About gwesson

gwesson · ‎06-08-2015

It's just an informational signature that TLS1.0 was used in the handshake with a CBC cipher suite: https://threatvault.paloaltonetworks.com/Home/ThreatDetail/37144 This is pretty common, as a bunch of servers still support TLS1.0, and most clients support that as well. Generally it's not any kind of attack, as the signature only exists to let you track TLS1.0 with CBC. Cheers, Greg

gwesson · ‎06-05-2015

You'll want to set that traffic with application override. It's port based so it's a lot less granular than the standard app-id process, but should get you what you need. How to Create an Application Override Policy -Greg

gwesson · ‎06-04-2015

The timeouts set are for session table utilization, and activate when a packet is received. Every new packet on that session (5-tupple of sPort, dPort, sIP, dIP & protocol) will reset the timer. The app timeouts won't apply for active connections, just idle ones. There is a risk if you increase it because the firewall still has to do extra work to remove an idle connection if your session table utilization is very high (over 80%). If you were to bump the idle time up on all your apps, and you had a big spike of new sessions, the accelerated aging mechanism would need to find the oldest idle connection and kill it so that the new session could get allocated. Compared with a normal age-out mechanism, it's much more expensive in terms of CPU. The timeouts are based on data and analysis when the apps are put in or modified. Some customers find that they need longer idle timeouts for some apps because the software that uses those apps may be different. It's generally safe to adjust them how you want, just apply logic when you're doing it so you don't cause more work for the firewall. If an application will keep a connection idle for 3 hours sometimes, bump the app timeout to around that time. Don't put it at 7 days because you know it covers the 3 hours Cheers, Greg

gwesson · ‎05-18-2015

While there's no option to actually remove a rule once a schedule expires, you can supply a schedule to a rule. If you make it non-recurring, it will only apply for the date(s) and times you specify. Objects > Schedules > New. Create one that's non-recurring, and set it for the dates you want. Now if you apply that schedule to a security rule (Actions column of the security rule, "other settings" section), then it will only apply while that schedule is active. I like the idea of a rule that actually deletes itself. It would need to be aware of multiple users, commits, Panorama pushes, etc., but the schedule may be what you need for now. You could feasibly add a tag called "temporary" or something, then you can filter by that on your security policies and delete them en masse whenever you get around to it. Hope this helps, Greg Wesson

gwesson · ‎05-18-2015

PC and Mac are both included with the basic support license, but as Amjad mentioned you do need the Gateway license if you want to get HIP reports or use either mobile app (Android or iOS). -Greg

gwesson · ‎05-08-2015

That depends on your configuration (including licensed options). If it's HTTP or SMTP, and it tripped a virus signature, chances are it didn't even make it to the client. You can go download the eicar test file if you want to see it in action. You won't get any notification over email if it was blocked as SMTP though, so it all depends on how it was attempted to be delivered to the victim. I'd recommend checking out the logs, finding whose machine it was, and looking for the file name referenced. If you find it, and the machine has not executed it, just delete the file. If it's infected with malware, then you'll need to revert to a backup before the infection or remove it from wherever it is in terms of the malware itself. -Greg

gwesson · ‎05-08-2015

The ACC will show results based on the currently selected filter. The default is Last Hour, but that also depends on what you've drilled into. In the upper-right corner, there are several icons: In order, they are: Traffic Log; Threat Log; URL Filtering Log; Data Filtering Log; and HIP Match Log For this, I'd recommend hitting either Traffic or Threat, and then you can see all the details about it. As for the name, there are tons of vendors who all have different names for the amazing amount of unique malware (tens of millions at least). Naming them can become pointless after a while.Generally if it's listed as "generic", it's one of many, many files that behave maliciously but don't stand out as something that has a unique name. More times than not, it came from WildFire, where we look for malicious activity rather than try to give each file its own identity. That said, you can always check the Threat Vault: https://threatvault.paloaltonetworks.com/ Searching for 3130952 gives: https://threatvault.paloaltonetworks.com/Home/VirusDetail/3130952 In this case, it has details on four separate files we collected from various sources (possibly including the one you caught). The SHA-256 and MD5 links take you to the WildFire report, showing you all the details about it. Hope this helps! Greg Wesson

gwesson · ‎05-05-2015

You could always configure a special security rule for that application, and don't assign a security profile to it. It would need to be above any more generic rule that application would match, to prevent it from getting hit by the wrong rule. Policies > Security > Add Configure the application to be the one you don't want to get details on Do not select any profiles (unless you still want to do virus scanning, etc.) Select logging as desired (none, or the default of log at session end) -Greg Wesson

gwesson · ‎04-30-2015

To add some color to rsriramoju's statement, we don't supply specific details most of the time because that is part of our detection algorithm. Generally speaking, a domain is categorized as malware when there are malicious files hosted at the domain, a piece of malware makes calls to that domain, or similar actions. More times than not I've seen a malicious file hosted on a compromised server on the domain. It could be a legitimate domain, but due to some unpatched (or zero-day) vulnerability, a malicious actor has planted malware on a directory reachable publicly. Incidentally, it's also why reputation-based systems can fail to protect you. If you own the domain and have a Palo Alto Networks support contract, you can open a support ticket to uncover more specifics. Best regards, Greg Wesson

gwesson · ‎04-17-2015

The torch application has several components, one of which is a standard web browser. The web browser functions are no different than other browsers (Torch is actually a fork from the Chromium project, like Chrome and Safari) so there would be no reason to block that feature. Additionally, it can be a challenge since some browser plugins will allow the user-agent header to be modified. Without a hook into the OS, there would be no real way to see the actual application that made the request. The torch functions that would be blocked are the features unique to it. Additionally, the built-in games and music functions have their own sub-app which would also be blocked if you block the main "torch-browser" app in your security rules, or can be blocked without blocking the other functions of the application. If you block the torch-browser application in your security rules, it will effectively turn the torch browser into a standard web browser. It's rare that I hear specific browsers being blocked (like, allowing Chrome but denying Firefox), so that should be effective for what you're trying to achieve. If you want to actually block the download and install of the Torch Browser client, that can be done with a custom URL filter (torchbrowser.com is classified as Computer and Internet, so blocking that whole category would be overkill). Downloading exe files can be restricted with a file blocking profile. When using the Torch browser and going through a security rule which blocks that app, are you able to actually use the music functions or game functions? If so, that would be unexpected. Hope this helps, Greg Wesson

gwesson · ‎04-14-2015

URL logs are actually threat logs, listed as informational severity (as in the screenshot at the bottom of the page you linked). When you send the informational severity threat logs, that will contain the URL if you supply the $misc token. -Greg

gwesson · ‎04-14-2015

Great post, Justin. Thanks for the details and the laughs Ok, so to address a few things first: 1. You can add applications directly to security policy block rules. Some people prefer app filters, because then if something new gets added the rule is updated, but it's just fine to do it either way. 2. Just about every application has some changes, but not often to the base functionality of them. Adding a block for the Torch Browser (via the "torch-browser" application) should block the clients. 3. Port 80 does not equate to unencrypted, that's old-school port-based firewall logic rearing its ugly head. Torch isn't encrypted, so you're good, I just wanted to call out that ports don't automatically indicate the transport. You don't have the full security rule, but your block screenshot (6th screenshot) looks like it's blocking Bitcoin or Torch, on any port. That should be fine, and while I haven't tested it there may have been a very recent app change. The rule that you blanked out in your final screenshot should tell you what rule is allowing the action. Is it possible that your block rule is below that rule so that the block doesn't have a chance to take effect? Are you getting any shadowing warnings when you commit? Fare thee well on your battle. Greg

gwesson · ‎04-02-2015

There are a few things that you may need to check: 1. Make sure you created the client certificate using the Root CA in your cert profile, and that client cert must be installed (with the private key) into the computer's Machine store. The default is to install it in the user store, which will not work with pre-logon. 2. Ensure you have two separate Client Configurations set up on the portal (Network > GlobalProtect > Portals > portal_name > Client Configuration tab). Both need to use the pre-logon connect method. The first should have Pre-Logon selected on the User/User Group tab, the second should be whatever user groups you want (or "any" if you don't care). You can use SSO here as well if you like, it's after the pre-logon is done so you'll be fine with that. You'll need to choose the same certificate profile on the GP Gateway for each site, and it should be the same root CA. You may be able to get it to work individually, but I haven't attempted that and am not totally sure how that would be configured off the top of my head. Check out the following doc if you haven't seen it yet, it's great at the config: How To Configure GlobalProtect SSO With Pre-Logon Access Using Self-Signed Certificates The most common issue I see with the cert not found errors is if the client cert was either imported into the client store (which isn't available until the client logs in) or if only the public key of the client cert was imported into the machine store. You need the private key as well. Best regards, Greg Wesson

gwesson · ‎04-02-2015

1. Your ping is failing because your interface isn't connected to anything. If you're sourcing your ping from Ethernet1/2, which is showing as configured but down, there is no way it could work. Even though your default gateway is set to use Eth1/1, since that interface is legitimately down, the packet cannot be sent using that interface. It works without specifying the interface because it uses the management interface as you guessed. 2. Since your Ethernet1/1 (ISP interface) is DHCP, the default gateway is configured by your ISP and there is no need to configure the 0.0.0.0/0 route on Eth1/1. You can remove that static route from your virtual router since it is not needed. Regards, Greg

gwesson · ‎07-09-2014

Looking at a packet capture, the raw hex stream doesn't include spaces. So yours would be: \x5C005C0061006D006500720069006300\x I haven't tested this, but it may be worth a shot. I know the article linked shows spaces, but that seems odd to me because the pattern is specifying hex (using \x in front and back). Might be worth trying. -Greg

Member Since	‎03-27-2012 04:23 PM
Date Last Visited	‎10-10-2019 02:19 PM
Posts	731
Total Likes Received	296

Online Status	Offline
Date Last Visited	‎10-10-2019 02:19 PM

About gwesson

Re: Source User ID being replaced by service account for SCCM

Re: Commit error profile compiler can not find tid 40006 in threat database

Re: SSL Expired Cert and SSL decryption

Re: SSL Expired Cert and SSL decryption

Re: SSL Expired Cert and SSL decryption

Re: Intel MDS Attack

Re: Getting this from Vendor device eventid eq ike-recv-p1-delete

Re: Add LDAP GROUP as Administrator

Re: Certificate based authentication for IOS microsoft intune intergration

Re: aggressive-cleaning enable but still got disk usage email alert?

Re: Importing a WildCard SSL to use with GlobalProtect

Re: How to filter policies by zone

Re: Does it exist a CLI command that close all active sessions for a Zone?

Re: capturing ssl decrypted traffic

Re: Global Protect Client 1.2.0

Re: Python Script

Re: HELP: Clients going 'under the radar' when CP is switched on...

Re: URL Redirect

Re: Minimum allowed version of Global Protect

Re: Why Panorama commit is always not greyed out

Re: Poodle Bits Vulnerability

Re: tcp-fin and aged out

Re: tcp-fin and aged out

Re: Self destruct check mark for policies and schedules

Re: globalprotect client for android

Re: Find out more information from a listed Threat Protection

Re: Find out more information from a listed Threat Protection

Re: Higher gainer low threat

Re: URL categorization reasoning?

Re: Application Blocking

Re: How to forward traffic (URL) to a syslog server?

Re: Application Blocking

Re: Configuring Prelogon for GlobalProtect

Re: Ping thru device and static route qestion

Re: Custom App-ID SMB Signature Assistance

Unlock your full community experience!

About gwesson