About mikand

I can only agree with you - importing a current configuration should be a nobrainer for a mgmttool such as the Panorama. *keeps fingers crossed that this will arrive in Panorama 6.0* ... View more

Well first of all, did you really verify that this actually was a false positive? If so you could save a recording of the traffic and send to PA so they could update this threatid. Besides this there is little you can do if you encounter a false positive, either you let this id be active (and analyze each alarm) or you disable this id. Note that you can choose to disable this id either globally or for a specific flow - in your case if you just want to ignore this alarm you can set it to "allow" for the particular flow (so in case this shows up on some of your other webservers you will still get an alarm). Also the action can be allow, block or alert. Allow is pretty obvious, block means drop the session AND log while alert means allow the session AND log (while allow means no logging at all). ... View more

Does the builtin DHCP in PA support logging of option82 information? Because then the log in PA would be complete with information on where the client is physically connected to the network (given that you in your access-switches also use ip-source verify and such to block spoofing clients). ... View more

Depends on what you mean by your question. With a regular threat-license the threat-db is updated once a day on weekdays (that is no updates on weekends or holidays). This threat-db also contains the findings through wildfire but are delayed 24-48 hours. Because thats what you basically pay for with the wildfire license - the ability to faster get the findings (once an hours instead of once a day with a delay of 24-48 hours). ... View more

Would still be nice if one could at least have view capabilities into those threads even if you are not participating in the beta. ... View more

Looks like this has been overseen by PA and you should contact your SE to get this fixed (most likely through a feature request). The CLI docs for ping says: > bypass-routing — Sends the ping request directly to the host on a direct attached network, bypassing usual routing table > count — Specifies the number of ping requests to be sent (1-2,000,000,000) > do-not-fragment — Prevents packet fragmentation by use of the do-not-fragment bit in the packet’s IP header > inet6 — Specifies that the ping packets will use IP version 6 > interval — Specifies how often the ping packets are sent (0 to 2000000000 seconds) > no-resolve — Provides IP address only without resolving to hostnames > pattern — Specifies a custom string to include in the ping request (you can specify up to 12 padding bytes to fill out the packet that is sent as an aid in diagnosing data-dependent problems) > size — Specifies the size of the ping packets (0-65468 bytes) > source — Specifies the source IP address for the ping command > tos — Specifies the type of service (TOS) treatment for the packets by way of the TOS bit for the IP header in the ping packet (1-255) > ttl — Specifies the time-to-live (TTL) value for the ping packet (IPv6 hop-limit value) (0-255 hops) > verbose — Requests complete details of the ping request. * host — Specifies the host name or IP address of the remote host ... View more

Why on earth is "Show all signatures" disabled by default? ... View more

So any news yet on PA-7000, PANOS 6.0, Panorama 6.0, Wildfire able to inspect dll, ms office, pdf and java files incl android stuff and other wishful thinking? 🙂 ... View more

Cant you do this today? I mean create a security rule last that will match if none of the known good categories has been hit - this will use a continue page to inform your client that the page they are visiting is not yet indexed by your url-category engine and the user should be careful with which files are being downloaded or what info is being written in any input boxes and so on? ... View more

To summarize my findings regarding EDNS: If you are using BIND then add one of these values to your BIND config: max-udp-size 1460; edns-udp-size 1460; or max-udp-size 1280; edns-udp-size 1280; whatever floats your boat. According to http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/ddns.html one could say that: - Old standard: max 512 bytes for UDP (DNS). - New standard: max 4096 bytes for UDP (DNS). - Microsoft standard: max 1280 bytes for UDP (DNS). where 1280 seems to be connected to that 1280 is the smallest allowed MTU for IPv6 networks. References: http://tools.ietf.org/html/draft-andrews-dnsext-udp-fragmentation-01 " If the IPv6 stack does not support IPV6_USE_MIN_MTU, then steps should be taken to prevent PMTUD occuring.  These include, but are not limited to, setting the MTU of the interface the packets are being sent over to the minimum IPv6 MTU (1280 bytes), or restricing DNS/UDP packets to no more than 1280 bytes including IPv6 headers. " http://www.ietf.org/rfc/rfc2671.txt " 4.5.1. Note that a 512-octet UDP payload requires a 576-octet IP reassembly buffer.  Choosing 1280 on an Ethernet connected requestor would be reasonable.  The consequence of choosing too large a value may be an ICMP message from an intermediate gateway, or even a silent drop of the response message. " http://tools.ietf.org/html/draft-ietf-dnsind-udp-size-02 " 1280 bytes of DNS data is chosen as the new default to provide a generous allowance for IP headers and still be within the highly prevalent approximately Ethernet size or larger MTU and buffering generally available today. An IPv6 server should enable fragmentation on UDP replies.  While fragmentation will not be frequent if the above guidelines are followed, it may occur on occasion. In principle, IPv6 headers and options could be huge, resulting in a very large UDP packet even though the DNS payload is limited, but this should not occur in practice. " Way to test if you are affected of any EDNS bugs in your infrastructure: >dig +short rs.dns-oarc.net txt and then check the logs of your firewalls etc. ... View more

To summarize my findings regarding EDNS: If you are using BIND then add one of these values to your BIND config: max-udp-size 1460; edns-udp-size 1460; or max-udp-size 1280; edns-udp-size 1280; whatever floats your boat. According to http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/ddns.html one could say that: - Old standard: max 512 bytes for UDP (DNS). - New standard: max 4096 bytes for UDP (DNS). - Microsoft standard: max 1280 bytes for UDP (DNS). where 1280 seems to be connected to that 1280 is the smallest allowed MTU for IPv6 networks. References: http://tools.ietf.org/html/draft-andrews-dnsext-udp-fragmentation-01 " If the IPv6 stack does not support IPV6_USE_MIN_MTU, then steps should be taken to prevent PMTUD occuring.  These include, but are not limited to, setting the MTU of the interface the packets are being sent over to the minimum IPv6 MTU (1280 bytes), or restricing DNS/UDP packets to no more than 1280 bytes including IPv6 headers. " http://www.ietf.org/rfc/rfc2671.txt " 4.5.1. Note that a 512-octet UDP payload requires a 576-octet IP reassembly buffer.  Choosing 1280 on an Ethernet connected requestor would be reasonable.  The consequence of choosing too large a value may be an ICMP message from an intermediate gateway, or even a silent drop of the response message. " http://tools.ietf.org/html/draft-ietf-dnsind-udp-size-02 " 1280 bytes of DNS data is chosen as the new default to provide a generous allowance for IP headers and still be within the highly prevalent approximately Ethernet size or larger MTU and buffering generally available today. An IPv6 server should enable fragmentation on UDP replies.  While fragmentation will not be frequent if the above guidelines are followed, it may occur on occasion. In principle, IPv6 headers and options could be huge, resulting in a very large UDP packet even though the DNS payload is limited, but this should not occur in practice. " Way to test if you are affected of any EDNS bugs in your infrastructure: >dig +short rs.dns-oarc.net txt and then check the logs of your firewalls etc. ... View more

Sounds like a great idea to fire as a feature request through your local SE. That is to add a report type that can compare with previous report and only display the differences. This way you could for example start with the regular report on monday (along with a difference report comparing with previous monday) and then just check the difference report the other days of that week (comparing with monday from the same week) as an example. ... View more

Does "I have a pending chat with my coworker" actually mean that you will yell at your coworker? :smileysilly: ... View more

Note however that this mean that all dropbox traffic will bypass without being inspected nor logged which will introduce a huge security hole in your infrastructure. If im not mistaken you could use the webclient instead (that is through webbrowser) and having your PA device inspecting the traffic securely (including threats, DLP, logging etc). ... View more