This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About djr

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
djr
‎12-10-2024
since ‎11-18-2011
L4 Transporter
User Activity
User Profile
Latest posts by djr
View All
User Badges
Community Statistics
Member Since ‎11-18-2011 07:49 AM
Date Last Visited ‎12-10-2024 12:32 PM
Posts 111
Total Likes Received 13

Scheduled SaaS Report

by in General Topics
‎04-24-2017 12:57 AM
‎04-24-2017 12:57 AM
I feel I must be missing something obvious with the SaaS report.  I have set a schedule up to create it weekly and if I hit "Run Now" I get the nice graphical report, but if I view the output of the scheduled run , I get a very plain tabular list of App Subcategory/App name/Bytes/Sessions/Threats.   How do I get the nicely formatted report produced on a schedule? ... View more

Re: Configuration Update Descriptions

by in General Topics
‎04-10-2017 01:08 AM
‎04-10-2017 01:08 AM
Raised an FR for this, thanks ... View more

Configuration Update Descriptions

by in General Topics
‎03-31-2017 01:59 AM
‎03-31-2017 01:59 AM
Hi all,  The commit description is potentially really useful for tracking changes and linking back to change tickets, but I can't see where I can display a list of commits with the descriptions, to review what has been done.    The configuration log shows individual changes which is good detail, and the config comparison shows the description against each version.  The task list gives a link to pop it up, but it's not a screen you can use to extract a report of all changes, or review changes applied historically (filter by date etc).   Is there  way to do this, or should I file a FR?   Thanks ... View more

Re: DNS traffic identified as sophos-live-protection

by in General Topics
‎12-22-2016 02:57 AM
‎12-22-2016 02:57 AM
Terje,   I looked into this a while back but I didn't actually look closely at the traffic content.  I don't think this is mis-categorised, sophos admit they use port 53 for their updates but don't mention that they actually tunnel it in DNS requests so I presumed the traffic was going directly between our clients and sophos until I noticed the flows were coming from our DNS server this morning.   I think I need to do some more digging because from what I can see each session transfers around 600kB, so if that means the actual signature updates are passed through the DNS servers, it may be a good reason to move away from sophos.  If they just check to see if they need updates that way, it would be less of an issue, but 600kB seems a lot just for that.   Thanks,   ... View more

Re: DNS traffic identified as sophos-live-protection

by in General Topics
‎12-22-2016 01:28 AM
‎12-22-2016 01:28 AM
Hi Terje,   I am seeing this on my network but I still think this is a mis-classification.  If it was genuine live update traffic, surely it would not be routed via our DNS servers but instead would go directly from the client to sophos?   Did you manage to confirm that genuine sophos live update traffic is still routed through the client's DNS servers?  If so, this is bad because it is putting a lot of extra load on our domain controllers and BIND servers.   Thanks David ... View more

Re: PAN-OS 7.1 change to query interpretation

by in General Topics
‎12-14-2016 09:10 AM
‎12-14-2016 09:10 AM
I raised it with support and they have confirmed it's a bug so it will be fixed in a future patch release.   Thanks ... View more

Re: PAN-OS 7.1 change to query interpretation

by in General Topics
‎12-05-2016 07:44 AM
‎12-05-2016 07:44 AM
It's a custom report in Panorama, using the Panorama Data Filtering log.  As I said, it is querying the whole filename including the suffix, it is just that the query will no longer allow me to use the "." character in the query. ... View more

Re: PAN-OS 7.1 change to query interpretation

by in General Topics
‎12-01-2016 08:00 AM
‎12-01-2016 08:00 AM
Except there is no filetype variable available in the query builder? ... View more

Re: PAN-OS 7.1 change to query interpretation

by in General Topics
‎12-01-2016 07:06 AM
‎12-01-2016 07:06 AM
I dropped the dot in the filetype to make the report work again - that's what I am posting about.  If you include the dot, the report finds no matches.  However it used to work fine in V6.1 with the dot included.  Without it, the query will match any filename with swf in it rather than only those with ".swf".  Still not perfect but more likely to be an extension than without the dot.   That's why I asked if there is a way to allow a dot in the query string now that V7.1 behaves differently ... View more

PAN-OS 7.1 change to query interpretation

by in General Topics
‎12-01-2016 04:44 AM
‎12-01-2016 04:44 AM
I have a report which has been working fine for ages then it has just stopped, possibly when we upgraded from 6.1.14 to 7.1.6 The report has just stopped returning any data, so I looked into the query string and found that one element of the query seems to be causing the problem   The original query was: ((filename contains DVD) or (filename contains dvd) or (filename contains 1080p)) and not (filename contains .swf) and (user.dst neq '')   But it works if I take the dot off the swf file extension so this works: ((filename contains DVD) or (filename contains dvd) or (filename contains 1080p)) and not (filename contains swf) and (user.dst neq '')   So that means that between v6.1 and 7.1 the dot has become significant.  I tried a couple of ways to "escape" it, but neither worked, so is there a way to allow a dot in the query string? ... View more

Re: AWS Servers trigger Vulnerability

by in General Topics
‎12-02-2015 07:06 AM
‎12-02-2015 07:06 AM
Thanks, that's what I expected and now having phrased my question correctly, my support partner is doing just that.   Regards ... View more

AWS Servers trigger Vulnerability

by in General Topics
‎12-02-2015 03:04 AM
1 Kudo
‎12-02-2015 03:04 AM
1 Kudo
We are seeing a high number of HTTP Non RFC-Compliant Response Found Signature ID : 32880  CVE-2010-2561   All are logged from aws servers, evenly distributed across a large number of servers - 173 in one hour, each with 300-500 hits.  I have packet captured the vulnerability and it is logging a seemingly innocuous XML file.   I suspect this is not a problem, but is something amazon have set up on their servers which is causing false positives against this signature.   the data returned is this: <? xml version="1.0 "?> <cross-domain-policy> <allow-access-from domain="*" to-ports="*" /> </cross-domain-policy>   It's not causing a problem, but it's showing as more than 25% of all my vulnerabilities so it's masking other issues. Do PAN watch this?  If not how do we feed back regarding signatures? ... View more
Labels:

Can't Email Monthly Reports?

by in General Topics
‎10-21-2015 01:37 AM
‎10-21-2015 01:37 AM
I can generate monthly custom reports, andI want to mail these to management but the email scheduler is only giving me the option for daily or weekly email schedules.   "Management" unfortunately aren't very keen on logging into the Palo to retrieve their reports, they want them sent.  Is there a way to schedule monthly reports? ... View more

Re: Delay with User-ID and Captive Portal

by in General Topics
‎05-15-2015 08:49 AM
‎05-15-2015 08:49 AM
Hi Amjad, OK as I said I haven't used the captive portal yet, but the point still remains, in fact that document you linked to shows the problem. I can see that logs have been written before the user is resolved, so that's after the security policy has been processed.  As the captive portal rules are run earlier than that, it is even more likely that the user won't have propagated to the database, so authenticated users will get prompted with the captive portal. ... View more

Delay with User-ID and Captive Portal

by in General Topics
‎05-14-2015 07:36 AM
‎05-14-2015 07:36 AM
HI, This is only theoretical for me as I don't use captive portal (yet) but I noticed a problem.  I am successfully authenticating pretty much all my users, but quite often I see a few flows at the start of a user session which doesn't have a user-id.  A few milliseconds later the user-id is populated, so I guess this is just down to a slight delay between the first packets hitting the firewall and the user-id coming up with an answer. This is no big deal but it made me think if I did have a captive portal to identify all unknown users, a domain-authenticated user would still find themselves presented with a captive portal login page if they fire off an HTTP request very early on in their session. Is this a known behaviour?  It seems like a bit of an issue to me.  I know my users would moan about it. Cheers David ... View more
Labels:
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎12-10-2024 12:32 PM
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks