About mivaldi

This forum is for non customers facing false positive detections in VirusTotal. Please open a support case. ... View more

PAN-OS 10.0.8 is currently targeted to release mid to late October 2021. ... View more

Sounds like a true positive. There are 105 signatures with that name so it is hard to guess which one you're getting. Please open a support ticket. ... View more

You can mitigate this vulnerability by having traffic that routes to the management interface be scanned by a Vulnerability Protection profile which should be set to reset-both on High severity vulnerabilities. Since the firewall does not run IPS on the traffic destined to the management *port*, the recommendation implies that you would either force management traffic through the firewall, or migrate the WebUI management of the device to a data port for in-band management (where the Vulnerability Protection profile can scan the traffic) using an interface management profile, and/or, mitigate risk by restricting access to the management port. This is covered in our documentation at https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/getting-started/best-practices-for-securing-administrative-access.html   Other than the in-band solution, a few ways to force traffic through the firewall for out of band management are to: 1) Create a Layer 3 interface in a spare data port on a separate Management Zone, associate a management interface profile to it, and define all service routes to source from this interface. Define an intrazone security policy for the Management Zone with an associated Vulnerability Protection profile to have the traffic scanned. This solution requires a single spare data port.  or, 2) Create a vWire on two data ports, connect one port of the vWire to the management port and another to your management network switch. Define a security policy for the vWire with an associated Vulnerability Protection profile to have the traffic scanned. This solution requires two spare data ports. The advantage in this scenario is that it provides true management isolation and that for any required services that do not honor Service Routes, traffic will continue to source from the Management port.   By the way, 10.1.2 and 9.1.11 have already released. ... View more

以下是 PANOS 10.1 中的新功能 https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-release-notes/features-introduced-in-pan-os.html ... View more

This is a benign Let's encrypt domain. The URL categorization has been cleared. There was an issue that was resolved in 9.0.10-h2, 9.1.6, and 10.0.2, that caused URL's previously in a malicious category to get 'stuck' in that malicious category in the Firewall's DP Cache. See https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HCgjCAG If you are running a PAN-OS version that is higher than the ones mentioned above, and you see the URL categorization stuck in a malicious category, even after it being cleared out to be Benign (verifiable in Test-A-Site), please open a Support case to have the issue investigated for root cause. ... View more

The issue is resolved in latest Content 8424. ... View more

You should try using a targeted security policy with a Custom URL entry to match the URN of interest in the Service/URL Category tab of the Security Policy Rule. You will then apply the restrictive Vulnerability Protection Profile with an Exception set to block on your Custom Vulnerability Signature. Note that given that these are HTTP(S) resources, this is dependent on successful TLS decryption. ... View more

Here's another resource that can be helpful:   https://github.com/gogasvig/cpsmine ... View more

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/take-baseline-cps-measurements-for-setting-flood-thresholds   Palo Alto Networks Professional Services can also assist with this task. ... View more

Full FQDN blocking on SSL encrypted websites is only possible if the Web Browser being used declares it in the Server Name Indication (SNI) extension which is optional, or if it matches literally with the CN presented in the Server's Certificate. Besides the Web Browser choosing not to expose the FQDN in the SNI, there are two other situations that can prevent URL Filtering matching: 1. The browser in use is Google Chrome, and the connection is established using the QUIC protocol instead of using HTTP(S). The solution is to create a Security Policy at the top of your security policy set blocking application 'quic'. 2. The browser in use is encrypting the Client Hello (ECH) or encrypting the SNI (also known as ESNI), which are options in TLSv1.3. In that case you will not be able to read the SNI and you may need to resort into taking a decision based on the validity of the Root CA signer. You can set a decryption profile without rolling out SSL Decryption, and check with a no-decrypt Decryption Policy to see if the root CA is trusted, and if not, block the connection.   The best way to determine what situation you're encountering is to run a packet capture of one of your user's traffic being allowed. ... View more

Host sweep will detect whenever a source attempts to hit different IP addresses on the same destination port, which if you think of it is by definition internet activity (multiple IP's hit on port 443 and 80). This means that if you enable this protection on an internal Zone with internet access, it is highly likely to trigger FP's continuously for public IP's on the internet on regular internet ports (most frequently 443 and 80). ... View more