About mhuels

bpappas schrieb: @mhuels: Have you configured the CRL/OCSP options on the Device tab -> Server CRL / OCSP Settings screen? -Benjamin Hi Benjamin, up to now, we did not have configured anything in the CRL/OCSP tab. Since 5 minutes, we have enabled the checking of revocation lists via CRL and OCSP. Testing on https://188.203.119.3, the firewall blocks the ssl traffic (the browsers shows a timeout). Although it would be nicer not to drop but to bring out a security warning or an invalid certificate, this behaviour is tolerable for us. There are not so much diginotar certificates anymore ... Thanks for your hint. Manfred ... View more

Hi Benjamin, since restarting our firewall (running 3.1.10), we see, for example by surfing on https://balie.culemborg.nl/, a "drop-all-packets" in the threat log. But in fact, the firewall does not drop the traffic nor shows any error or warning in the decrypted certificate. So we have the bizarre situation having error hints in browsers without PA firewall (as all browsers have removed the diginotar CA), but no warnings in browsers which are secured by a PA firewall (because all browsers accepts the PA certificate, which is used to re-encrypt the SSL traffic). regards Manfred ... View more

They realeased update 265 to alert on certs with the DigiNotar Root Authority, but its not clear if that removes from the device as well or if a different update is required for the device. Also other CAs are concerned apparently. (german website) http://www.heise.de/open/meldung/DigiNotar-Hack-GlobalSign-stellt-vorerst-keine-Zertifikate-mehr-aus-1338162.html ... View more

I advise all users to read the release notes for each release of content and PAN-OS so that you know what has been addressed by each update you apply to your device(s). Thanks, Benjamin Hi Benjamin, is it a secret, where to find the trusted certificate store on a palo alto system? Why don't you tell the customers simply the method to control the certificate store by themselves? kindly regards Manfred ... View more

Hi Doris, we are updating our PAN application knowledgecontent allways shortly after it will be delivered. So the phenome occurs on all content, i guess (if i do understand your question correctly). Our OS is 3.1.8 and will be updated to 4.0.3 next week. ciao Manni ... View more

Hi Doris, we tested all the mail attachements with one rule. So in this kind of "file blocking" rule, all executables (so called PE files in PA speek = PE -Microsoft Windows Portable Executable (exe, dll, com, scr, ocx, cpl, sys, drv, tlb)) should be detected. The mails were not encrypted, least of all not with SSL. The communication port was tcp 25 = normal emailexchange between a german freemailer and our mailserver. PA detects correctly the application "smtp" in this data exchange. Exe, dll, com, scr, ocx, cpl, drv were detected correctly, sys and tlb were not detected. The relating rule simple says: alert all data files - please look at the attached gif. So a reg or a cmd file should be detected too. But the reg files was detected never, and the cmd file was only detected, if the filename ends with "*.cmd". What makes me very unhappy is, that there is no file logging, although we haved attached some files at an email. In my humble opinion is an attachement very easy to detect, so why did i got no log entry? The PA art of security seems not to be sufficiently in another point of email communication. If i send an email with javascript in his data body, there is no method in PA to detect and block this code (i tried several data patterns in file blocking or data filtering rules and self designed applications or vulnerabilities). Other security engines like mcafee/webwasher or finjan are able to block such code.   Manfred ... View more

Possibly it would be better to log all the unknown files as "unknown files" than to conceal it. ... View more

Hi Doris, PA explicitely declares that they are able to detect the file type "sys" or "reg". But it does not detect this file types, if they are in a mail attachment. Additionally, it should be possible to detect filetypes like "vxd", if PA tries to keep their customer free from potentially harmfull files. Third, it is not a good work, if the PA detects the file type "cmd" only, if the file name ends with ".cmd". regards Manfred ... View more

I tried to set the custom data pattern in a data filtering rule, which did not work. Perhaps PA covers the SMTP header and the data-body in two different matching-machines? If so, i would have to set two patterns. But although ".*(\x3c\x[sS][cC][rR][iI][pP][tT])" has 7 byte, you cannot install it because of beeing too short. ".*(<script)"  and ".*(\x3c\xscript)" are both malformed, "script" has only 6 byte and again would it be not sufficient for this case. ... View more

pattern-match -> smtp-resp-content does not works. ... View more

Perhaps the easiest way should be to put something like www.unwished.com   www.yourcompany.com in the /etc/hosts of your DNS-Server. Another way could be to configure a redirection in your squid proxy - if existing. The "unknown-req-udp-payload" pattern matching in a PA spyware custom signature is not to very promising. The "Data Filtering" pattern matching looks only to files, and only to a few types of them. ... View more