About mikand

Do you have ssl-termination turned on? Perhaps you need to "whitelist" the win8 appstore stuff the same way as with windowsupdate? ... View more

What if you add "all" in the end? show user ip-user-mapping all edit: Uhh, was already answered 🙂 How come one cant select vsys within the command itself, would be (at least for me) more obvious that way (like vsys <name> | all ) ... View more

You can in the ACC filter based on userid. Userid can be obtained by several methods depending on how your environment is setup: - TS-agent (citrix and such) - PAN-agent (AD, Novell eDirectory and such) - Captive portal (if no automated method is available) Check out the Knowledge Base (click on Home in the upper left in this forum and then the Knowledge Base link to the left) for more info on userid. Regarding QoS you can setup QoS profiles based on source user and/or appid. For example if you want to throttle a specific user or a specific user using youtube (or for that matter youtube no matter which user it is): QoS in PAN-OS 4.1 QoS Configuration Example ... View more

Since its not reproducable, could it be that the packet have bad checksum or something? Which with offloading would drop the packet straight away but with offloading disabled would hit the received stage (and then being discarded)? ... View more

Could using google webcache be sufficient for the users? Because if you want them to be able to traverse to the searchresult then you must enable surfing. You could perhaps setup a custom appid that will trigger on http-method: GET, HEAD, POST along with http-referer: ^http://www.google.com/ (or whatever domain google uses in your case). This appid could of course be easily bypassed by the client by sending a custom referer to fool the filter but still... ... View more

Please keep us updated 🙂 To me it sounds like this preauth packet somehow is incorrectly dropped (didnt match any allow policy). If possible, will it be dropped even if you use appid:any and service:any between the two ip addresses? ... View more

Sorry I dont know that, perhaps someone from PA can inform us? 🙂 I just wanted to highlight that mgmtplane and dataplane isnt as "separate" as one might think and that there are dependencies that in some situations (and models) would stop new sessions from being setup until the mgmtplane returns (except for the loss of logging during downtime of mgmtplane). However already setup sessions shouldnt be affected as far as I know (unless you put in some bad security policy and must revert). ... View more

Sounds like a FUD race from a competitor which doesnt like the competition from PA 🙂 Here is the response I got from "my" SE regarding a similar statement and the defcon 19 video presented by a Juniper guy: " Hi Folks, It is unfortunate that i need to send this out but i have received several questions form partners and customers now to comment on some of the messaging seen from Juniper on Application firewalling and its short comings, and we feel that we need to point out some things in the messaging that are not quite correct when applied to our technology. Otherwise we love that everyone is discussin nextgen firewalls to build the market. I provide this so you can provide your customers with good information, it also gives you a good summary on how AppID actually handles special and unusual cases. Let us know if you have any followup questions. Claim: Application firewalling does not replace the need for IPS. Absolutely true. There is no question that IPS technology is a requirement. App-ID is not intended to replace IPS or even reduce the need for it. This is the reason we have invested in building a best-in-class IPS functionality into the device. This is also why IPS is a critical piece of the next-gen firewall requirements. Claim: Application cache causes traffic to be misidentified. Not true. App-ID cache delivers performance gains without sacrificing accuracy. Application and protocol decoders validate the traffic on sessions identified using the cache, and if the validation checks fail, the cache entry is removed. The session is then switched out of the decoder and identified as unknown. Also, at short periodic intervals, new sessions are inspected by the App-ID engine regardless of the cache hit. This handles cases where the destination/port may have been reused for a different application server. We repeated the test described in their claim by populating the App-ID cache with an entry for web-browsing by sending multiple HTTP sessions on the same destination/port. The SMTP traffic in a following session on the same destination/port causes a cache hit, is inspected by the HTTP decoder, fails validation checks, is switched out of the decoder, and reported as unknown. The cache entry is invalidated as part of this and the next SMTP session will be identified as SMTP. Claim: Does not inspect both Client-to-server and Server-to-client directions of traffic. Not true. Traffic is inspected in both directions. We repeated the test described in their claim, sending an HTTP GET request followed by a FTP server response on the same session. The session is initially identified as web-browsing but switches to unknown-tcp when inspecting the FTP server response, since the traffic is neither HTTP nor FTP. Claim: Can evade Application firewall using client-server collusion by starting the connection as a permitted application and switching to another. Not a genuine or valid test. The scheme devised in the test assumes both the client and server are already under the control of the attacker. We don¹t know of any real-world clients or servers that can talk HTTP initially and then switch to SMTP. In any case, App-ID has coverage for many evasive real-world tunneling applications and we continue to add coverage for more as we discover them. Claim: Some applications can only be identified on specific ports. Partially true. The application example given was DNS. The identification scheme for DNS includes a check for port 53 since we don¹t expect any real world DNS service to be running on any other port and since DNS traffic is often very short and difficult to reliably identify by signature alone. Non-DNS traffic sent to port 53, will be validated in the DNS decoder to ensure it is really DNS. If the validation checks fail, the session is switched out of the DNS decoder and identified as unknown. Claim: Does not inspect traffic at Layer 7 when the Application can¹t be identified. Partially true. Traffic that does not match any of the applications that we have coverage for will be reported as unknown and eventually stop being scanned for threats. The best practice for dealing with unknown traffic is to deny it in security policy. Customers using an application that we don¹t currently have coverage for, can submit a request for adding coverage for it in one of our weekly content updates, or create a custom App-ID on their own. Allowing unknown applications is a risk that other firewalls or IPS products cannot prevent. " In my opinion you cant entirely rely on appid - simply because appid triggers on various behaviour and strings like a signature (which is also why appid's are updated every now and then), thats why I recommend people to never use service:any in an allow rule but at least use service:application-default unless you can specify which port(s) you want to use like service:TCP443. Meaning when you build your security rules you start to configure the PA as a regular SPI firewall (srcip, dstip, srcport, dstport), THEN you enable appid for each security rule (where needed) and perhaps userid and urlcategories (and AV, IPS, File etc) and so on. In reality you do this line by line but to explain the flow of how (at least I :P) thinks when I setup rules in a PA. In order to see how application identification works in real life you can use this simple test: Setup a rule which will allow "appid:web-browsing" (basically any HTTP based traffic) along with "service:any" (yeah I know I said you should NEVER EVER use service:any in an allow rule but this is just an example 🙂 along with a http server who listens at TCP81. When the client sends a request such as "a b c" (instead of "GET / HTTP/1.0" which is more like a true HTTP request) the packet is allowed through to the server. Not until the server replies with "HTTP ERROR 400/Bad Request" the AppID engine will know that this flow/session is supposed to be a HTTP communication but "a" is not a valid HTTP request and the response will never reach the client. Workaround for above (if you dont want the request to hit the server) is to deny "appid:unknown" but also create a custom AppID (application signature) or ThreatID (IPS signature) which demands that the "HTTP-Request-Method" should be HEAD, GET or POST (or which HTTP request methods you wish to allow). Another method (along with previously mentioned methods) is to use "service:application-default" or if possible "service:TCP80" (given that your server normally would listen to TPC80 and the stuff at TCP81 was some other service). You can also put a proxybased firewall inline with the NGFW device to further inspect the contents of the traffic (depends of course on how the proxyfirewall is being setup but still). There are some options which in combination can be a sufficient "workaround" to handle this testcase security wise. ... View more

Filtering on dstip just wont work because Google uses shitloads of ip addresses. Setup a custom url category which contains (for example) www.google.com (you might need to add a few other domains/subdomains/urls aswell) and enable ssl termination (so you can inspect encrypted https flows). 1) Then as first rule you deny stuff from Google which you dont wish to allow, such as Google Translate etc which can be used as proxy. 2) Then as second rule you allow by use the above custom url category along with appid for google search (if such exists). You could also create a custom appid for this. Dont forget to set service to application-default (or manually to TCP80, TCP443). ... View more

Could you perform a portmirror on the interface the client is connected to in order to find out whats actually happening at the client side (or install tcpdump directly on the client, dont forget the -s0 flag)? The ssl termination wont alter the files being transmitted as I know so I would guess the error is due to the client is trying to grab something over https but the PA will ssl terminate the https session and then the windows box gets sad because of this... ... View more

Appfilters is to create a custom "group" based on category, subcategory, risk or some other column. When you setup an application group you add each appid you want into this group. Also note that a flow can (today) only have a single appid. Which gives that if you have security policies to allow traffic you will only need a "deny+log" as last rule to keep this tidy. You could however use appfilter in combination with appgroup. Such as: rule1) Deny appgroup(youtube) rule2) Allow appfilter(category:video) this would allow all flows identified as "video" except youtube (which is part of video). Generally speaking when denying traffic the policy should be as broad as possible while allow traffic the policy should be as narrow as possible. As a sidenote I would recommend you to avoid using "service:any" but rather "service:default-application" to not open up more ports than necessary. Because appid detection might in some situations take a few packets before the flow is properly identified. ... View more

The FQDN in an address object (instead of IP address) will be resolved into an ip address during commit (and then refreshed every 20 minutes or so). I would recommend you to avoid using FQDN in your address objects and instead redesign your network so your lab-pc's is on the same (or a few) /24 networks (or how large you need) and then set the security policy based on iprange. Perhaps in combination with userid (either through pan-agent or by captive portal). ... View more

Not entirely true. On 2000-series the SSL MITM cert is being issued by the mgmtplane. Also userid stuff goes through the mgmtplane which gives that if mgmtplane is busy or offline (reboot mgmtplane) and the ip isnt already cached in the dataplane regarding userid then userid based security policies will never trigger until the mgmtplane returns. ... View more

I have noticed the same behaviour on 2050 and older PANOS (pre 4.1). Sometimes the bad packet was let through with a following rst which depending on browser could mean that the browser would render whatever it got so far (internet explorer did this of course 😃 Also you should verify so you have ssl termination activated otherwise the https downloads will bypass your PA's AV/IPS functions. ... View more

Enable ssl termination in the PA should handle this. Without ssl termination the PA can only look at the public info of the cert (CN and stuff) which the site sends to the client in order to guess which site this is. Perhaps your apple boxes uses TLS1.1 or newer which I think isnt (yet) compatible with PA ability to inspect the flow. ... View more