About mikand

By the way, how come that for example the SIP context is closed by default? Seems like an neverending stream of feature requests to the SE's 😃 ... View more

Would it? Cant you through zones define which networks are expected on which end of the vwire? Perhaps it needs a feature request similar to how vwire filters 802.1Q tagged vlans. ... View more

Why not implement support for TLS 1.1 and 1.2? I really dont get it... ... View more

Did you notify the technical support of your finding? ... View more

I personally somewhat agree with the difference that I dont want to see two branches but rather a single one meaning that the current rules (well db) should be made "open" for paying customers. That is not only it would be easier to duplicate an already existing threatid/appid and add/remove whatever is needed but as you mentioned when debugging to find out if its a false-positive (or false-negative). This could of course also be handled through NDA but best would be if the db would be available through the gui/cli. One argument against this might be that the bad guys (and girls) would then will be able to analyze their way through a PA but the same way as security should never rely on obscurity (even though you perhaps shouldnt bring everything onto the lap of the attacker) I think the same applies in this case (open source vs closed source). The bad guys (and girls) could just bruteforce their way through a PA before releasing the exploit (meaning not having the db open for customers doesnt really block any bad guys/girls) and the competitors has most likely already tools to dig into the internals of the PA device (which also means that not having the db open for customers doesnt really block any bad competitors) - which leaves us that the only thing that NOT showing up how threatid/appid's are constructed is protecting from is the paying customers... which is somewhat akward... So TLDR: I would also like PA to release actual content of both threatid and appid which would aid during debugging but also when one need to construct custom threatids/appids... ... View more

I was thinking of this A correct behaviour from PA would be to completely remove that line (including any \r\n) and not as not just "null" the value. ... View more

Stripping the x-forwarded-for header seems bogus currently, also not stripping it will lead to informationd disclosure: ... View more

However that stripping is somewhat bogus within PA since PA cant alter the length of the packets it will just replace the "x-forwarded-for: x.x.x.x" with "x-forwarded-for:         " which then will fire some IPS's all around the internet regarding malformed http-request (according to another thread in there) - dunno if that has been fixed in PA yet or not... ... View more

In order to replace a Bluecoat with a PA, except for the configuration etc the steps needed are: 1) Change webbrowser settings so the webbrowser wont use a proxy for the traffic. 2) Make sure the clients has default route so any internet ip-addresses will be routed through your PA device. 3) Install PAN-agent or TS-agent (the later if a citrix farm is being used for the browsing) to have logs of which user did what on the Internet. However if you still wish to use an explicit proxy I would set this up so the flow would become: Client <-> Proxy <-> PA <-> Internet and make sure that the Proxy will be able to be transparent towards the PA device. That is the traffic leaving the proxy will have the clientip as srcip. Squid among other proxysolutions can do this. Edit: Look at for some more information. ... View more

The drawback of such setup in my opinion is that you will get half of everything. That is a single session will actually take two sessions within the PA. ... View more

By the way there are two modes of SSL decryption within PA: 1) SSL Decrypt Client traffic is being intercepted towards outbound server (MITM-attack). One SSL session towards client and another towards server. Client should have the CA which the PA uses to create the MITM cert towards the client as a trusted CA to not get any warnings. This is for the case when you have control of the clients (but not the servers). For example if you want to control and log what the clients at your company does on the Internet. 2) SSL Inspection Client setups a SSL session straight to the server. In this case there is only a single SSL session (between the client and the server). Because the PA unit has got the private key of the server PA can then inspect whats happening within this SSL session and if something bad is detected it can kill the session. This is for the case when you have control of the servers (but not the clients). For example if you wish to protect your DMZ webservers against evil clients on the Internet. Note however that this method doesnt work if DH (Diffie-Hellman) is being used in the SSL session. SSL Inspection is the same method as if you do a tcpdump on the network (or on the server) and feed wireshark the private key (again only works if DH is not being used). ... View more

The PA unit doesnt do any analyse on its own. You setup firewall rules on which traffic (files) to be sent to wildfire for analyze (allow-and-forward). If you have a WF-500 appliance the files never leave your datacenter (compared to the cloudbased Wildfire where the files are sent into some Amazon EC2 cloud setup) unless when malware is detected then the malware file is being forwarded to PaloAlto so a signature will be created. Once the files has been sent the first check (unfortunately) is if the binrary is signed by a trusted CA or not - if its signed it wont be checked (I hope this will change in future looking at cases such as stuxnet and flame who used real CA certs from Realtek (among others) to sign their malware) samt goes if the file has already been investigated previously. Once its being checked and if identified as malware the signature for this file will be available within one hour for those with a wildfire-subscription - the rest will have to wait for the weekly updated of the threat db to get the same signature. ... View more

5.1.1 is Panorama and not PAN-OS as far as I know... ... View more

I think you must be superadmin to gain access to the /debug page. ... View more