This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

About mikand

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
mikand
since ‎03-30-2010
L6 Presenter
User Activity
User Profile
Latest posts by mikand
View All
User Badges
Community Statistics
Member Since ‎03-30-2010 08:39 AM
Date Last Visited
Posts 1,446
Total Likes Received 496

Re: URL FILTER QUESTION

by in General Topics
‎10-04-2012 10:52 AM
‎10-04-2012 10:52 AM
Just guessing but could it be because you wrote it as "play.typeracer.com/*" instead of just "play.typeracer.com" ? ... View more

Re: POC Plan

by in General Topics
‎10-04-2012 02:49 AM
‎10-04-2012 02:49 AM
Perhaps Fortinet can do this today - not when I evaluated them autumn 2009 and explictly asked them about their scanning capabilities. And according to your reply it seems that they still have issues regarding this (not able to scan zip files? they could do this back in 2009 - or is this an option if you want streambased or bufferbased today?). Anyway this was to point out that it isnt as simple as "Antivirus? Yes!" because it drills down to how the antivirus scanning is being performed and which limits it might offer based on which major technology is being used (streamed vs buffered). Also I dont get your lines in the "PA benefit over Fortinet and Sonicwall", do you mean that the PA doesnt provide user feedback (because they do but of course it depends on which protocol is being used) or do you mean that Fortinet and Sonicwall doesnt provide user feedback? 🙂 ... View more

Re: Could PA show the email content/mail body?

by in General Topics
‎10-04-2012 01:20 AM
1 Kudo
‎10-04-2012 01:20 AM
1 Kudo
I doubt it can do this today because PA doesnt buffer emails and such. When dealing with DLP you act on a stream but each packet is (often) not more than 1500 bytes. So when the DLP triggers most likely only the packet (or few packets before that) are still in the memory and can be dumped to the log. Personally I would combine DLP with proxyservers to achive what you want. In your case a MTA such as Ironport (or whatever you like) placed in DMZ. For example a setup like: 1) Traffic inside -> DMZ, alert DLP. 2) DMZ-server, take full dump when signatures triggers. 3) Traffic DMZ -> outside, block DLP. There is a pcap feature you can attach to signatures (which might help you identify a specific email) but the built in pcap will only save first 100 bytes of each packet (if im not mistaken) and also you might end up in situations where the mailheader is long gone when the DLP triggers. Like assume someone sends a 25MB email and the DLP signature triggers at the last packet (the last packet had the keyword you were searching for) - then only the last few kilobytes will be in the pcap file (and not the whole 25MB unless something changed recently). Also by hotmail do you mean someone using IMAP/SMTP/POP3 or using webbrowser? Otherwise if its IMAP/SMTP/POP3 I can agree with you it would be a nice feature if the PA could log the mailheader (optional) when creating for example a DLP signature acting on mailtraffic. ... View more

Re: POC Plan

by in General Topics
‎10-04-2012 01:06 AM
1 Kudo
‎10-04-2012 01:06 AM
1 Kudo
Or by plan do you mean things to test which the PA can do and the others might fail at? I hope your sales engineer should be able to give you such a list. There is a (by now somewhat old) document crated by PA in response to Checkpoints various claims of what PA does or do not. This doc will give you some hints on what to verify which at least Checkpoint cannot handle. There is also the "techbusters" episodes which might bring you some ideas: http://media.paloaltonetworks.com/documents/TechBusters-Episode-1.pdf http://media.paloaltonetworks.com/documents/TechBusters-Episode-2.pdf http://media.paloaltonetworks.com/documents/TechBusters-Episode-3.pdf http://media.paloaltonetworks.com/documents/TechBusters-Episode-4.pdf http://media.paloaltonetworks.com/documents/TechBusters-Episode-5.pdf Palo Alto Networks — TechBusters: Check Point Myths Busted! I dont know how Sonicwall handles this but I know that Fortinet, at least previously, could only do buffered antivirus scanning. Meaning the whole file must be downloaded first before the scan can proceed. This also meant that various models hade various limits on how large files (and how many concurrent large files) they could scan. PA uses streambased scanning which means virtually no upper limit on how large the files which will be scanned can be - but on the other hand not all fileformats can be scanned this way. Edit: I forgot about Wildfire. Hopefully in future Wildfire will be available as a local installation (so your sensitive stuff isnt sent to the cloud on internet (currently Amazon) but stays in your datacenter) and by that Wildfire will hopefully be able to deal with antivirusscanning aswell (and not only analyze runnable code). Another hope is when or if PA will support ICAP because then you can get one (or two) ICAP servers running your choice of antivirus (no matter if its Kaspersky or something else) and by that cover the buffer based scanning. ... View more

Re: Is there a way to automate reporting of "auth-fail" system log messages?

by in General Topics
‎10-04-2012 12:57 AM
‎10-04-2012 12:57 AM
Speaking of auth-fail (and auth-success), is it me or doesnt PA log which account name was fail/success along with client ip who attempted this? I have already filed this to my support (among some other CEF related questions) but I was thinking if someone in here already have been digging into this? ... View more

Re: How to detect DNS TXT messages

by in General Topics
‎10-03-2012 01:43 AM
‎10-03-2012 01:43 AM
However you should be able to contact local support (the company you bought the PA stuff from) or your sales engineer at PA to get assisted. ... View more

Re: How to detect DNS TXT messages

by in General Topics
‎10-03-2012 12:53 AM
‎10-03-2012 12:53 AM
I think Parth meant since there is a signature regarding DNS TXT you should be able to create a custom one aswell. ... View more

Re: Cannot create rules based on users

by in General Topics
‎10-03-2012 12:30 AM
1 Kudo
‎10-03-2012 12:30 AM
1 Kudo
You need to setup the LDAP aswell for the configuration to be able to see which users and groups you have. ... View more

Re: Virtual Routers

by in General Topics
‎10-02-2012 10:55 PM
1 Kudo
‎10-02-2012 10:55 PM
1 Kudo
Unless I missunderstood something here is the topology: Your public network: 71.100.100.192/27 Your linknet: 71.100.100.48/30 (your ip:71.100.100.50, your ISP ip: 71.100.100.49) Since your ISP have 71.100.100.192/27 nexthop 71.100.100.50 you setup a layer3 interface on your PA which have: zone: untrusted 71.100.100.50 255.255.255.252 default gw: 71.100.100.49 Then you just either place the whole 71.100.100.192/27 in zone dmz or you divide it into chunks (or for that matter use a RFC1918 range in your DMZ and NAT all traffic going to your dmz and trust zone). Option1: zone: untrusted 71.100.100.50 255.255.255.252 default gw: 71.100.100.49 zone: dmz 71.100.100.193 255.255.255.224 zone: trusted 172.20.1.1 255.255.255.0 (dont know how large subnet you got, just an example) Range use for NAT (like SNAT trusted -> untrusted): 71.100.100.50/32 Option2: zone: untrusted 71.100.100.50 255.255.255.252 default gw: 71.100.100.49 zone: dmz 71.100.100.193 255.255.255.240 (I cut the previous range in half, first half goes to dmz and second goes for nat) zone: trusted 172.20.1.1 255.255.255.0 (dont know how large subnet you got, just an example) Range use for NAT (like SNAT trusted -> untrusted): 71.100.100.208/28 Option3: zone: untrusted 71.100.100.50 255.255.255.252 default gw: 71.100.100.49 zone: dmz 10.0.0.1 255.255.255.0 (using a RFC1918 range of choice, /24 in this example) zone: trusted 172.20.1.1 255.255.255.0 (dont know how large subnet you got, just an example) Range use for NAT (like SNAT trusted -> untrusted): 71.100.100.192/27 ... View more

Difference between gtalk and google-talk?

by in General Topics
‎10-02-2012 09:19 PM
‎10-02-2012 09:19 PM
In todays content update one can read: " Modified Decoders (6)       Name       gtalk-p2p       ipsec-esp-udp       jabber       ssl       google-talk       oracle " How come gtalk-p2p isnt named google-talk-p2p or is gtalk something else? Yeah I know this is a decoder which is not browsable (and therefor not found in Application Research Center ) but still... ... View more
Labels:

Re: Aggregate Ethernet interface: LACP and PaGP support

by in General Topics
‎10-02-2012 03:12 AM
1 Kudo
‎10-02-2012 03:12 AM
1 Kudo
I guess I can answer 2 above for myself :smileysilly: https://live.paloaltonetworks.com/docs/DOC-3594 " Sessions originating from the firewall will be sent through the links using a round-robin method. " So far so good, like src-dst-port if compare to cisco. " Device sending traffic to the firewall via the aggregated link also needs to be configured for load balancing. " Now what? Will the PA drop the traffic if the packet is sent on int1 PA->switch but the reply arrives at int2 switch->PA? This also mean that if using cisco one MUST configure it to use src-dst-port as loadbalance method where the default src-dst-mac wont work at all (given that the PA will drop packets that returns at a different interface than it was sent on given that both interfaces are part of the same aggregated interface)? ... View more

Re: Aggregate Ethernet interface: LACP and PaGP support

by in General Topics
‎10-02-2012 03:09 AM
1 Kudo
‎10-02-2012 03:09 AM
1 Kudo
1) Also even if PA link aggregation is static, how does this blend with equipment that doesnt understand link aggregation? Will there be a loop or is PA using TLB (transmission load balancing)? 2) As followup for above question, how does PA deal with when the switch can loadbalance on src-dst-ip (which a cisco can be put into with "port-channel load-balance src-dst-ip", or for that matter src-dst-port)? Meaning packet PA -> switch goes over one physical link while switch -> PA goes over a different physical link (but part of the same aggregated interface in the PA configuration). Or for that matter, how does the PA "loadbalance" between the physical interfaces which are part of the aggregated interface? 3) Speaking of link aggregation a far worse "feature" is that aggregated interfaces currently doesnt support QoS in PA. So if you need QoS and aggregated interfaces at the same time (like for performance reasons) then you are screwed... The good part is that (according to latest info from my sales engineer so this might change in future) this is said to be fixed hopefully in PANOS 5.1 - the bad part is that 5.1 is currently estimated not sooner than summer 2013... ... View more

Using variable for PANOS version when using CEF (Arcsight)?

by in General Topics
‎10-02-2012 12:20 AM
‎10-02-2012 12:20 AM
According to https://live.paloaltonetworks.com/docs/DOC-2835 the (current) certified formats for use with CEF is: Traffic CEF:0|Palo Alto Networks|PAN-OS|4.1.0|$subtype|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action flexNumber1Label=Total bytes flexNumber1=$bytes in=$bytes_sent out=$bytes_received cn2Label=Packets cn2=$packets PanOSPacketsReceived=$pkts_received PanOSPacketsSent=$pkts_sent start=$cef-formatted-time_generated cn3Label=Elapsed time in seconds cn3=$elapsed cs2Label=URL Category cs2=$category externalId=$seqno Threat CEF:0|Palo Alto Networks|PAN-OS|4.1.0|$subtype $threatid|$type|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action msg=$misc cs2Label=URL Category cs2=$category flexString2Label=Direction flexString2=$direction externalId=$seqno requestContext=$contenttype Config CEF:0|Palo Alto Networks|PAN-OS|4.1.0|$subtype $result|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial dvchost=$host cs3Label=Virtual System cs3=$vsys act=$cmd duser=$admin destinationServiceName=$client msg=$path externalId=$seqno System CEF:0|Palo Alto Networks|PAN-OS|4.1.0|$subtype $eventid|$type $eventid|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial cs3Label=Virtual System cs3=$vsys fname=$object flexString2Label=Module flexString2=$module msg=$fmt externalId=$seqno HIP Match CEF:0|Palo Alto Networks|PAN-OS|4.1.0|$subtype $hip|$type $hiptype|1|rt=$cef-formatted-receive_time deviceExternalId=$serial suser=$srcuser cs3Label=Virtual System cs3=$vsys shost=$machinename src=$src cnt=$repeatcnt externalId=$seqno A drawback with the above is that the software version field is hardcoded into 4.1.0. Which means that each time the PANOS is updated the technician must update the CEF strings (which will most likely fail once in a while). Is there a reason for why there is no $version available or is it possible that such can show up if I file this as a feature request towards my sales engineer (or did I just miss which variable to use)? ... View more
Labels:

Re: Renaming a VSYS

by in General Topics
‎10-01-2012 01:10 PM
1 Kudo
‎10-01-2012 01:10 PM
1 Kudo
"What could possibly go wrong" - famous last words? 😉 Personally I would do this in a service window along with taking an offline backup of running-config.xml before the change... JUST IN CASE Better safe than sorry... ... View more

Re: Decryption

by in General Topics
‎10-01-2012 12:45 PM
‎10-01-2012 12:45 PM
Didnt some appid's look in the CN part of the certs being used (or was it the url-filtering that did this?) so the PA could somewhat inspect ssl traffic even if there is no ssl termination (decryption) setup? ... View more
Register or Sign-in
Contact Me
Latest Tags
No tags yet
Likes Given To
View All
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks