About mikand

Doesnt seem like that, not according to the PAN-OS_4.1_CLI_Reference_Guide.pdf Hopefully some SE could step in here and give a hint if this is taken care of in the PANOS 5.0 which is released shortly? ... View more

That sounds odd because what you do in the GUI as ruleset will be compiled and optimized by the mgmtplane before loaded into the dataplane when you click commit. What matters is that the execution is top-down first-match so for some reason your icmp echo request didnt match all columns. Verify that you use the proper srczone and dstzone as a start. As a troubleshoot (if possible) you can make this rule wider and then step by step narrow it down. For example start by just: srczone: X dstzone: Y appid: ping options: log on session start, log on session end then send a ping from a host in srczone to a host in dstzone and watch the trafficlog. If this matched then add srcip/dstip to your config like so: srczone: X srcip: xrange/xcidr dstzone: Y dstip: yrange/ycidr appid: ping options: log on session start, log on session end and redo the test until you have added all options needed (IPS, AV etc). Other things to verify is that you have the routing properly setup, not only on the srczone side including the PA itself but also at the dstzone so the response will be sent the proper way in return. You can also login to the PA device with ssh/cli and run the test-command to virtually construct a packet and see which rule will be hit (page 449 in PAN-OS_4.1_CLI_Reference_Guide.pdf) before you start with the manual troubleshooting of altering the ruleset above. ... View more

In order to troubleshoot one can setup the srczone/srcip/dstzone/dstip/service (which are proto/port) and then set appid to any. This should display in the traffic log how the PA identifies this traffic when you search for dstip/port, use then this appid (if it looks legit) as allowed appid for this particular rule (replace the appid:any to appid:whateverappidwasfound). Regarding Symantec NetBackup isnt "backup-exec" (which exists as appid) close to the same thing? ... View more

Another situation can be that userX is logged in but needs assistence from the support. Support logins using RDP (through SCOM or such) as userY to remotely assist userX. Now userY is the latest logged in to this device and suddently userX lost all its credentials in the network until the userX relogins. Or is this handled some way today (because one ip can only have one user if im not mistaken in the userid-db)? ... View more

Look in service route configuration so no mgmt services still try to use the mgmt interface instead of whichever dataplane interface you use instead.. The point of using a dedicated management interface is to be able to use out of band management, like if you have a dedicated mgmt-network. Also in case dataplane crashes then the mgmtplane will still function. ... View more

I belive this is valid because its these methods that malware will use to break out of the internal network in order to phone home various of stuff it can get its hand on. Compromised client: checked (usually its a matter of "when" not "if"). Compromised server: checked (just look at all botnets where most uses compromised servers to act as C&C). and suddently we have a situation where both the client AND the server is compromised and can run whatever protocol they wish (specially when you take networks such as the internet into account). ... View more

That depends on which devices are being used (PA-200 will not be able to log as many rows as PA-5060) and also what you are logging (for example if you disable logging of rows which allow web-browsing or such). I think I saw on this forum someone doing a PoC where a PA-4020 was involved and that device (if I remember correctly) started to get on its knees in the mgmtplane when it had to deal with 7000 logentries/sec. So if we take that number and assume worst case that each logentry takes a full 1500 bytes packet then you would need up to (roughly): 7000 * 1500 * 8 = 84 000 000 bit/s. Also im not sure if Panorama can "tail" the logs of a PA or if it will miss logs if there are not enough bandwidth (because with tailing you will just get latency when you watch the logs in panorama and the bandwidth between Panorama and PA hit the roof). ... View more

Im a bit uncomfortible with signatures disappearing due to the application or threat being obsolete. I totally agree if the signature is removed because it misfires (false-positives) or is taken care of by another signature (then perhaps the release notes should inform about this?) but I think its wrong when signatures are removed just because the threat might no longer be an issue. I mean one of the points of using an IPS is to protect devices which cannot protect themselfs - otherwise we wont need IPS capabilities in the network. Specially on the appliance side there are many devices which for one or another reason just cannot be updated to the latest version of the operating system or other softwares being runned on them. ... View more

Thats the proper way of handling this (create custom appid). As a workaround you can also use application override and instruct PA that traffic from srcip/range to dstip/range on a specific port lets say TCP80 should be identified as "web-browsing" instead of unknown or whatever. ... View more

A guess is so it wont turn into a loop and export the same log all the time (or for that matter if the export fails it should retry with the same startpoint). Like a pointer so it knows from where the next export should start from? ... View more

The problem is to trigger the bully vs. victim part - what is a bully text or for that matter which text will someone identify as being a victim? Just because someone in a message writes "you are an idiot" doesnt necessary means that bullying is in progress. In this case the full sentence is perhaps "Mr X said to Mr Y: -you are an idiot, sir!" which I think most people wouldnt recognise as being bully. But with that being said I think you should be able to use the DLP feature in PA set to alert mode. Create signatures which acts on facebook-chat and the other appid's you are interrested in and then create a db of words/sentences to search for. Given that you use SSL-termination in your PA and the traffic isnt encoded in some odd way you should be able to get a report from the above (with a HUGE disclaimer that this report only acts on words/sentences alone and not the meaning of words/senctences). ... View more

Im a bit curious about "2.  The vulnerability does not exist anymore"... Is PA thinking that there shouldnt be old clients out there or that the attack itself is no longer available like through metasploit etc? ... View more

So one cant use SSL-decryption for itunes and appstore traffic? Other than that I think the url-filtering will also take a look at the CN part of the cert being used so even if it cannot decrypt the traffic (like the case of windows update) it can still (sort of) figure out the url being used. ... View more