About mikand

mikand · ‎03-12-2012

However it will miss the first detection and if these fake AV sites regenerate their exe files (to avoid detection from signaturebased AV's) Wildfire wont help (since Wildfire will only get a hit if the particular executable was found out to be bad AND has been seen previously by Wildfire). Wildfire will also miss it if the fake exe used a stolen cert (which isnt found out to be stolen yet) to sign the executable since Wildfire currently just ignores testing such executables. Doesnt most of these bad sites belong to the "Spyware and Adware" or "Malware Sites" url category which you could just block? I tried some urls from http://www.spywarewarrior.com/rogue_anti-spyware.htm and most of them turned up belonging to the "Spyware and Adware" or "Malware Sites" url category according to www.brightcloud.com.

mikand · ‎03-12-2012

I have never had this problem so Im just guessing now Try to enable IDP for both directions (if you didnt already do so) along with antivirus controls, botnet detection, url categorization etc - simply enable all filtering features you can find along with logging for not only session end but also session start (the later I guess could saturate the mgmtplane before the dataplane). And then its a matter of pushing traffic... if possible you could record a pcap file and then replay it using tcpreplay: http://tcpreplay.synfin.net/ Edit: By the way according to a NSS Labs test enabling ALL features of PAN actually increased the throughput so I dunno... perhaps enabling just one feature will be worser for the dataplane than when everything is enabled? 😉

mikand · ‎03-12-2012

I think there would be some custom report you should be able to setup to get these figures but I guess you want them more in realtime? Using netflow export could be one way to achieve this, otherwise I think snmp is the way to go (device -> setup -> operations). The PAN-MIB modules are available at the Technical Documentation page here at support.paloaltonetworks.com. In PAN-COMMON-MIB.my you have stuff such as (shortened): -- Session panSessionUtilization OBJECT-TYPE DESCRIPTION "Session table utilization percentage. Values should be between 0 and 100." panSessionMax OBJECT-TYPE DESCRIPTION "Total number of sessions supported." panSessionActive OBJECT-TYPE DESCRIPTION "Total number of active sessions." panSessionActiveTcp OBJECT-TYPE DESCRIPTION "Total number of active TCP sessions." panSessionActiveUdp OBJECT-TYPE DESCRIPTION "Total number of active UDP sessions." panSessionActiveICMP OBJECT-TYPE DESCRIPTION "Total number of active ICMP sessions." Once you have the utilization over time you can check the datasheets to select a proper hardware depending on wallet size and stuff like that 😃

mikand · ‎03-12-2012

I think you can solve that hairpinning with a DNAT rule if you need that (but I would prefer avoiding DNAT if possible). By front ending certs I assume you mean that the PAN will do the SSL stuff so it is SSL between client and PAN and then just cleartext (or another SSL) between PAN and the Exchange server (so that the PAN can use appid on the traffic to only allow whatever its needed)? And yes PAN can do that (if im not mistaken this was improved in 4.0 or if it was 4.1 to have several certs which you in the decrypt rules choose which to use for which flow).

mikand · ‎03-10-2012

I assume you simply clicked on the sip area in the "top applications" in dashboard and ended up in the second screenshot? My first thought then was that you would need to modify "Time" (which is currently Last Hour) but the top applications in dashboard is also regarding last hour so that shouldnt matter. Can you verify that you in your security rules have enabled logging (this is made per security rule, you would also need to add a default deny in the end and configure that to log aswell since the "hidden" last rule (not visible in GUI) which does default deny have logging turned off)? As a debug enable logging for both session start and session end (later in production you would normally just need logging on session end (if you want to keep logvolumes down) because then you get additional info such as session length and datavolume transmitted which session start lacks). I think you need to have logging enabled in your security rules for the traffic to show up in the traffic log. However the ACC shouldnt be empty... I guess you have already verified that your PAN box have downloaded the latest app-db and such (and you also commited after the download)? Also is it possible for you to update to latest 4.1.x (I think its currently 4.1.4 or so) just to rule out any known bugs?

mikand · ‎03-10-2012

Can you provide a simple network drawing of how everything is connected? Like where is the client located, where is the server located, are there any other stuff connected aswell? A quick verification if you suffer from "slowness" is to verify interface configurations. For gigabit make sure to use auto for speed and auto for duplex and verify that any switches/routers your PAN is connected to does the same.

mikand · ‎03-10-2012

The interfaces in your WS000016.JPG screenshot are which interfaces that should belong to the particular VSYS (and have nothing to do with dns-proxy to my knowledge). Like if you want to have: VSYS0: int0/1, int0/2, int0/3 VSYS1: int0/4, int0/5, int0/6 VSYS2: int0/7, int0/8, int0/9 The dns-proxy setting is which dns-proxy setup you wish to attach to the particular VSYS. The other screenshot, WS000017.JPG, displays a particular dns-proxy (in this case named "google") and the interfaces here are which interfaces this dns-proxy should be attached to. The reason for why there is an interface configuration for the dns-proxy is simply because if you have lets say WAN, LAN and DMZ as interfaces in your PAN (or VSYS in your PAN) then I would assume you would want to use dns-proxy on the LAN-interface and not on the WAN-interface (that is incoming dns-packets on LAN should be modified according to the dns-proxy setting). So for example... If you for VSYS0 setup the following interfaces: VSYS0: int0/1, int0/2, int0/3 and choose to use the "google" dns-proxy, then when you configure this "google" dns-proxy you should only be able to choose between int0/1, int0/2 and int0/3. But from what I understand with your first sentence is that you want to use different dns-server(s) for different VSYS when you configure security rules etc regarding objects based on FQDN instead of ipaddress. Unfortunately I dont think this is currently possible. Simply because the VSYS stuff is only to segment the dataplane - you will still have only one mgmtplane for all the VSYS. You setup which dnsservers the mgmtplane should use in Device -> Setup -> Services and can also configure which interfaces should be used (for example if your dnsserver for FQDN lookups during configuration isnt avaiable on the mgmtinterface but rather on int0/3 or whatever) in Service Route Configuration. So I think you will have to file this as a feature request to your sales rep that you want to be able to segment the mgmtplane aswell (or at least be able to do this for the dnsconfiguration of Device -> Setup -> Services). Also note that (at least by my opinion ) you should avoid using FQDN for network objects in your configuration. That is not only because your firewall will then rely on the output from the dnsserver when you configure (imagine what would happen if someone modifies your dns to return "0.0.0.0" for a particular host?) but also because the mgmtplane will only query your dns for FQDN during commit and translate each FQDN into an ipaddress which is then loaded into the fpga/asic. This means that if you commit at lets say 12:00 oclock and then modify your dns at 12:01 oclock the firewall will still only allow (or deny depending on the rule) traffic for the old ip.

mikand · ‎03-09-2012

How did you search for it in the traffic log?

mikand · ‎03-09-2012

Sounds like you should file this as a bug through your sales rep. I think its still somewhat uncommon with IPv6 and those who did the switch use IPv6 instead of IPv4 (no dualstacking) so they wont stumble into the bug you just found. There are also methods to use 4to6 and 6to4 if you use devices such as BIG-IP from F5 (among others) so this will also avoid dualstacking on the servers (with 4to6/6to4 your servers can still be IPv4 native and the loadbalancer will take care of the transition).

mikand · ‎03-09-2012

No need to use NAT in your case. I assume your fileserver1 have a defgw which points to your router. You can then put a static route entry in your router to point out where the wifi-clients are connected (iprange of wifi-clients with nexthop to your PAN box - I assume your network is similar to router <-> PAN <-> access-point <-> wifi-clients). Or am I missing something here? Then in your PAN you can as debug just allow appid:any, service:tcp9191 to see how PAN will detect the flows and once found out limit the appid to only use the detected application(s).

mikand · ‎03-08-2012

I guess you have already seen a similar case in this thread? https://live.paloaltonetworks.com/message/11918#11918

mikand · ‎03-07-2012

Hopefully you have your clients segmented away from the servers which gives that adding only the clientip ranges should be enough (and most optimized). For clients from for example Internet I assume you use some kind of VPN and this will have internal ip's that your internal firewall will see. I imagine that if you add 0.0.0.0/0 as ip range the user-id agent will try to resolve connections it doesnt have to, like connection from another server. But sure - if the process running on the source server is using a specific account you could use userid to limit not only on zone, ip, service (port) and appid but also userid. But I dont know how user-id agent is compatible with such approach (since on the server there is normally noone logged in on the console and each process runs with their own user).

mikand · ‎03-07-2012

Verify that you have SSL-inspection/SSL-termination/SSL-decryption in place: https://live.paloaltonetworks.com/message/12102#12102 https://live.paloaltonetworks.com/message/11110#11110 https://live.paloaltonetworks.com/message/3891#3891 The last link is a bit old so I dunno if thats still valid. I also recently saw a thread in this forum regarding captive portal but I cannot locate it currently. I dont remember if it was something fixed with newer PANOS (like 4.1.3 or 4.1.4) or that the security rule needed to include the ip of the PAN itself in order to make captive portal happy.

mikand · ‎03-07-2012

According to tests performed by NSS Labs the PAN devices datasheets are underrated rather than overrated. One of the tests showed 115% performance of the stated throughput for a particular model (I think it was a box from the 4000 series). First of all having a high "cpu usage" for the dataplane isnt a problem as long as the usage isnt at 100% which you will then notice will affect the latency and then throughput and stuff like that. Which PANOS do you use and when was it you last rebooted the device? Of course rebooting the device should only be necessary doing firmware updates but if there is something stalled which gets fixed by a reboot (but then returns after some time) you should contact your sales rep. to file a support case so some support engineer can bring you a list of commands to run to identify what goes wrong (in case there is a hardware malfunction or something else). I have seen reports in this forum that older versions of 4.1 might have had some issues but it seems that 4.1.3 and 4.1.4 solved those.

mikand · ‎03-07-2012

Since you can setup QoS in PAN using appid's I think it should work to add QoS rule that will prioritize ipsec (or subtypes ipsec-ah, ipsec-esp, ipsec-esp-udp, ike depending on your needs) for the physical interface. The tricky part here is that QoS only works for egress traffic. To bring QoS for incoming ipsec traffic you would need to do equal stuff in your switch/router which your PAN is connected to.

Member Since	‎03-30-2010 08:39 AM
Date Last Visited
Posts	1,446
Total Likes Received	496

About mikand

Re: What is your experience of using site-to-site VPN with PA devices and how is the performance?

Re: Azure VPN Tunnel configuration MTU adjustment

Re: What the different between 'count' and 'repeat count' in the report?

Re: HA Cluster different transceiver type on each firewall

What is your experience of using site-to-site VPN with PA devices and how is the performance?

What tunnel options do you have for site-to-site using PA devices?

Re: PAN response to: Attacking Next-Generation Firewalls: Breaking PAN-OS ?

Re: PAN response to: Attacking Next-Generation Firewalls: Breaking PAN-OS ?

Re: PAN response to: Attacking Next-Generation Firewalls: Breaking PAN-OS ?

Re: PAN response to: Attacking Next-Generation Firewalls: Breaking PAN-OS ?

PAN response to: Attacking Next-Generation Firewalls: Breaking PAN-OS ?

Re: Feature Request

Re: When should I use a non-tunnel mode gateway with GlobalProtect? Also: license needed for HIP? SSL vs. IPSEC?

Re: Pc does not join into Domain

Re: Overcoming an application filter and url groups

Re: Encrypted and Zipped files with virus in it

Re: Rogue/Fake Antivirus Malware detection?

Re: Increase Data plane CPU on PA-500

Re: Sizing PA Devices

Re: PA 500, Hairpin routing and front ending certs

Re: Bittorent session identification

Re: how to configure PAN to work as proxy

Re: How does dns-proxy in Vsys Configuration works?

Re: Bittorent session identification

Re: IPv6 and IPv4 addresses in same security rule?

Re: Help to create rules for PAPERCUT (Printing program) for Wireless users on a Separate VLAN

Re: 2050 running high dataplane CPU

Re: User-ID on incoming connections

Re: Is HTTPs traffic correctly rdirected in PANOS 4.0.8?

Re: 2050 running high dataplane CPU

Re: IPSec Tunnel QoS

Unlock your full community experience!

About mikand