About mikand

On the other hand it seems like PANOS 5.0 is the main branch now and stuff is being backported to 4.1 and 4.0 later on. Take this appid cache pollution thingy from the christmas holidays. Fix for PANOS 5.0 came first, I dont know if the fix is out yet for 4.1 and 4.0... ... View more

Yes but the fixes committed in 4.1 are committed into 5.0 aswell, arent they? ... View more

Not entirely true (regarding the not the first hour)... the point of wildfire is not to protect but to detect 0days. This gives that in order to protect the client you will completely block downloads of exe (as example). But in case you want the client to download exe files (which might be bad) you now shrink the detection time of 1-4 weeks (compared to AV signatures downloaded to your PA device or for that matter any AV solution) down to less than 1 hour in case this bad file was detected elsewhere. And less than a few minutes in case this bad file was detected by your own equipment. I think at the same time its vital to get this difference when using wildfire that wildfire wont download, buffer, scan and then let the file through. The file will hit the client as without wildfire but now you will at least get a report that this file was bad. As a feature request one could ask for ICAP support. This way you could do the download, buffer, scan and then let through. The downside is that the mgmtplane will be involved even more with the problems that buffered scans gives you in terms of max file size to scan but also that the client will get a "loading..." page instead of the file itself until its fully scanned (or in terms of PA analyzed by sandbox) and that the buffered scan isnt possible for all protocols (on the other hand buffered scan can be applied for all filetypes compared to PA's streambased scan which only works for a few filetypes). So in short you should see the wildfire service as an improvement from the regular 1-4 weeks for detection down to max 1 hour (or even minutes if found by your own equipment). And if further security is needed you should consider to completely block clients from downloading stuff from the internet (like exe-files etc) or file a feature request of ICAP support (to cover the buffered scan stuff). Another drawback of current wildfire is that any signed executable wont be scanned. This, I have been told, will be fixed in upcoming versions so you can decide on your own which signatures you wish to trust. Specially when Realtek certs and Digicert certs are out in the wild to sign malware. ... View more

essilorbr: Thanks for the followup! *mumbles something about PaloAlto and the quality assurance team* ... View more

Thanks! 🙂 However this is not driver related but hardware related. From your answer it means that intel ethernet controllers are being used but in this case no PA-device is affected (im thinking not only the firewalls itselfs but also the panorama appliance and the other existing or upcoming applianceboxes)? ... View more

Speaking of which... how come? I mean since PANOS 5.0 obviously is released as production code and not beta or something? Sure you will run into new bugs, but at least you will hopefully not run into old bugs like if you would stay with 4.1.5 or such. ... View more

Also which PANOS version is used? The PA-2000 series have some issues with mgmtplane which compared to PA-3000 series is much slower which of course could bring you a higher cpu usage. As long as this doesnt reach 100% you should be safe. There have also been some issues addressed regarding mgmtplane and performance in the later releases of 4.1 and 5.0 series. ... View more

Verify that you in the settings for the interface facing the clients have enabled "userid". ... View more

So ehm noone who knows if and if so which models of PA devices uses Intel 82574L ethernet controllers - and are they affected by the "packet of death"? ... View more

Do you use a dedicated pan-agent server or do you use the new builtin pan-agent feature of panos 5.x ? ... View more

Wildfire currently only test .exe, .scr and .dll (I think) - hopefully it will support pdf, office-documents and android/java stuff later this year. As far as I know it doesnt test .pif and other similar types. Also wildfire wont scan and then let your file through - the bad file will hit the client (unless the AV/IDP rule didnt set off) but with wildfire you will at least get a report that a file that the client downloaded a few minutes ago was bad. If the antivirus on the client didnt trigger you now know you have a client that should be reinstalled from scratch (like ghost image or such). I added two more filetypes which I think should be blocked or filtered... ... View more

However an account is needed to perform user-id lookups (those userid's which are bound to your AD). ... View more