About mikand

I guess you would just bitchslap me if I returned your "Patience, Daniel-san..."? 😉 ... View more

My best friend in these situations tends to be to grab a copy of: Command Line Interface Reference Guide and Administrator's Guide from "Technical documentation" at https://support.paloaltonetworks.com/index.php?option=com_pan&task=tech_docs&Itemid=141 and use CTRL+F in my favorite pdf-viewer (which currently is SumatraPDF, I got a bit allergic to all vulns that Adobe puts in their products). ... View more

Can you bring a more specific example? You can use an application filter to create a custom filter which is based on for example "all appid's which match subcategory:email" or "all appids which match characteristic:evavise" etc. These are dynamic and are based on the classification made by PA in the app-db (for example if PA removes Zimbra from the subcategory email then Zimbra will not be allowed/denied by your security rule using this particular filter next time the app-db updates or an administrator commits the ruleset). When you create an application group (compared to application filter) you select specific appid's to be put in your custom group. For example creating an application group named "server-mgmt" which will include appids: ssh, snmp, snmp-trap, syslog, ntp and ping. These are static (only the stuff you selected for your custom application group will be used) and will only change if an app-id change name or is completely removed (I think you will get an error during commit so you need to fix the application group who now points to an app-id which doesnt exists if that case would happen). Edit: The above is just for the appid stuff. You can then also setup custom service groups which means which ports (TCP/UDP/ICMP + port number) you which to allow for your security rule. If you use the custom application group "server-mgmt" as described earlier you can select "any" (which means all UDP/TCP ports will be open and flows will be killed once detected not belonging to any of the appid's selected for "server-mgmt" - in my opinion should be rarely used because you will expose the stuff you try to protect), service-default (based on the default ports which each appid claims to use) or custom (either specific UDP/TCP + port or by a custom service group in case you have a bunch of ports such as TCP22 + UDP161 + UDP162 + UDP514 + UDP123 + ICMP Echo-Request, ICMP Echo-Reply). Also note that the "server-mgmt" is just an example. In real life I would limit it down even further. Like snmp traps is usually sent FROM a server and not TO a server (except for the server collecting the snmp traps) and so on. ... View more

Ahh yes, I didnt have a PA device close by when I wrote that msg but looked at what Brightcloud (which delivers the current url-db to PAN) called it on their site 🙂 http://www.brightcloud.com/support/changerequest.php (have the list of current categories). ... View more

You can either create your own app or in the setup of the security rule just define something like (if you dont care about the application and only want to filter for ports): appid: any service: 12345 where service can be a port straight away or you can create a custom servicegroup if there are several ports to be used. ... View more

You can setup a SSH decryption policy to handle ssh vs ssh-tunnel. But I dont think it currently supports stuff like v1 vs v2. Look at page 143 in the PA-4.1_Administrators_Guide.pdf for more info. I think you need to contact your sales rep. to file this as a feature request. ... View more

Will the PAN send a TCP-RST or FIN-ACK when a POP3 msg is detected containing malware? If not... wouldnt it be possible if the PAN just block the download and when the client restarts it (within the same TCP session) the PAN would just return a "-ERR message infected" or similar so the client can continute with next message (depending on email client used)? A wellwritten email client would then just continue with the other messages. http://www.ietf.org/rfc/rfc1939.txt ... View more

According to: https://live.paloaltonetworks.com/message/10099#10099 and https://live.paloaltonetworks.com/message/7904#7904 it seems that PAN currently doesnt support ECMP (Equal Cost MultiPath). But I think it should support "unequal" multipaths since this is the base of most dynamic routing protocols (only the "best" route will be loaded into the fabric and when this route fails the dynamic routing engine will select next route and load that into fabric). So your best choice is to contact your sales rep. and issue this as a feature request (dont forget to return to this thread with an update on how it goes). Regarding floating ip's those are only available (to my knowledge) in active/active setups. That is because in active/passive its the very same config thats loaded in both devices (and the unit who is currently passive is simply virtually shutdown except for the mgmt interface and HA-links). While in active/active both devices must be online and VRRP (or similar) is being used (each unit have a physical IP address and then shares one or more floating IPs). ... View more

Can this be fixed or is this a hardware limit or such in PAN? Because I find it too a bit odd that only a single category would match. The www.nudetravel.com is a great example. If this url would be categoriesed as both "nudity" and "traveling" and I setup a security rule to block access to travelsites I expect this rule to get a hit for "www.nudetravel.com" without me having to manually create my own url-category database (because thats the whole point of buying an url-category db license to not having to maintain your own url-db except for a few "false positives" or "unknown" sites). The same if I setup a security rule to block "nudity", I expect that the same url would get a match here too. ... View more

Some additional comments on previous points: 1) As a test (if possible) you could setup a security rule that acts just on src/dstzone such as: srczone: LAN dstzone: DMZ appid: any serviceport: any user: any action: allow and then (when you identified what was incorrect and fixed it) limit it down to correct appid/serviceport. 2) If the LAN interface is on the PAN you need to setup a management profile aswell that will allow the LAN interface to be pinged at. 3) I think the following will work better 😉 ping source 192.168.1.1 host 192.168.1.2 4) In my experience this is quite common (given the symptomes presented). Verify that the client have the LAN-interface of the PAN as defgw (10.155.10.10) and also that the proxy have the DMZ-interface of the PAN as defgw (192.168.1.1). Also verify again that you have correct ip-addresses AND netmasks on both proxy and client (so it doesnt say 192.167.1.2 instead of 192.168.1.2 or such). Easiest is to just run "netstat -rn" to see current routing table. Since both proxy and client are "directly attached" you wont need additional routing rules in the PAN box. However if you have linknets then you would need to add additional routes in "virtual router" in the PAN. 5) Also check the arp entries on the proxy and client itself such as "arp -a" or "arp -an". ... View more

There is an URL-category named "CDNs" which you could use for this. Otherwise you can create your own custom URL-category where you include the CDN's you wish to allow. Its not uncommon that a site such as "www.example.com" will use "cdn.example.com" as their cdn url (which then points to akami or whatever CDN is being used). ... View more

Im a bit allergic that just because its signed it will be marked clean. Didnt Realtek got their signing cert stolen a few years ago (and some others last year)? This way wildfire will fail detecting future stuxnet-like malware. Perhaps the GUI of wildfire should be upgraded to handle this case? Like yes this app acts very odd but its signed by a "trusted" issuer. And where can one see which certs the wildfire trust by default? I think this can be bad for the reputation of wildfire if badware wont be detected due to that PA for some reason trusts a specific vendor. ... View more

What does your traffic log say? Are you allowing web-browsing (or which application is identified)? ... View more

Which version of PANOS do you use then? Commiting a somewhat clean setup (inlcluding threat prevention and url categories etc) on 5xxx boxes took just seconds with 4.1.x compared to older versions of PANOS. It would be interresting to see "guidelines" in case one think commiting takes too long for what one can check for. If you have riddicolous large app filters then I can understand why it will take a few more seconds to compile the security rules but at the same time this is the point of using app filters. Will for example disabling "rematch flows to new security rules" (or whatever that setting is named) change the speed of commits? Or is the commitspeed purely a mgmtplane thing to compile the code which the FPGA/ASIC will be loaded with? ... View more