wire you have:  client -- vwire --- PA --- vwire --- server Tap mode is just a mirror port. so its: client --- server and the PA is just listening to all traffic. No action can be taken. You just configure a mirror port on your switch and feed that to your PA. ... View more

Dear Please note that: using url categories in a security policy, instead of a security profile does NOT work if you do not have a license. You still need an active license to be able to use url categories. You do not need a license to use custom url categories, which you can then use in security policies as well as in security profiles. The use in policy or profile has nothing to do with license. ... View more

Dear, This will just send me the eicar test virus via email... I do not want to test Wildfire file detection. What I am looking for is a way to test the "Email Link" detection feature of Wildfire. This will investigate hyperlinks to see if the referred url is malicious. So I am looking for "fake" malware urls which will trigger the Wildfire. ... View more

Dear Amjad, And how do I create a ipv6 only rule? That is the question... ... View more

Hey Some more information on why default action is set to alert for POP3, IMAP and SMTP instead of block. * POP3/IMAP + block -> A virus mail will be blocked. BUT: You can not get a new email from this server until the virus email is deleted from the server. Because the whole POP3 session will be dropped each time you retry to retrieve you emails, since emails are not send separately with this protocol. * SMTP + block -> An SMTP 541 error message will be sent as part of the block action when a virus is detected. This will tell the mail server not to retry sending the message, allowing the firewall to drop the mail without the mail server trying to resend it. So I don't realy see why the default action would be just alert. I guess some smtp servers will not listen to these 541 error messages and keep resending the email... ... View more

Hey Marco, I think you are right here! Setting it to block for POP3 will definitely block it, but in the process "break" the POP3 account as you explained. Thank you for setting this straight. * POP3/IMAP + block -> You can not get a new email from this server until the virus email is deleted from the server. Otherwise the whole POP3 session will be dropped each time you retry to retrieve you emails. * SMTP + block -> An SMTP 541 error message will be sent as part of the block action when a virus is detected. This will tell the mail server not to retry sending the message, allowing the firewall to drop the mail without the mail server trying to resend it. So I don't realy see why the default action would be just alert. I guess some smtp servers will not listen to these 541 error messages and keep resending the email... You may also find that in the latest PaloAlto admin guide (6.1) there is no mention anymore of the "it's not possible to block POP3 virus". They just skim right over the topic and don't mention why the default action is alert instead of block for certain protocols. The default profile inspects all of the listed protocol decoders for viruses, and generates alerts for SMTP, IMAP, and POP3 protocols while blocking for FTP, HTTP, and SMB protocols. Customized profiles can be used to minimize antivirus inspection for traffic between trusted security zones, and to maximize the inspection of traffic received from untrusted zones, such as the Internet, as well as the traffic sent to highly sensitive destinations, such as server farms. ... View more

Hey Panos, I have a question regarding the config in knowledgebase document you provided (Error When Specifying a Tag for VWire Subinterfaces) Why do they not specify anything in the "Tags Allowed" field for the vwire1 and vwire2? Why not set "Tags Allowed" to 1 and 2 respectively? Is this necessary, or will adding the tag numbers here as well work but just be redundant since you configure it on the interface? Also, shouldn't 0 be added to the "Tags Allowed" for the default-vwire (so set it to: "0, 3-4094") to allow untagged traffic as well? ... View more