About mikand

Just to verify that you by "security profiles" doesnt mean "security rules"? ... View more

Please send me a PM (or even better put it online in this thread 🙂 in case somebody has already created such IDS signature for PA. That is images containing EXIF data (or more specific containing geolocation EXIF data). ... View more

How much did the box who didnt like to sync to NTP differ from realtime? If im not incorrect the NTP process usually refuse to sync the time if it differes more than 2 hours or something like that. To fix this you must first manually set the clock somewhat close to realtime and then start the NTP process (or make sure that ntpdate is being used during boot to set the clock "hard" before the ntpd client starts). ... View more

A possible workaround might be to use a dedicated set of PA hardware as IDS, for example connected through a passive fibertap (to not interfere with the traffic incase the PA device needs to reboot or loses power). And then in this dedicated PA you setup the monitoring rules along with logging, reports etc. ... View more

Would this be valid for the whole range from PA-200 to PA-5000 or just specific models? Like will PA-2000 and PA-4000 be exluded? ... View more

DHCP Snooping and DCHP Relay is the way to go. And while you are at it check up for the possibility to use private (or at least protected) vlans aswell. Configuring the DHCP features of the switch should also end up with configuring DAI, IP Source Guard and Option82 for traceability. Many switch vendors also have extra logging available to log when a rogue dhcp server is detected in the network (that is when you have already configured dchp snooping and dhcp relay which points out which the valid dhcp servers are). ... View more

In which PANOS did this show up and why isnt the syslog integration document updated with this field if its wellknown within PA? ... View more

Or even better: - Why dont you install Google Chrome? 🙂 ... View more

Of course you should filter these clients aswell but one reason (to use a dedicated firewall for these clients that is) is to avoid a DDoS situation (from an infected client connected to this guest network). ... View more

I wonder if this really is true? Looking at the slides for how packets are being processed by PA the first check is to look at ip and ports. If there are no security rules matching this criteria the packet is imediately dropped. That is if you for example only has a single allow rule "app: web-browsing" with "service: application-default" and application-default for web-browsing would mean (example) TCP80 and TCP8080. Then if a packet arrives to the PA matching this rule (regarding incoming/outgoing zone) this packet will be dropped (assuming your rules is to allow traffic with a last rule to drop anything else) UNLESS the dstport was TCP80 or TCP8080 (in this particular example). That is having a last rule which block and log through "any any deny". Now the 3-way handshake is performed and depending on application PA could drop the first packet AFTER the handshake is performed or it will take a few more packets before PA knows what appid it is (depending on which appid you wish to allow/block). However as your test points out there is a last hidden rule (well rules) that for example will allow intrazone traffic etc. As a best practice I always recommend admins to ALWAYS put a last (manual) rule in order to block (and log) "any any deny". The default (hidden) last rules is probably what causes the PA to somewhat incorrectly (or at least undesired) allow traffic through which shouldnt be allowed through (and is taken care of if you setup a manual last rule to block and log). ... View more

Today your option is to setup dual-logging at each PA-device. That is it has one feed towards Panorama and one feed towards your syslog/SIEM. This syslog-feed can also be manually setup in case you only care for a few "columns", or for that matter using CEF format if your SIEM supports that format. Tomorrow hopefully Feature Request ID 782 (tell your sales engineer to add your company to this ID) will be taken care of which means that Panorama will be able to not only forward the logs the Panorama itself created but also "relay" any incoming logs from the PA-devices. This way (since Panorama uses some kind of delivery secured method) the PA devices will only have to log once (compared to twice as today) and if the connection with Panorama is lost the logs will not be lost (as with syslog which sends out to devnull) but buffered on the PA device until Panorama returns and then fetches whatever logs were produced while the link between the PA and Panorama was down. ... View more

On the other hand this is already happening today since you use a webbrowser to configure the security rules in the PA. The same malware that could screw up clientbased compile could at the same time hide rules from being seen in your browser - rules that opens a hole through your firewall for the malware to act upon. ... View more

Are uploaded files stored somewhere within this "cloud" to be re-evaluated on a schedule? Im thinking when PA is changing what will trigger a file to be considered malware or not (like the case I found a few months ago where wildfire verdict was benign but the file was truly a very bad file) - then this "the hash matches a clean file" might not be true... Also is there a setting regarding this within WF-500, for example making a verdict for a specific hash only valid for 24 hours or so - if the file is seen again later on then the file will be re-evaluated? ... View more

Here you got some updated links regarding Arista using PaloAlto: Palo Alto Networks and Arista 100 Gbs Next Generation Firewall- Whitepaper http://www.aristanetworks.com/media/system/pdf/palo_alto_networks_arista.pdf Palo Alto Networks and Arista Solution Brief http://bit.ly/138GEO2 Arista Scale with Symmetry Guide http://bit.ly/138GNBe Arista EOS integration with Palo Alto Networks Next-generation Firewall for 100GbE: Webinar Recording http://www.aristanetworks.com/june-27-2013-webinar-recording SDN Central, Arista Networks & Palo Alto Networks -DemoFriday: Webinar Recording http://www.aristanetworks.com/en/sdn-central-july-2013-webinar-recording ... View more