About mikand

You create a new CA to be used for this purpose. The CA public and private cert is then imported to the PAN so it can create the MITM certs on the fly to perform the SSL-termination/inspection. The CA public cert is then imported to the client as a trusted issuer. The CN used for the CA is the line your browser will display when you click on the lock (in the browser) and it says "This site has been verified by XXX". ... View more

Hopefully this thread will help you: https://live.paloaltonetworks.com/thread/1459?tstart=0 It seems that PAN currently doesnt support 802.3ad (LACP) but it supports PAgP (Etherchannel) if im not mistaken. On the PAN you setup an aggregated ethernet group which you bond to each physical interface. Then in the configuration of the ae-group you setup the ip address (if needed). One note is to verify which port-channel load-balance method you use. I think srcmac+dstmac is default which makes that your extra interfaces in the ae-group will basically just idle. If you change this into src-dst-ip or src-dst-port you will get a better loaddistribution (given that your equipment supports such loadbalance method). My favorite choice is to use srcip+srcport+dstip+dstport as loadbalance method (again given that your equipment supports such setting). For more information: http://www.cisco.com/en/US/tech/tk389/tk213/technologies_tech_note09186a0080094714.shtml ... View more

You can request app enhancement from the Apps and Threats Research Center. http://www.paloaltonetworks.com/researchcenter/tools/ From there you can click on Submit an app and provide details there. ... View more

I reuse this thread since this is a semi high availability question regarding Panorama. Is it possible to setup Panoroma this way? 1) One Panorama at each site (datacenter). Well of course this on its own will work but this is just to explain what Im thinking of 🙂 2) Devices at siteX will log to Panorama at siteX. This is also pretty straight through since you setup the ip of the Panorama in each device. 3) Each Panorama will then send a copy of the logs to a syslogserver (along with adminlogs). Is this possible today? Or must each device send the syslogs to the syslogserver? 4) Configurations are synched between all Panoramas so it doesnt matter which Panorama the administrator logins to in order to change a security rule or such. This is the main question. The idea is that logs are handled locally at each site (datacenter) where configurations are redundant at all Panoramas. Like a clustering feature of Panaroma. The point here is also to keep the logs locally (no need to synchronise logs between Panoramas/Sites in this case) but as backup the archive feature will be used. ... View more

As far as I know when you use active/passive it will be the same configuration in both. Meaning both devices will have 192.168.1.1 but the one who is passive will have its interface "shutdown" until it detects that current active device is long gone... then it will turn on its interface and send out gratious arp so switches and closeby devices will update their mac-address tables. ... View more

WTF a cliffhanger? 😃 ... View more

How is your userid stuff setup and is it possible for you to update to 4.1.3 or which version is the currently latest for both PANOS and the userid agent? ... View more

In Device -> Setup -> Session you can alter some of the SSL settings such as: CRL Enable Receive Timeout OSCP Enable Receive Timeout Block Unknown Certificate Block Timeout Certificate Certificate Status Timeout When you setup the SSL-inspection the certificate used can have various options such as: Forward Trust This certificate is presented to clients during decryption when the server to which they are connecting is signed by a CA in the firewall’s trusted CA list. If a self-signed certificate is used for forward proxy decryption, you must click the certificate name in the Certificates page and select the Forward Trust Certificate check box. Forward Untrust This certificate is presented to clients during decryption when the server to which they are connecting is signed by a CA that is not in the firewall’s trusted CA list. Trusted Root CA The certificate is marked as a trusted CA for forward decryption purposes. When the firewall decrypts traffic, it checks the upstream certificate to see if it is issued by a trusted CA. If not, it uses a special untrusted CA certificate to sign the decryption certificate. In this case, the user sees the usual certificate error page when accessing the firewall and must dismiss the warning to log in. The firewall has a large list of existing trusted CAs. The trusted root CA certificate is for additional CAs that are trusted for your enterprise but are not part of the pre-installed trusted list. SSL Exclude This certificate excludes connections if they are encountered during SSL forward proxy decryption. Certificate for Secure Web GUI This certificate authenticates users for access to the firewall web interface. If this check box is selected for a certificate, the firewall will use this certificate for all future web-based management sessions following the next commit operation. So you can enable "Block Unknown Certificate" and then use a specific CA as "Forward Untrust" which is blacklisted in your clients browsers (like one CA for "Forward trusted" which is added to the list of trusted issuers in the client browser and another CA for "Forward untrusted" and have this CA blacklisted at clientside). Question here is how to block the client from just override the warning that the cert is issued by un untrusted (or blacklisted) CA? I dont know if just enabling "Forward Trusted" is enough to accomplish this (if im not mistaken this means that untrusted SSLs are just forwarded without inspection to the client which would be really bad). What I have failed to find out is where to see a list of which Trusted CA's the PAN unit will approve? And how to manually remove one (or many) CA's from this list (this way one would not have to wait for PA to release an update next time Verisign, Globalsign or some other CA gets hacked)? ... View more

Sounds like a browserbug because an HTTP error should be displayed for the client even when using POST wouldnt it? ... View more

The thing is that PA doesnt care about ports unless you limit the rule by specify which ports you wish to allow through in "service" column. So if you allow skype and nothing else then only skype should be allowed. However if a specific flow first acts like skype and then change into bittorrent then it should been blocked (if you only allow skype). ... View more

If im not mistaken the logs in PA should show you which rule allowed the traffic. Verify so you dont in an earlier rule somehow allow bittorrent (since PA use a top-down first-match rule-engine similar to cisco acl) either directly (like allowing risk=5) or indirectly (allowing appid=any where you through you would just let some ipaddresses through without filtering or such). ... View more

Oops 🙂 Disallow "view as html" in your email clients then - problem solved... NEXT! 😉 I think this is a bit tricky... Even if you do succeed with a DLP rule (detecting when a client tries to download "*_.exe") you would fail when the attacker change this "_" into "." or whatever char. I think you could try setting up a URL-category filter and filter on urls ending with _.exe A better approach would perhaps be to setup a continue page for all kind of .exe downloads (including .pif, .bat, .whs and other shit which the microsoft operatingsystems (windows) swallows without blinking). I still believe that the blocking of these mails should be able to be taken care of in your mailserver but sure add the above methods to take care of the case when the spam bypasses your mailfilters and your clients are a bit too triggerhappy regarding clicking on links. ... View more

If you dont want to block all .exe's sent to your mailserver then I think its best to setup this rule within the mailserver itself to not forward mails that contains "*_.exe" attachments. Because when you try to do this with DLP (Data Leakage Prevention) rules you might get false positives when someone just in the body of the mail types "blablbla _.exe" since the DLP is looking on the stream passing by and not "exploding" the transmitted object into stuff like attachment etc. On the other hand writing a custom threat prevention rule should be possible for this. Also note that the filenames can be encoded in various ways so a DLP rule will miss some of those mails aswell (unless you write a rule that covers all variants). Use whitelisting is a far better approach (hitrate wise) than blacklisting due to the number of ways of encoding and other tricks to avoid detection. ... View more

Isnt this just a cli bug (which of course should be taken care of but still)? I mean what happens if you setup a rule that block access to "Health and Medicine", are you still able to access www.aetna.com ? ... View more