About LCMember2860

LCMember2860 · ‎10-09-2012

Brightcloud were completely down for several hours this morning - no URLs that had to be sent to the cloud db were resolving and I couldn't even look up URLs on their website (in the end we had to allow the "not-resolved" category to restore level of service to our users). Its supposed to be a distributed cloud based solution, I'm not impressed that they can suffer such a major failure.

LCMember2860 · ‎06-07-2012

(receive_time geq '2012/06/07 10:00:00') AND (receive_time leq '2012/06/07 11:00:00') you can also go into the ACC, choose a custom time frame and then click on the log icon, it'll generate the filter for you.

LCMember2860 · ‎05-09-2012

hopefully you're correct about PAN-OS5 - I expect app-id to take care of this for me, I don't want to have to analyse which URLs twitter (for example) uses and whitelist them. The current implementation may be effective for blocking by application, but not for allowing by application where those apps are dependent on web-browsing, this is fairly major drawback IMO. Your suggestion of allowing the twitter app and blocking other social-networking by app-filter won't work because not every social networking service is defined as an app, I'd still need to block the URL category and then I'm back to having to whitelist URLs to get twitter to work.

LCMember2860 · ‎05-09-2012

I want to allow access to Twitter, but block all other social-networking services. The obvious approach is to allow the Twitter application and then have a rule blocking the social-networking category for web-browsing and ssl, but this doesn't work, Twitter gets blocked also. In order to allow Twitter to work I have to add twitter.com and *.twitter.com to a custom category and allow this as well. Surely this defeats the point of having web based applications defined seperately, I have the same problem trying to allow Google Docs but block other file sharing apps - I have to add docs.google.com to a custom category. If I go to www.twitter.com in a browser, should the firewall not recognise this as "application: twitter"? Or am I configuring it wrong? Whitelisting URLs (particularly for backend API and content server urls) in order to get applications to work is not scalable and runs contrary to Palo-Alto's claims to be application-aware. Liam.

LCMember2860 · ‎05-04-2012

thanks Doris.

LCMember2860 · ‎05-04-2012

has 4.1.5 been withdrawn - I don't see it on the download page any longer though 4.1.4 and 4.1.6 are there. if so, why?

LCMember2860 · ‎05-03-2012

Is there any update on the issue discussed here - https://live.paloaltonetworks.com/message/7468 as mentioned in that thread, if you allow translation you can access sites in blocked categories. This is despite Google including the original URL in the translated URL. IMO the PAN firewall should be able to parse out any additional domains in a URL and filter on them - in the case of Google Translate, there is an application defined for this so it should be possible to do "if application = Google Translate, find the extra URL category and filter on that". We're moving from a Fortinet system that does exactly this, it parses out all domains in a URL and filters on the most restrictive one - PAN's URL filtering is deficient in this regard by comparison.

LCMember2860 · ‎03-30-2012

seeing a lot of sessions in the session-browser with a source ip of 0.0.0.0 (in the internal "trust" zone) - these tend to be UDP protocols, RTP, bittorrent, skype etc and the session browser shows them not matching any rule or having any bytes. Are these sessions in the process of being setup?

LCMember2860 · ‎03-09-2012

I guess this shows the level of interest in v6 I've played around with it a bit more and it appears you can mix v4 and v6 address in a security rule but not if you are doing negative matching in which case the v4 address gets ignored. Is this a bug, known behaviour, anyone?

LCMember2860 · ‎03-06-2012

that's what "alert" does and this may be applicable in a small corporate environment where you can follow up with the end-user in question In our environment we need to be able to block and unfortunately "block" in this case is not usable. As you suggest I'll request a feature enhancement.

LCMember2860 · ‎03-06-2012

is there an issue with doing this - I have a rule set to match any address except one particular IPv4 subnet (ie using the negate function) - works fine. I added an IPv6 prefix to the rule (still negated) - now the rule negatively matches the v6 address, but no longer the v4 address. Remove the v6 address from the rule and the v4 address negatively matches again. I'm therefore assuming I have to keep v4 and v6 rules separate, but I can't find this documented anywhere.... PAN-OS 4.1.3 Liam.

LCMember2860 · ‎03-05-2012

I understand why the firewall is limited in what it can do here, but that doesn't change the fact that this function is unusable in its current form - there should be some way of blocking infected POP3 messages that does not break POP3, otherwise what's the point of having the functionality? Liam.

LCMember2860 · ‎03-02-2012

a further question about AV - I applied a profile that had "action=block" for POP3 and IMAP. whilst the policy does detect the Eicar virus in incoming emails, in the case of POP3 it drops the session when the user tries to download his mail, with no notification to the end-user. Because of the way POP3 works, he then can't receive any further mails until the infected mail is manually removed from his inbox - so the "block" action for POP3 is effectively unusable (IMAP is similarly opaque but at least the end user can delete the offending mail themselves) Are there any plans to improve this function? - I appreciate the PAN firewall is not a proxy but most other firewalls I've used that offer email AV just strip out the infected attachment allowing the overall POP3 transaction to complete, whereas PAN's implementation breaks the protocol. Liam

LCMember2860 · ‎02-28-2012

I have been disabling "server response inspection" by default in all my policies as it is documented in a number of places (including independent group tests) that this improves the overall firewall performance, and I was under the impression that SRI was only useful in certain data-centre environments that do not apply to us. However while testing some policies today I notice that with SRI disabled anti-virus does not work (testing with . I suppose logically this makes sense, the virus is going to be in the server response, but I cannot find this documented anywhere - is this expected behaviour? Liam.

LCMember2860 · ‎02-28-2012

thanks

Member Since	‎11-07-2011 07:09 AM
Date Last Visited	‎11-21-2023 07:24 AM
Posts	35
Total Likes Received	2

Online Status	Offline
Date Last Visited	‎11-21-2023 07:24 AM

About LCMember2860

Re: Safe Search Enforcement

Re: big disparity between Detailed and Summary logs

Re: big disparity between Detailed and Summary logs

Re: big disparity between Detailed and Summary logs

big disparity between Detailed and Summary logs

monitor nfs via snmp

Re: API test url category

API test url category

YouTube mobile app

Re: Panorama 6.0

session browser source=0.0.0.0?

Re: Log filterting on the firewall

Re: Error in commit after upgrade to 10.1.5-h1

Re: URL categories not being resolved

Re: Log filterting on the firewall

Re: application vs url categories dependencies

application vs url categories dependencies

Re: Google Translate

4.1.5 withdrawn?

Google Translate

session browser source=0.0.0.0?

Re: IPv6 and IPv4 addresses in same security rule?

Re: Blocking & AV

IPv6 and IPv4 addresses in same security rule?

Re: Blocking & AV

Re: Blocking & AV

Anti-virus and "Server response inspection"

Re: URL-filtering response page URL variable