About mikand

Oh yeah that part, hmpf... Yeah wait for symmetric return to arrive and it will fix these problems 🙂 ... View more

I think you should be fine if you setup just two DNAT rules. (example) untrust -> trust 0.0.0.0 -> <firstip> forward: <exchangeip> untrust -> trust 0.0.0.0 -> <secondip> forward: <exchangeip> Im not sure if PA will then see this as a single flow and do the SNAT for you (I mean if client speaks to <firstip>, will the reply which <exchangeip> sends back to the PA device automatically use <firstip> as source when sending the reply back to client?). For the flows which the <exchangeip> initiates on its own I dont think you would need a SNAT rule for that (unless your exchangeserver use a private ip and you need to speak to internet). ... View more

1) Also to take into account (if we use my numbers as example) what you need to compare is the cpu usage of: - Running userid locally and only tail localhost. vs - The DC must maintain a feed to 10 userid servers (which per DC would mean approx 30Mbit/s in this example). 2) This is already handled (in my example) because there is a 1:1 relation between each DC and the userid process which the PA connects to. If the DC goes down then the service is unavailable for this particular DC - so from the userid point of view there is no loss. If the DC dies (and therefor the particular userid service) the dead DC wont be able to login any new users anyway. DC2 (which runs its own userid service taling localhost) will handle new logins to the network and with the help of the userid process notify all PA boxes which user is using the particular ip who just logged in. Regarding security concerns I assume you already runs at least a third party antivirus software on your DC's to protect them somewhat from bad stuff. Also even if you use dedicated userid servers they should be protected equal way as each DC (or even more since DC's can be readonly (well somewhat readonly at least)) because what the userid tells the PA will result in which open holes will exist in your network (for example between clientnetwork and a specific server). I mean instead of trying to hack the DC or some AD accounts you could try to hack the userid server instead to gain access (at least access so your bad packets will hit the server you are interrested in). ... View more

My thoughts was regarding an (imaginary) situation where you have (for example): Background: 5 sites with PA-devices (lets say two failover pairs like one pair for external communication such as Internet etc and one for internal communication such as servers etc). Which gives 20 PA-devices in total (5 * 2 * 2 = 20) - (im not sure if the passive unit will be connected to the userid server or not, anyone who knows?). And at the same time 25 locations with two DC's at each location. Which gives 50 DC's in total. Along with 10.000+ users... A simple setup (regarding userid) would then be two userid agent servers per site (for redundancy) which bring you 10 userid agent servers in total. Each PA would then have a list of 10 userid servers (or just 2 from the local site if you need to be gentle with the wan - however the amount of traffic between PA and userid server is far less than between userid server and DC) According to a previous post its reasonable to assume that traffic load between one userid agent server and a DC would yield approx 3Mbit/s (or so) specially with many concurrent users. Because all users can reach all sites each userid agent server must tail ALL the DC servers who exists in this network (50 of them). This means that each userid agent server would have a sustained rate of approx 150Mbit/s (50 * 3Mbit/s = 150), which with 10 of them means you would have a network load of 300Mbit/s per site just for the tailing (and that is if we assume in this calculation that the DC's isnt available on the PA sites otherwise there will be even more traffic). Now... If we instead install one userid agent server (service) on each DC and configure it so it will only tail localhost and nothing more (relation would be 1:1) then yes each PA device would need to connect to 50 userid servers (instead of "just" 10 as previously). However the traffic between each PA and each userid server is far smaller than the "tail -f" which the userid agent must process if the DC isnt installed on the same box. Also if one DC goes down this doesnt matter since this particular userid server will be unavailable BUT this particular userid server only monitored this particular DC (since it was the same box). Which leaves us with the question of how demanding is it to run a userid server service? Since the traffic never goes out on the network it should be a few percent less load on the service itself (less waiting) and since this service also only monitors localhost (and NO remote hosts, perhaps only some exchange server if needed) then the load (I imagine) shouldnt be higher than if you open up the eventviewer on the DC and stare on each row who is flowing by (which should take more resources since the eventviewer draws to the screen which the userid process doesnt really have to 😉 The above is with the assumption that the DC's doesnt replicate the security log between each other which means that each userid server must tail all your DC servers in your network otherwise you will end up with blind spots. Or how can this otherwise be setup (setting higher timeouts isnt an option because this would mean higher probability that wrong user is logged in the PA-device)? ... View more

How come its not recommended to install it on the DC itself? If we take larger installations there will be shitloads of networktraffic for the userid agent when its tailing the security logs of all DC servers (specially when you have more than a few DC servers in your network). ... View more

Is that article related to https://isc.sans.edu/diary/IP+Fragmentation+Attacks/13282 ? Edit: I can answer myself, no it doesnt seem to be related but I think it would be great if some PA representative could respond to above link aswell (regarding how is PA devices handling the case)? ... View more

Just to verify... when you say that the attack continues - do you mean that each attempt is logged as "block-ip" in the PA-logs or do you mean that each attempt is actually reaching the target server (like if you run tcpdump on the server you would still see each attempt)? Because if its the first case then I guess it can be because you have a "deny and block" rule as last rule in your ruleset or anyway I think each attempt should still be logged (or have an option if only the first block-ip for a particular srcip should be logged). ... View more

Check in service route configuration (Device > Setup > Services, click on Service Route Configuration) if you can reroute just the uploads to use a specific dataplane interface instead of the mgmt-interface. ... View more

Also enabling WMI and disable NETBIOS seems to be recommended (given that your clients provides a WMI interface for the server running your userid agent). ... View more

You could do this by adding an allow rule before the block rule like so: 1) appid: facebook url: www.facebook.com/mybusiness action: allow 2) appid: facebook (or how your block rule looks like) action: deny Since PA uses top-down first-match visits to your business page would trigger first rule while other visits would trigger second rule. Problems on the road: * How are logins to facebook handled by PA (you might need to whitelist the login url aswell)? * Even if you have www.facebook.com/mybusiness the other stuff on your page will be regular CDN stuff from facebook (which would be blocked by the second rule). To fix that second problem you could create a custom app using facebook as parentapp (or web-browsing) and then add stuff like HTTP-HOST (*.fb.com or whatever the CDN is called) and HTTP-REFERER (^www.facebook.com/mybusiness). The problem now becomes that if any of your clients modify their browserheaders to include www.facebook.com/mybusiness as referer they will be able to access facebook (depending on which HTTP-HOST names you included in your custom app). ... View more

I hope any of these can help: 'infra-group: restarts exhausted, rebooting system' and Firewall REBOOTS random https://live.paloaltonetworks.com/message/14634#14634 PAN-OS Software Buffer Leak, Issue ID 36829 https://live.paloaltonetworks.com/docs/DOC-2847 Critical Issues to be Addressed in Future PAN-OS Releases https://live.paloaltonetworks.com/docs/DOC-1982 So this can happen either if the swap is runned out or by buffer leaks. ... View more

If im not mistaken PA has added autorestart of failed services at the mgmt-plane. One such case (as example) was the failing SSL-termination in 2xxx models. With the autorestart of hung services the box could continue operate (with little loss of functions (only time between the process hung and that the process had been restarted again), compared to if the SSL-termination halts and you find out about this hours later). I think that if a specific service have been forced to restart several times the PANOS will restart the whole mgmtplane instead, but this shouldnt affect the dataplane (the whole idea of separate mgmt- and dataplanes, except for the stuff thats handled by the mgmtplane like updating userid relations and issue the ssl-termination certs (which also is different in different models where this is taken care of)). ... View more