About kadak

Hello bgranholm, The DNS decoder does not enforce a length check for EDNS, and so the traffic should still be identified as DNS. Thanks and regards, Kunal Adak ... View more

Hello, Trying to comprehend your above statement and correct me if I wrong over here: With the same email server profile; if you keep the "Override Email Addresses" field empty - send test email option works and if you include emails addresses in the "Override Email Addresses", send test email option doesn't work? Regards, Kunal Adak ... View more

Hello Mario, If you include web-browsing in the application column and 60000-65000 in the service column, that security policy would only allow web-browsing traffic on ports 60000-65000. You would need a separate rule to allow web-browsing on its default port (80). Best would be to include web-browsing in the application column and mention all the ports in the service column (standard and non-standard ). Hope that helps! Thanks and regards, Kunal Adak ... View more

Hello Mario, Threat vault shows that we have 7 signatures for crilock - one of them is crilock.a Thanks and regards, Kunal Adak ... View more

Hello Fahad, You may want to ensure that they imported both keys. If you just imported the public key (certificate) it won't work. We need the private key to be able to be able to encrypt outbound data. Verify that the certificate you are importing is of the same key length/type and has the similar hash algorithm to the one generated by the firewall. The certificate should be RSA 2048 with SHA1 hash.  The firewall generates certificates with usage as: Digital Signature, Key Encipherment, Key Agreement, Certificate Signing, Off-line CRL Signing, CRL Signing (ae) Hope that helps! Thanks and regards, Kunal Adak ... View more

Hello jambulo, Yes this is expected for incomplete, insufficient data and non-syn-tcp.  Before the 3-way handshake completes and the session's application is detected as incomplete the security policy lookup for the session will match the first security policy which matches all attributes except application.  Once the 3-way handshake completes and the firewall sees a data packet which can be used to identify the app the session will shift the application to the appropriate value and do another security policy lookup. If a session never completes the 3-way handshake the application will stay as incomplete and the session will be logged after the timeout with the policy which the session first hit. Maybe an easier way to explain it.  When the first TCP packet is received (SYN), the firewall must setup a session.  Since the application can not be detected on a TCP session until at least one data packet traverses the device the application will be incomplete.  For the firewall to determine if it should even allow the SYN packet through it must do a security policy lookup. Because the application is not known when the SYN packet is received the application portion of the security policies can not be applied.  As a result, the security policy lookup is performed against the 6 tuples of the session, source and destination IP and port, ingress interface (actually zone) and protocol.  The first policy which matches these 6 tuples will be used to allow the SYN and any additional packets that traverse the firewall before the application is identified. Hope that helps! Thanks and regards, Kunal Adak ... View more