About mikand

No, I meant replace (or reconfigure) your current http-proxy so the end result becomes: Clients - HTTP-proxy - PA - Internet The clients can then either go straight for the Internet IPs OR configure proxy-settings and go to the ip for the HTTP-proxy (depending on how you do today). The HTTP-proxy will then do its magic but compared to from how it works today the srcip of the packet will be the client-ip instead of the HTTP-proxy interface ip towards PA. The PA will do its magic regarding IPS, SSL-termination, URL-categories, AppID etc and before throwing the packet out on the Internet it will SNAT the srcip so the PA interface ip towards Internet will be used as srcip. Things to do: 1) Change (or replace) the HTTP-proxy so keepsource=yes is being used on the ip header (that is client-ip is kept on the packets leaving the HTTP-proxy towards your PA). 2) Setup SNAT in the PA device. 3) Configure a static route for the PA device so it can find its way back to the clients. Edit: 4) Disable X-Forwarded-For in your HTTP-proxy 🙂 ... View more

So what about the thing I wrote in to configure your current http-proxy to keep the srcip (instead of using X-Forwarded-For) and then do the SNAT in the PA? ... View more

Could you get a pcap of this behaviour? Sounds somewhat odd that 1) the IDS/IPS sends a NACK to block the traffic (instead of just RST or just silently drop the traffic) but also 2) that the PA on the resend sends the original packet instead of the modified one? If the 2) is verified then you should file this as a bug to PA/your SE. ... View more

True 🙂 It also seems to be related to multiple X-Forwarded-For headers in a single request: National Vulnerability Database (NVD) National Vulnerability Database (CVE-2012-3526) So either these IDS/IPSes are broken or the packets leaving your networks for Internet for some reason contains two (or more) X-Forwarded-For headers in the same request? ... View more

A really ugly workaround would be to place a transparent squid proxy between PA and Internet to clean out any unwanted headers as described in: How to use or configure High Anonymous Proxy squid 2.6 stable21 release A better approach would be to use a http-proxy which has the capability of keeping the srcip of the client when forwarding the traffic. This way no x-forwarded-for header is added and there is no need for such. I know the Farist Firewall (Färist Firewall — Tutus) has this capability but also newer versions of squid as described in (look at my post from Jan 23, 2013 11:53 AM for urls). Regarding manipulating the http stream through PA, can this cleaning be applied for the full row where the "X-Forwarded-For" exists? Or would the IDS/IPSes start to complain that the http header suddently has a blank newline? If so - what about cleaning out including the \n in the end? I dont know if the ASICs/FPGAs which PA uses has the capability of altering the headers this way. Things that might break can be http-length (but thats for the http payload isnt it so changing the http-header shouldnt affect the http-length?) and perhaps ip-lengths for each packet (or in case this occurs in a fragmented packet for some odd reason and such). I guess the best option currently is, unless you can get a Farist or a Squid as http-proxy, to file this as a feature request and if possible update this thread when you get a reply on this topic from your SE. ... View more

I might have used the wrong terminology in this case. What I mean is equal to if you think your PA (VWIRE) is like a hub. Then on this hub you have inside and outside interface - but you also connect a third host to this (which is the PA ip used for response pages). This way, even if the hub is "transparent" for the hosts on inside and outside network - both of them can address this third host (and then this third host has a firewallsetting to only speak to hosts from inside network as an example). But looking through the admin doc for PANOS 5.x this doesnt really seem to be described. A layer3 subinterface can only be configured for a layer3 interface which on its own only can be configured for a physical interface (which if you use VWIRE is already being used). Then there is VWIRE subinterface, but the docs here only seem to state that these can be used to "force route" (or whatever one could call it) traffic into various zones and vsys. Like if vlan = 123 and srcip = 10.0.0.0/8 handle this as zone "clients". I guess loopback interface is the thing which (hopefully) might be used for this. When you setup the loopback interface you can assign it to a VSYS. And since the VWIRE is part of a (the same) VSYS this should hopefully mean that this loopback interface can be reached by inside/outside who is part of this VWIRE. Create a new zone for this loopback interface (so you can setup firewall rules on which srcip's etc would be allowed to speak to this interface) and then attach the management-profile (which is configured for only "response pages"). ... View more

A workaround for the minimum pattern length (which I feel is bad - should be taken care of by the PANOS itself to extend any short patterns into whatever the hardware demands as minimum length) could be to add some wildcards before and after. Something like: .*TEXT.* <- 8 bytes in length ... View more

As already mentioned the URL filtering is based on the the contents of the actual http request. However in PA there is also a DNS-proxy feature which I think might be able to be used to sinkhole various domains, see some info in The admin guide has a better description regarding settings of the dns-proxy feature. In my opinion the best option is to use your own dns-servers (place in DMZ) and perform the sinkholing in them. ... View more

At least to try to disable the tcp-reject-non-syn, but I dunno - feels more like a longshot Would be interresting if you could setup netcat on this server to listen on this port instead of the streamin video server app and then use telnet or putty (telnet) to connect to this netcat and type some text... wait for 35 seconds and type some more... ... View more

By the way, you are using only a single box (or for that matter active/passive with functional HA along with session sync)? Im thinking if, since this is a tcp-app, you might be using an active/active setup and the session sync for some reason doesnt work then when this flow is switched to go over the other device it gets dropped because this device (PA-box) didnt have this as a valid session. A workaround for such situations is to disable the tcp-reject-non-syn in zone-protection-profile (often used in assymetric routing situations like active-active setups or if you have two independent PA-devices but routers before and after the PA-cluster which for a single session might take various nexthops):: + tcp-reject-non-syn — Reject non-SYN TCP packet for session setup global — Use global setting no — Accept non-SYN TCP. Note that allowing non-SYN TCP traffic may prevent file blocking policies from working as expected in cases where the client and/or server connection is not set after the block occurs. yes — Reject non-SYN TCP ... View more

Yeah only scanning exe, dll and scr is a bit limited. Will be more interresting the day Wildfire also supports pdf, java, flash and office-documents. And for that matter become a bit more critic of whats malware and whats benign (I somewhat disagress with PaloAlto on whats benign and whats not in terms of that what Wildfire thinks is beningn I think should be classified as malware 🙂 ... View more

Unfortunately not according to Edit: Read the comments regarding 2000-series. ... View more

What if you setup your security rule like this? app: any service: TCPxxx (or UDPxxx) This way the firewall ignores which app is being identified and only look for the port(s) being used. You can also try to check Device -> Setup -> Session Timeouts and if you change the UDP timeout from 30 to lets say 60 see if your dropped sessions ends after 60 seconds instead of 30? However the session timeouts are basically for idle time so for some reason it seems that your application sends data and then stops (or get stopped) which then the session timeout kicks in to kill the session (if the sessions gets dropped after 60 seconds instead of 30 seconds if you change the above default value). ... View more

I guess you agree with me that Wildfire conclusion of what is benign and what is malware is a bit off? Could perhaps someone from PaloAlto put some light on this matter? ... View more

As I understand thats not entirely true. The dependencies are only open for the amount of packets needed in order to detect the main application. For example where you previously was forced to have both appx and web-browsing open forever you now only add appx and the web-browsing will only be allowed for the amount of packets needed to detect appx, if appx is not detected after this amount then the web-browsing session is denied. ... View more