About mikand

I guess DHCP is handy if you have more than one admin client, on the other hand using fixed ip's makes it slightly harder for an attacker (with dhcp you can just plugin any device, with fixed ip you need to know which network is being used). ... View more

Then it should work if you only specify which categories you wish to allow - sites/ipaddresses not part of this whitelist will then be blocked and you get the effect you seem to be asking for. ... View more

Yes it can evaluate the X-Forwarded-For header however the value of XFF will be in the source user column in the logs. And currently if you choose to clean out the XFF header it will probably get a hit in misconfigured IPSes (because the header isnt properly cleaned out, just nulled that is the line with XFF will currently show "X-Forwarded-For:" - just the ip/hostname part will be removed). Also XFF seems to be non-standard-RFC. Se this for more information: ... View more

A workaround (sort of) for this is when you create your custom app you can also choose "parent app" (page 227 in admin guide panos 5.0): " Parent App Specify a parent application for this application. This setting applies when a session matches both the parent and the custom applications; however, the custom application is reported because it is more specific. " This way you can "copy" the matching in the "original" (parent) app and add the more specific stuff on your own. For example if you only wish to allow HEAD, GET, POST as http-methods you can create a custom app, choose "web-browsing" as parent app and then add your custom signature that http-method HEAD, GET or POST must match. Then use this custom app to allow http traffic instead of the original "web-browsing". One drawback is this is highly dependent on that the parent app must be detected first. Which means you need to do the same thing again for other http-based apps if you want them to be limited to only use HEAD, GET or POST as http-methods (like create one for facebook, one for linkedin, one for youtube etc). Perhaps PA could enlighten us if there is a pending feature request of be able to select multiple parentapps at once (or an application group) to make the life of the admin easier when it comes to custom apps which depends on already existing apps? ... View more

According to release notes for PANOS 5.0: Link Aggregation – The PA-500 and PA-2000 Series devices now support link aggregation. Note that link aggregation on virtual wire interfaces is not supported on the PA-2000 Series due to a hardware limitation. By assigning common ingress and common egress zones, two or more virtual wires may still be used on the PA-2000 Series in environments where adjacent devices are performing link aggregation. Which means: 1) Setup 2 zones (internal and external or whatever you choose to call it). 2) Enable VWire so int1+2 is internal and int3+4 is external (or whatever combo you like) - that is VWire1 is int1+3 (internal/external) and VWire2 is int2+4 (internal/external). 3) On the devices before/after the PA box setup etherchannel and connect this through the PA device (that is for example int1+2 on device1 will form etherchannel with int1+2 on device2 - then connect device1_int1 to PA_int1, device1_int2 to PA_int2, device2_int1 to PA_int3, device2_int2 to PA_int4 (or whatever interfaces you setup for this)). 4) Dont forget to configure which VLANs you allow through this VWIRE. This way the PA will not be part of the linkaggregation itself but more like if you would connect a hub between device1 and device2 interfaces (that is one hub for deviceX_int1 and another hub for deviceX_int2). ... View more

PA has already today a farily high hitrate (according to NSS Labs) of various obfuscation techniques and other methods to bypass IPS functionality - however new applications and protocols will continue to develop and so will the techniques to bypass IPSes. And as long as PA continue to fix and update their software PA will continue to be among the TOP 5 or so in both NGFW and IPS field. However as with all configuration some of the bypass possibilities is due to how the firewall is actually being setup. For example if you want to allow your clients to visit http sites which isnt categorized yet? First thing to remember is that application identification (which is somewhat the main reason most chooses to PA I would assume) isnt foolproof and will on its own, depending on application, let one or more packets through before the appid is sucessfully identified. Thats why you should use "application-default" as service unless you can specifiy the port or portrange to use. Along with fighting to identify bad stuff on the network and identify the good stuff there is also a fight of not having falsepositives. One example is if you transfer a file using ftp containing a http-header. In this case this transmission should be identified as ftp and not suddently a http request. However if you are in control of the ftp server you can probably make some cleartext tunneling this way, until PA finds out about this and are able to create an IPS signature for this (or even better an appid signature, either by text or by behaviour/heuristic (similar to how bittorrent, skype etc is identified)). But to sum it up of historical cases: 2.1 Obfuscation: Look at the appid cache pollution case from last xmas, or similar stuff last autumn (www.what2code.net has a description that affected not only PA but also Checkpoint and Fortigate). The xmas thing was fixed in: 5.0.2 15 Jan 13 4.1.11 06 Feb 13 4.0.14 12 Feb 13 2.2 Encryption and tunneling The tunneling part I would say is similar to 2.1. The encryption stuff depends on the configuration of your PA box - if you have ssl decryption enabled or not (and for that matter which url categories do you choose to not decrypt and also if you will allow traffic that cannot be decrypted or not). If we take Sourcefire as example you need to invest into additional hardware to be able to perform SSL-decryption, this is built in and included with the PA box. 2.3 Fragmentation NSS Labs found in 2011 a split TCP-handshake method to bypass the IPS in PA. Was fixed in 4.0.2 and 3.1.9 (5.0 didnt exist at that time): https://www.nsslabs.com/research/network-security/firewall-ngfw/network-firewall-group-test-q2-2011.html 2.4 Protocol violations Again similar to 2.1. One example is how *nix vs windows interprets various packets. If im not mistaken *nix identifies the first packets while windows chooses to go by what the last packets says (or if it was the other way around :smileysilly:). I think this is also highly dependent on which appid's you chooses to allow which I also think is a major component when using PA as IPS because the IPS can interact with the AppID (compared to the workflow in lets say Checkpoint and other products). Again, AppID isnt foolproof but that doesnt mean you should ignore it. Properly setup a PA (with all its features enabled) will be able to better allow the good stuff and block the bad stuff compared to other vendors in my experience. There is also other features that in some way could be involved in the IPS work (or more as a IDS) and that is Wildfire. This will become more interresting when the appliance boxes will be released along with capabilities of not only scan and run PE-files (.exe, .dll and .scr) but also Java, Flash, PDF and Office-documents. Another aspect to this except risk of falsepositives is also performance. Its not fun if you have 10Gbit/s boxes and they can only let through 400Mbit/s or so (or even worser than that) as with some vendors. This doesnt mean that a 10Gbit/s box from PA always has a throughput of 10Gbit/s but generally speaking it seems that the PA hardware design has a higher throughput than many competitors specially when enabling most of the features (most vendors can match their numbers in the datasheets when you have only one "any, any allow" rule at top of your ruleset and all other features, such as IPS, disabled - but when you start to enable stuff like IPS, SSL-termination, AppID etc the performances often drops way below the numbers mentioned in the datasheets). Notes regarding the report: According to page 26 they use "default" profile for the IPS in PA. More correct would be to set it up as: Critical: Block High: Block Medium: Block Low: Default Informational: Default This is what NSS Labs did when they went from 56.4% hitrate (default) to 93.4% hitrate (as above "tuned"). They also only had a "any, any allow" rule (and only blocked by "default" in the IPS setting) - meaning no interaction with appid in this case (which probably could block one or more of the evasion techniques on its own). Apart from the above I do hope some PA people will read the report and implement fixes to handle the evasion techniques described in this report. But also, as the report states, using IPS isnt foolproof. What you need to do is to have as narrow hole for the good traffic as possible and as broad detection of the bad traffic. But also take into account, what if bad stuff will hit the client? Sometimes corporations chooses to use two webbrowsers (like google chrome for internet and internet explorer or something else for internal use) but since no matter which technique you use to protect yourself approx 5% bad stuff will still be able to bypass and hit the browser I think you should decide that if you do have sensitive data on your internal networks - perhaps those clients shouldnt be able to browse the internet at all? Or at least use a terminalserver solution so if the bad stuff hits the browser then its the terminalserver that gets infected and not the client itself. And dont forget other attackvectors such as email (both incoming but also outgoing as method of communication for malwares) and the (by now) infamous usb-drives (stuxnet anyone? ). Regarding email one solution can be to allow incoming email but not outgoing. In order to send an you email you must connect to a terminalserver setup from where you can send your emails. This way the bad stuff can get into your network - but hopefully never leave... ... View more

I think you can do this yourself with a custom url filter. Otherwise the "proper" solution is to create a custom blacklist rule in front of the other rules (maybe put a whitelist rule in front of the blacklist one :smileysilly:) where you block bad dstip's. PANDB should be able to be more granular than the Brightcloud db, but I dunno if the PANDB includes ip addresses as "hostnames" or not - parhaps someone from PA (who is lurking this forum) could answer that? ... View more

Did you contact support@ yet regarding this? Because if you dont see anything odd in the headers (both from the file PA sends you and the file the server sends you) then we can rule that part out. ... View more

I guess you use the proper syntax for snmpwalk and you have put the MIBs in correct path? http://www.net-snmp.org/wiki/index.php/TUT:Using_and_loading_MIBS ... View more

Another workaround might be to enable syslog for TRAFFIC logs (and/or THREATS aswell, and while you are at it CONFIG and SYSTEM too :smileysilly:) - this way you will have the logs in csv format at your syslog server (PA default mode for syslogging is in csv format). ... View more

Last time I reported a site issue it took one or two days to get a reply back from the webmaster: Web Feedback webmaster@paloaltonetworks.com ... View more