About mikand

Im not sure I fully understand what you mean... Could you bring two examples (or screenshots) on before and after regarding this particular security rule? ... View more

Yes if you run a proxy that can act in transparent mode such as the Färist proxyfirewall (www.tutus.se) among others. Meaning that it will keep the srcip unaltered even if the client uses the proxyfirewall as a forward proxy (setup proxysettings in their webbrowser). This way you can use: [User]------[Proxy]------[Paloalto]-----(internet) in two modes: 1) forward-proxy The user setup the proxysettings in their webbrowser to point to the proxy. The proxy will then do nameresolution and surf on behalf of the user. The srcip hitting paloalto is the actual user srcip. Paloalto will then NAT outbound traffic towards internet so you get: - User calls 10.0.0.1:3128 for http or 10.0.0.1:3129 for https (ip of proxy - preferly RFC1918 network). - Proxy will query DNS and then setup a http/https towards the public ip on the Internet. - Paloalto will NAT the user srcip before traffic leaves on the internet-interface. 2) transparent-proxy The user will browse on its own straight to the public ip's on the internet and the proxy will be completely transparent for the user (except for errormessages and such). - User will query DNS and then setup a http/https towards the public ip on the Internet. - Paloalto will NAT the user srcip before traffic leaves on the internet-interface. Personally I would prefer the first method because then you can setup triggers in your SIEM so it will scream if packets with public ip's is seen in the core (between User and Proxy) - because this would be a good sign that something is bad with a particular client (like a malware got through). Also because you have a proxy between the paloalto unit (who sits next to Internet) and your internal network this proxy could also protect inbound connections which the paloalto device does towards the panagent servers in order to find out userid of the srcip's it is seeing. ... View more

At least that workaround is not worser than when using most other firewalls 😉 ... View more

You can setup L3 on the other interfaces (which are not part of the vwire configuration) if you wish? But in theory I think it should be possible - I mean vwire isnt directly magical (even if it might feel like magic 😉 I would like to say that vwire is similar to how you can setup a cisco switch with a SVI (Switch Virtual Interface): interface FastEthernet1 switchport access vlan 123 switchport mode access switchport nonegotiate ! interface FastEthernet2 switchport access vlan 123 switchport mode access switchport nonegotiate ! interface Vlan123 ip address 10.0.0.1 255.255.255.0 In the above case stuff that enters FE1 will most likely pop out at FE2 and the other way around - however if the packet arriving to either FE1 or FE2 have dstip=10.0.0.1 then the switch itself will respond. ... View more

Page 2 at http://media.paloaltonetworks.com/documents/App_ID_tech.pdf have a brief description on whats going on inside a PA device when a packet arrives. I have seen numbers of 14 and up to 20 packets being mentioned before final decision that a flow is unknown, but I dont know if these figures are true or not. However it can go faster to decide that a session is unknown. For example: CS: SYN SC: SYN+ACK CS: ACK CS: "a b c\n\n" SC: HTTP ERROR 400/Bad Request = unknown (if im not mistaken). In the above case there was only needed 2 packets (or 1 packet in each direction if we exclude the initial handshake) before the flow isnt recognised as any known application and because of that classified as unknown. There are other cases aswell. For example if you start a session like DNS but in the middle start to do other things then the DNS decoder will not recognise the traffic and because of that switch the flow out of the DNS decoder and identify it as unknown. When next packet arrives the PA unit can take a new decision what kind of traffic is passing through (so you in the log can see how a single session hops between identified applications). ... View more

Something like this? Strong authentication for Palo Alto Secure Access SSL VPN Solutions | Nordic Edge | The Provider of Secure Identity Solutions ... View more

The regular method of using dedicated userid/pan-agent servers will most likely not scale that well for enterprise use. You might consider install the userid/pan-agent service on each DC and lock it to only follow the security log from localhost. That is because the userid/ip mapping is done by tailing/following the security log (events 672, 673 and 674 for Win2003 DCs and events 4768, 4769 and 4770 for Win2008 DCs) and when a user logins to the domain only the DC who authed the user will log its presence (the security log is not replicated within the domain for some odd reason). With a network of just 2 DCs this is not a problem (even if you have 10.000 concurrent users). But if you have lets say have 50 DCs (with 10.000 concurrent users) the math will be something like (with 2 PA devices): - Dedicated userid/pan-agent servers (tailing security log of each DC over the network): 50 * 5Mbit/s * 2 + 2 * 0-100kbit/s ~= 500Mbit/s network load (5Mbit/s is estimated network load to follow a single DC in an environment with approx 10.000 concurrent users). vs. - Userid/pan-agent installed on each DC (and configured to only read the local security log): 50 * 0-100kbit/s * 2 ~= 0-10Mbit/s network load (that is each PA device (2 of them in this example) will connect directly to each DC (who runs the userid/pan-agent service)). Having that said there are a number of quirks that one must be able to handle. One is how large TTL/cache timeout would you use? Too small will raise the bandwidth needed for the userid stuff (along with cpu usage of mgmtplane) while too large will end up with wrong user might be logged. For example if user1 logins, then unplugs their laptop and then user2 (who already is logged in) plugs their laptop into the network and get the same ip as user1 (just an example). If you have a TTL of 1 hour then the log in PA might display the incorrect user for up to 1 hour. So the fix here is obviously to choose as small TTL/cache timeout as possible. Another fix to better track users is to enable WMI lookups along with server logs inspection (for example inspect logs of ms exchange server) - this way you will have more sources to have your user-ip mapping better updated. Another quirk which comes from how AD works is that there doesnt seem to be any logout event, basically because users can hibernate and all sort of things (or just unplug their box). A workaround for this is to use the XML api of PA and perhaps write your own syslog tail script that could inspect arp logs from switches and other stuff in order to invalidate specific ip addresses. The above is to track users who are logged in to a AD. Another tracking method is the ts-agent. However ts-agent is meant to be used on citrix servers and works by informing the PA box which user is currently logged in and which srcport range is associated with this client. When doing stuff from a citrix server each client gets a dedicated srcport range which gives that the ts-agent have a better "hitrate" than the AD-tracking pan-agent but at the same time they are meant for different purposes. I think globalprotect (without the VPN stuff) can also be used to also inform your PA devices who is logged in at a specific srcip. ... View more

I cant answer your specific question but when using the recommended setup of: Critical: block High: block Medium: block Low: default Informational: default the threats classified as critical, high or medium will then be blocked no matter what their default action is. My guess is that the risk of false positives is a major factor of why not more critical and high threats have block as their default action. This becomes more obvious when you look at the low and informational threats. One of them is a signature for url's in pdf's. I mean - pretty common these days but also common for pdf's containing exploits. So if you would block such pdf's you would most likely get shitloads of false positives which then would hide the true threats (pdf's who are actually infected). But on the other hand if you know that for example one of your fileservers (which you wish to protect with a PA) never would contain such pdfs you could use this threatid without any false positives. ... View more

According to the admin guide (page 178) you can setup custom IPS signatures based on SSL so I hope its possible to setup a vuln signature regarding ssl negotiation which you then block if this comes client -> server. Unfortunately I currently dont have any example on how to setup such signature. ... View more

I think this was the thread I was thinking of: ... View more

If you are lucky you have a backup of running-config from when it didnt work which you run a diff against your now working running config (and get back with the results)? ... View more

Look in Policy -> Decryption, did you perhaps setup some SSH-termination or such? Or do you use NAT either SNAT or DNAT (im thinking if there is some setting in your ssh-client who then mismatches but it shouldnt but still)? ... View more

The Common Name says www.facebook.com so it shouldnt be that. However Facebook seems to use a new cert issued 2012-06-21 that perhaps for some reason isnt recognized by PA as a visit to Facebook? Is the blockpage not visible even if you do SSL termiantion (ssl-proxy) in your PA towards your clients (because then the PA can look inside the encrypted traffic and see the actual GET/HEAD request and the URI used there)? ... View more

Isnt RSA512 just really bad? At least use 1024 if your have performance concerns. FIPS 140-2 states one should use 2048 while EU-CRYPTII says something like at least 2444 bits for assymetric encryption (in reality 4096 is the next step). A true CA should use as high encryption as possible for example 16384 where the issued certs uses 4096 or such. ... View more

Also since this is a continue-page you can put your images as base64-encoded css stuff. The upside is that everything the client need to properly display your continue-page incl logotypes etc is within the html-code. The downside is that there is a size limit on how large the html code can be thats being stored as a continue (or other type of block) page in PA. Edit: Here is the doc I was thinking of describing how to setup base64 images through css-style sheet: ... View more