This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

About mikand

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
mikand
since ‎03-30-2010
L6 Presenter
User Activity
User Profile
Latest posts by mikand
View All
User Badges
Community Statistics
Member Since ‎03-30-2010 08:39 AM
Date Last Visited
Posts 1,446
Total Likes Received 496

The hunt is on - 0day for java 1.7u10

by in General Topics
‎01-10-2013 01:21 PM
2 Kudos
‎01-10-2013 01:21 PM
2 Kudos
How many hours/days will it take for: 1) Wildfire customers 2) Regular customers to get protected by a threat-db update regarding the latest 0day exploit for java 1.7u10 (and possible java 1.6u38) as descibed in: Malware don't need Coffee: 0 day 1.7u10 spotted in the Wild - Disable Java Plugin NOW ! http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/ http://www.cert.se/sarbarheter/sr/sr13-006-oracle-0-day-i-java ? ... View more

Re: NAT to multiple https sites

by in General Topics
‎01-10-2013 01:18 PM
‎01-10-2013 01:18 PM
You mean someone from internet access x.x.x.x which your PA device will forward (destination NAT) to 2 or more webservers on DMZ? Not that im aware of today. ... View more

Re: PA equivalent of ASA packet tracer?

by in General Topics
‎01-10-2013 12:23 PM
‎01-10-2013 12:23 PM
Speaking of which, what about decrypted traffic? Can that be captured aswell, and if not - if filing this as a feature request, does the hardware support this in some way (or would it just be a waste of time to describe this feature request)? I guess it could be done because Wildfire can get a copy of files transmitted by ssl/https and send for analyze. ... View more

Re: Apps & Threat update link not visible

by in General Topics
‎01-08-2013 10:37 AM
‎01-08-2013 10:37 AM
If im not mistaken reboot of mgmt-plane will impact userid-based rules and on 2000-series and below also generation of certs used by SSL-termination. ... View more

Re: Using VM firewall as "offline" configuration management for ALL models of PAN devices?

by in General Topics
‎01-08-2013 10:29 AM
‎01-08-2013 10:29 AM
However shouldnt it work if you just copy the <rulebase> ... </rulebase> stuff? I mean: 1) Open the archived config in your VM and make the changes. 2) Save the config and export it (lets call it modified.xml). 3) Open modified.xml in a texteditor and copy the stuff in between <rulebase> ... </rulebase> and insert that into a copy of the archived config in 1) above. And perhaps other xml-blocks aswell (like application-groups etc). ... View more

Re: Building ISP's Network?

by in General Topics
‎01-06-2013 02:54 PM
1 Kudo
‎01-06-2013 02:54 PM
1 Kudo
I would setup a L3-interface on the PA using the link-net ip/range towards the ISP. Then decide on how you want to use the /26 (64 ips) you got from your ISP. For example divide this into 16 x /30's (or 8 x /30's + 4 x /29's) so you use one zone per type of server as various DMZ interfaces. ... View more

Re: Allow traffic to specific URL - Best practices

by in General Topics
‎01-06-2013 02:48 PM
‎01-06-2013 02:48 PM
I think the problem is that this rule is "appid:any, service:any" which gives that the url category stuff is only valid for web-based appids. Meaning if oracle and other non-web-based flows arrives they wont be checked for the url category. The proper setup of this rule should be: appid:web-browsing service:application-default (or if possible set it manually to TCP80 or whatever proto/port this server uses) url-category: allow only "www.adpweb.com.br". ... View more

Re: Static nat commit warning valid...?

by in General Topics
‎01-06-2013 02:42 PM
‎01-06-2013 02:42 PM
If im not mistaken the NAT rules are session based. Meaning "host2, snat to x.x.x.x" wont collide with "x.x.x.x dnat to host1". The good side (at least IMHO) of doing this manually for each direction is that it will be more visible whats actually going on. If you use bi-directional it will depend on in which order you wrote the nat-rules because: 1) host1, snat to x.x.x.x, bi-directional 2) host2, snat to x.x.x.x, bi-directional wont be the same result as 1) host2, snat to x.x.x.x, bi-directional 2) host1, snat to x.x.x.x, bi-directional because the above case can be extracted into: 1) host2, snat to x.x.x.x 1.5) x.x.x.x dnat to host2 (hidden) 2) host1, snat to x.x.x.x 2.5) x.x.x.x dnat to host1 (hidden) and since PA is top-down first-match any new sessions setup towards x.x.x.x will always be forwarded to host2 (until some admin some day unchecks the bidirectional checkbox and suddently host1 gets all incoming traffic (if there is a security policy that allows that). ... View more

Re: HA Active/Passive Management Design

by in General Topics
‎01-06-2013 01:41 PM
‎01-06-2013 01:41 PM
You mean ? It works for me so I guess it should work for you aswell to access that url? ... View more

Re: UDP Packet size

by in General Topics
‎01-06-2013 01:25 PM
‎01-06-2013 01:25 PM
In Device -> Setup -> Session you can also for some models enable "Jumbo Frame" and there select a jumbo frame size (MTU) of up to 9192 bytes (I guess this number is a MTU=9000 with addition of all sorts of headers the packet might have like 802.1Q and so on). ... View more

Re: Apps & Threat update link not visible

by in General Topics
‎01-06-2013 01:18 PM
‎01-06-2013 01:18 PM
Is it there if you rightclick and choose "view source"? ... View more

Re: SSH interception and server rekey

by in General Topics
‎01-06-2013 01:15 PM
2 Kudos
‎01-06-2013 01:15 PM
2 Kudos
Sound like a perfect example of when you should create a support case 🙂 ... View more

Re: HA and stateless connections...

by in General Topics
‎12-23-2012 06:39 AM
‎12-23-2012 06:39 AM
Generally speaking I think its UDP (but not all) based traffic and stuff that uses ICMP. For example even if UDP strictly speaking is stateless the layer7 applications using UDP can still contain various states like when using VoIP, TFTP, DNS etc. I mean a DNS reply shouldnt be the first packet between two hosts on specific ports, first there should have been a DNS request. ... View more

Re: HA and Device Priority

by in General Topics
‎12-23-2012 05:43 AM
1 Kudo
‎12-23-2012 05:43 AM
1 Kudo
A couple of reasons I can think of: 1) Misconfiguration due to lack of knowledge? 2) Misconfiguration due to lack of reading the manual? 3) Copy-paste monster (you copy the config of one device to make it equal on another and woops, forgets to change the prioritys). ... View more

Re: allowing MS product activation and denying web access

by in General Topics
‎12-18-2012 01:33 AM
1 Kudo
‎12-18-2012 01:33 AM
1 Kudo
There is a list available at: http://support.microsoft.com/kb/921471 one url not mentioned there seems to be: wpa.one.microsoft.com:80 dunno if the above wpa url is still valid as part of the activation or not. I guess the best would be if you could setup a local auth server for this and then just allow this particular server to reach microsoft's domains. ... View more
Register or Sign-in
Contact Me
Latest Tags
No tags yet
Likes Given To
View All
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks