About mivaldi

@puppetjt   The Virus Total link you submitted is for the URL of the installer, not for the file. The file is deemed Benign by WildFire.   The right sha256 for the sample is  f1601b09cd0c9627b1aab7299b83529e8fbc6b5078e43dfd81a1b0bfcdf4a308   The VirusTotal report is clean. https://www.virustotal.com/en/file/f1601b09cd0c9627b1aab7299b83529e8fbc6b5078e43dfd81a1b0bfcdf4a308/analysis/   If the file triggers an Antivirus signature, this is most likely the case of a signature collision. Signature collisions happen when the digital patterns of a Benign file that the firewall looks at to determine a match with a virus signature, coincide with those of a sample that has been determined to be Malware (which includes the possibility of a signature collision with a False Positive).   In this particular case, the Signature Collision is with sample f70870509dc2845e1720e68957f7a159b2cd7a2f69950d4707119f9bd5a6c5cc which is a trojanized version of the 7zip installer. https://www.virustotal.com/en/file/f70870509dc2845e1720e68957f7a159b2cd7a2f69950d4707119f9bd5a6c5cc/analysis/   In general, the recommendation in cases like these is to create an Antivirus Exception in the Antivirus profile tied to the Security Policy matching you traffic. The reason why we can't disable the signature, is because that would mean that we would allow both the Benign installer, and the trojanized version, resolving the problem for you, but exposing everyone else to get infected.   One of the possible counter-measures to this, is to increase the specifity of the Malware signature, to make sure it matches the Malware variant, and not the Benign file. The increased specifity of the signature not always resolves the collisions, but I will give it a try, and come back to you with our results.     ... View more

Please review this article before deciding to implement a Threshold setting.   https://live.paloaltonetworks.com/t5/Management-Articles/Dynamic-updates-scheduled-with-a-threshold-set-but-are-never-or/ta-p/65952 ... View more

Please refer to the following Palo Alto Networks Customer Advisory available at:   https://live.paloaltonetworks.com/t5/Customer-Advisories/Important-information-regarding-Content-Apps-amp-Threats-version/ta-p/173866 ... View more

Reset Client, Reset Server and Reset Both will all send an SMTP 541 message followed by the appropriate resets.   Reference: https://live.paloaltonetworks.com/t5/Featured-Articles/Tips-amp-Tricks-Complete-Action-List-in-Profiles/ta-p/129296 ... View more

You can use the Yoyo lists in two EDL types, Domain and URL. With the Domain type, you can block access to the Ads when there is a DNS query to resolve the IP of the server hosting the Ads. With the URL type, you can block access to the Ads when the host already has a cached IP for the domain, and submits a Client Hello with a matching SNI, or matching the HTTP GET. For HTTPS sessions you need to combine this solution with SSL Decryption to be able to pick up on the HTTP GET message inside the encrypted session.   The way that I implemented this is:   EDL as a Domain list 'Yoyo Ads - Domains': https://pgl.yoyo.org/as/serverlist.php?hostformat=plain&showintro=0&startdate%5Bday%5D=&startdate%5Bmonth%5D=&startdate%5Byear%5D=&mimetype=plaintext   EDL as an URL list 'Yoyo Ads - URL': https://pgl.yoyo.org/as/serverlist.php?hostformat=adblock;showintro=0&startdate%5Bday%5D=&startdate%5Bmonth%5D=&startdate%5Byear%5D=&mimetype=plaintext   I configured 'Yoyo Ads - Domains' under my Anti-Spyware profile to block:     Note that the drawback of this solution is that the Threat logs will still get filled up with 'Suspicious DNS query' drop alerts for TID 12000000 - I couldn't find a way to create a logging exception.   The next step was to configure a Security Policy that precedes my 'Internet access' rule to block any Client Hello messages containing a matching SNI. This will take care of HTTPS sessions that got as far as resolving to an IP and attempting to initiate an SSL session to the Ad servers in the list. You could remove the checkbox for 'Log at Session End' to reduce logging in the Traffic logs if you're not interested in logging for this.   Finally the last step is, if any clear text or decrypted HTTP makes it through, we block the Ad with URL filtering, which profile is tied to our Internet access security rule.   Note that this should be combined with SSL decryption to extend coverage for encrypted HTTP(S) traffic. To make SSL Decryption effective for Chrome browsers, configure a security policy that precedes these rules to Deny 'quic' traffic.   Finally my Security policy set looks like this:     (The Sinkhole rule ties to the sinkhole action for Palo Alto Networks DNS Signatures in the Anti-Spyware profile, you can alternatively choose to sinkhole your 'Yoyo Ads - Domains', but as a result, that will mix your Traffic log entries for compromised host detection, as both, an infected host, or a host browsing to an advertisement will result in a 'subsequent' connection to the Sinkhole IP - so instead - using block for Ads will help you prevent the unintended Traffic log pollution).   If you have better ways to implement this please feel free to pitch in. ... View more

The best way to blocking bittorrent is to block applications:   unknown-udp unknown-tcp bittorrent qvod   Some bittorrent clients, (like Deluge) use application qvod to evade and download torrents. ... View more

A URL will be categorized as “not-resolved”: • If there is no response from Management-Plane URL DB within 5 seconds (configurable timeout). • If the Management-Plane failed to connect to the cloud and doesn’t have the requested URL in its DB.    https://live.paloaltonetworks.com/t5/Learning-Articles/URL-Filtering-Database-Lookup-Flow/ta-p/62458 ... View more

For GMail you also need to block the 'quic' application with a policy that precedes the policy that ties to the File Blocking profile. Refer to https://live.paloaltonetworks.com/t5/Configuration-Articles/Google-Services-are-Not-Decrypted-when-Accessed-from-Chrome/ta-p/65518 ... View more

Check this one out: https://pgl.yoyo.org/as   EDL as a Domain list: https://pgl.yoyo.org/as/serverlist.php?hostformat=plain&showintro=0&startdate%5Bday%5D=&startdate%5Bmonth%5D=&startdate%5Byear%5D=&mimetype=plaintext   EDL as an URL list: https://pgl.yoyo.org/as/serverlist.php?hostformat=adblock;showintro=0&startdate%5Bday%5D=&startdate%5Bmonth%5D=&startdate%5Byear%5D=&mimetype=plaintext   ... View more

This photo (message 11) shows you're connecting the modem to the WAN port of your wifi router. It should go to the designated WAN of the firewall instead, Also you don't want to be doing source NAT twice (dont use the WAN port of the wifi router!), let the firewall do the Source NAT. Will also make your life difficult since if you want to open any ports to the outside (DNAT rules), you would have to punch that hole twice, once in the firewall and yet again on your wifi router. And the most crucial, the coax is not connected to the modem 🙂 ... View more

It looks like you spent some time drawing this, awesome diagram! ... View more

One of those cablemodems with integrated wifi, if you want to secure your wifi users you'll need to forget about the modem wifi capabilities and install a separate Wifi router, otherwise all wireless clients will go straight out to the internet through the modem.   The yellow ports will lease RFC1918 addresses on DHCP, so just use any of those ports as a regular non-wifi integrated cablemodem.   Since these also do NAT inside, you will need to enable any port forwarding to the outside. I'd recommend you configure a 'DMZ Host' (forward all TCP and UDP ports to a single IP) pointing to the WAN IP of the Firewall, so no need to worry opening ports twice every time you want to host a service to the outside. ... View more

Why would you point the default route to the wireless, that means your wi-fi won't go through the firewall. In step 3 there are two if statements, you either do one or the other. If you have a cablemodem then it is most likely serving DHCP. Just configure ethernet1/1 as DHCP client and accept whatever default route the cablemodem gives you, no need for manual input of static route.   And remember to restart the cablemodem so that it releases the association to the MAC address of your old device. ... View more

The device you show as your modem is actually a layer3 device doing NAT. If you want to hook up your firewall in Layer3 mode, then the Untrusted network for the firewall will be in the 192.168.0.0/24 network.   It is likely that the modem will give you an IP by DHCP in this network. You could ignore DHCP and set your Ethernet1/1 with IP 192.168.0.2.   Add a default route in your VR making 0.0.0.0 point to 192.168.0.1   Your LAN needs to be a different subnet than 192.168.0.0/24, so make sure you configure a different one in your DHCP server.   If you ever want to make any servers visible in the outside, you will have to configure a double Destination NAT setup, forward first in your modem, or try configuring what they call a DMZ Host (all ports in UDP and TCP forwarded to a single host). The full forward should point to 192.168.0.2 (your firewall's untrust interface in Ethernet1/1). The second DNAT jump is configured in the firewall with a DNAT policy. ... View more