About mikand

Wouldnt it still be possible to create a md5 of a stream since md5 works with 512bit blocks? Cryptographic hash function - Wikipedia, the free encyclopedia MD5 - Wikipedia, the free encyclopedia ... View more

In this case would it be best to create a custom app or a custom signature? I (currently) think that creating a custom signature would be better that acts on all http traffic and by that set an default action of block (or alert). ... View more

Other things to take into account (if the download actually passed the PA) is if ssl was used or not and if so did you have ssl-decryption enabled? If you have a copy of the malicious file you could try to upload it manually to wildfire and see which opinion wildfire has on the file in question (first login to https://support.paloaltonetworks.com): https://wildfire.paloaltonetworks.com/ ... View more

The external lookups are towards resolvers or authoritive dnsservers? Why not use two (well four for redundancy) physical machines? One for internal dns and one for external stuff on each vlan. ... View more

It doesnt seem to be part of the internal whitelist at least: Also it seems to be hosted by amazon in case that somehow affects this "bug" (or whatever it is thats happening to you): https://www.ssllabs.com/ssltest/analyze.html?d=www.wetransfer.com PA devices have had problems with TLS in the past... even if SSL 3.0 is supported the only support ciphersuits are TLS-based: https://www.ssllabs.com/ssltest/analyze.html?d=www.wetransfer.com&s=176.34.236.232 Cipher Suites (sorted by strength; the server has no preference) TLS_RSA_WITH_RC4_128_MD5 (0x4)     128 TLS_RSA_WITH_RC4_128_SHA (0x5)     128 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)     128 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)     168 TLS_RSA_WITH_AES_256_CBC_SHA (0x35)     256 ... View more

Where can I find a statement in the manual that proofs this? As far as I know the PA will only check the cert for revocation when its being part of the decryption. If the session is not being intercepted then there will be no checks for revocation (how would the PA otherwise be able to display an error message for the client (that the cert is revoked) if the ssl session isnt decrypted?). ... View more

I disagree with you... this is both a valid AND genuine scenario. Here you have at least two valid scenarios where this apply: 1) Schools and/or at work where the client is trying to bruteforce their way through the url-filter. Since the client already has control of the server (the one at home) and obviously can run stuff on their client (at school/work) and hey presto - the expensive firewall is suddently bypassed. 2) Similar to above but where the client gets a botnet binary or some other 0day malware and hey presto - the expensive firewall is suddently bypassed. One could argue that there are workarounds for both cases above but the thing here is that this test shows that (in the public eye) the AppID in PaloAlto is "worthless" (which of course it isnt but using arguments that "this is not a valid scenario" is just bogus and doesnt really bring you more trust to PaloAlto products - I think the result is unfortunately the opposite, the trust to use PaloAlto devices will shrink when bypasses like this are possible (but to be fair - and this is perhaps by luck for PaloAlto - the same bypass also worked in Checkpoint (but is now fixed) among other vendors so PaloAlto is not alone (yet))). In this particular case the workaround (until proper fix from PaloAlto arrives - by the way when will it arrive?) is to limit which dns servers the clients (and servers) are allowed to use. But next time its perhaps some other AppID which is affected. Not too long ago it was AppID:web-browsing where the attacker could switch to another protocol in the middle of an already established session and web-browsing is much harder to "limit to a few IP-addresses"... ... View more

I think it would be great if the PA could have a setting to strip the icmp (echo-request/reply) contents. Today one is forced to do this through proxyfirewall using icmp-proxy. Does anyone know if there perhaps already exists a RFE to strip ICMP contents when passing through a PA device (or if this even is theoretically possible by the hardware being used)? ... View more

Another variant could be to whitelist destinations. That will of course doesnt help if the spam goes to a specific domain which already is whitelisted but still... a variant of this could be to also use geoip as dstip's (but again, wont help if the spam goes out to these you have already whitelisted). ... View more

Personally I recommend to put a proxyfirewall inline with a PA device to get the best from both worlds. The proxyfirewall, since it has dns-proxy (among others), will make sure that only dns-traffic will be let through. That is any "protocolswitching" (unless its within the protocol specifications) will be blocked by the proxyfirewall and then PA will take care of the rest (IPS-style). What worries me is that there is still not a single response from any Palo Alto representative regarding this latest finding and what PA is doing to address these (or for that matter this particular bypass)? The appid bypass last christmas rendered some changes in how PA deals with flows - but these countermeasures doesnt seem to have been enough looking at this latest bypass? If we take DNS as example the entire conversation in this example was at 9742 bytes (11.4kbytes according to some other screenshot) - is that even within specifications of how DNS is supposed to work? Also that traffic obviously flows in both ways all the time with the same session. Isnt DNS strictly a request/response protocol? That is client sends a request and gets a response back from the DNS. Next query will be a new session towards the DNS-server and so on... Im just saying that I think more could be done by PA to address these kind of bypasses (which even if appid is good overall will be used as a reason for why not be using appid - and if that happens the organisation will have a far worser protection than if appid is being used even if the appid can be bypassed). ... View more

Its often said that when using Diffie-Hellman for the sessionkey exchange the attacker must have access to the RAM contents in order to break that (well sort of 🙂 Anyone with a bit more knowledge of DH which could confirm my assumption that ssl inbound decryption wont work if the server uses DH? ... View more

Unless the bank uses a client cert (which very few does) - how would the bank be able to detect that the ssl traffic is being intercepted at the client end according to you ? Regarding the Facebook problem - verify if they only accept TLS 1.1 or newer? If so then PA might lack support to handle TLS 1.1 and newer ssl based communication. ... View more

Have you tried ? In your case: First create a NAT rule: source zone: outside destination zone: outside destination interface: none (could be set to the physical interface if you wish) source address: any destination address: outside_ip service: any (or set TCP21 along with the portrange you have defined for passive ftp preferly) source translator: none destination address: inside_ip Then create a security rule: source zone: outside source address: any destination zone: inside destination address: outside_ip application: ftp service: application-default (or set TCP21 along with the portrange you have defined for passive ftp) action: allow profile: recommended to use an IPS profile thats configured according to: critical, high, medium: block - low, information: default options: log on session end (enable log on session start for troubleshooting) You could also use a network range instead of outside_ip. For example outside_range if thats what you mean by "any outside"? ... View more

What about this one, close enough? ... View more