About Indorama_Ventures

Indorama_Ventures · ‎05-31-2018

Thanks, it appears I need to go through a local reseller in the Netherlands. I cannot create a case directly. This is cumbersome for just submitting a sample. Thanks for helping me out here. Much appreciated! Remko

Indorama_Ventures · ‎05-31-2018

I got my self a PCAP file. Thanks for pointing me in the right direction. Now need to find where to upload it for analysis. Not been able to find this yet. I noticed I can also exclude this particular finding but perhaps better to wait for the verdict of Palo Alto

Indorama_Ventures · ‎05-31-2018

I may have found something https://live.paloaltonetworks.com/t5/Learning-Articles/Tips-amp-Tricks-Enable-Packet-Captures-on-Security-Profiles/ta-p/56449

Indorama_Ventures · ‎05-31-2018

Thanks... My apologies for being a bit blond here.. Bit of a newbie I guess. 🙂 How would I go about sending the PCAP to TAC for analysis. Never done this. Have no idea were to go and where to begin.

Indorama_Ventures · ‎05-31-2018

Dear Palo Alto experts..., We have various systems in our LAN seperated by our Palo Alto firewall. In the last 24 hours the firewall detected 2.7K times the virus "Virus/Win32.WGeneric.rktkq" The systems are scanned for inventory by two programs. Spiceworks and PDQ inventory. The scan server is on one side of the firewall. The other servers are on the other side of the firewall. The "Spiceworks" server has been scanned by our Kasperksy AntiVirus solution. No detections here. What could be causing this? And if it is a false positive, what would the next path forward to solve this problem? Any thoughts you might have are very welcome. Remko

Indorama_Ventures · ‎12-12-2017

It is part of the Anti Spyware module. The default action is alert so I changed mine to "reset-both"

Indorama_Ventures · ‎11-01-2017

Also found the solution how to decrypt a site that is in a category that should not be decrypted. Problem solved. The Crypto sites are now succesfully blocked.

Indorama_Ventures · ‎11-01-2017

I have found how to block this in the AntiSpyware profile. It appears that for many of the AntiSpyware actions the default setting is alert. Even for some of the critical ones. Not sure why this is but I will play around with the settings to see if this can be set to block. Unfortunately there is an additional challange. This site is SSL encrypted and although there is SSL decryption enabled on the firewall, the site itself is classified as "Financial Services" which is excluded from SSL decryption due to regulations. So if I find the solution on how to decrypt the site, I should be able to block this. Thanks,

Indorama_Ventures · ‎10-31-2017

This week I noticed a "CoinHive Javascript Detection" in the logs of our Palo Alto. When reading on the subject I noticed that there are websites around that use Javascript to start mining Crypto coins on the users' computer. https://live.paloaltonetworks.com/t5/Community-Blog/Unauthorized-Coin-Mining-in-the-Browser/ba-p/183457 Detailed description can be found here : https://researchcenter.paloaltonetworks.com/2017/10/unit42-unauthorized-coin-mining-browser/ I noticed in the Palo Alto blog that : PANDB is able to block URLs hosting Coinhive JavaScript. My question: How does one actually block this? When I visit for example https://coinhive.com/ and push the button "Start Mining" the CPU goes up to 100%.

Indorama_Ventures · ‎09-20-2017

I have been playing with this some more and managed to get things working. I created a ROOT certificate and two user certificates based on this ROOT certificate. The user certificates have a Common-Name the same as there LDAP login username. I created an extra tunnel, portal and gateway on a different external IP address and created a public DNS record. On the Portal and Gateway I enabled a certificate profile which has the ROOT certificate defined and in the Username Field: Subject Then I tested the connection without a user cert. The connection failed as expected with the warning that no valid certicate was found. When I imported the Certificate of User "A" the userfield on Global Protect was automatically entered and greyed out. The same when I delete the certicate of User "A" and import User "B". So I believe that I got what I want. Thanks for pointing me out in the right direction! I can tweak the settings some more to for example use SSO with the Windows Credentials. Then the user does not need to enter his password for the second time. This seems to also work as expected.

Indorama_Ventures · ‎09-19-2017

Learning something new everyday 🙂 I was not aware an extra license was required. So I need to create a new portal and a new gateway. Will give this a try. About your remark please also note that if using cert auth along with with LDAP, leave the "username field" in your cert profile as "none". I want to have a certificate for each individual user. Basically as shown in this YouTube Tutorial from PaloAlto. So the user needs to have the correct LDAP credentials and must be in possesion of a valid name based certificate. Would this be possible?

Indorama_Ventures · ‎09-19-2017

I do have the luxery of extra IP addresses so I should be able to create a second gateway. Although I have not done this before I should be able to copy some settings from the existing gateway. The initial set-up was done by a consultant. Let me give this a try. Thanks for your thoughts on this.

Indorama_Ventures · ‎09-19-2017

Hi, I am currently investigating the possibily to add an extra layer of protection on our GlobalProtect Clients. Currently LDAP authentication is used but I want to add an extra layer on top of this by using a certificate handed out to each user. As we do not have that many clients I figured I might as well have the PaloAlto Firewall hand these out. I would like to have a intermediate solution where I can test this first. Do I need to set-up an extra gateway to accomplish this? If I would enable a Certificate Profile on the current gateway then all my users will be blocked as they do not have a certificate yet. I noticed that I cannot have two gateways on the same IP adress. What would be the best approach for this? Remko

Indorama_Ventures · ‎03-14-2017

Thanks both for your answers. We will plan a maintenance window to update both firewalls to their latest version. Any recommendations to which version? I noticed that version 8.0.0 has been released recently. Would it be wise to stick with 7.1.8 for now? Remko

Indorama_Ventures · ‎03-13-2017

Hi guys, We wittnessed a very strange phenomenon this morning. First we received a call that our VPN gateway was not accepting any VPN connections. At the same time we received calls that certain websites were not accessible. These websites had in common that they were SSL encrypted. We have 2 PA-500 firewalls with a HA configuration. SSL decryption is enabled for certain networks (workstations). SSL decryption uses a different certificate than our VPN gateway. Both certificates are valid. As soon as we turned off SSL decryption, the VPN gateway started to accept connections. When we turned SSL decryption back on we noticed that some websites were decrypted while others were not. The sites that were not decrypted should have been decrypted. They were not in the "Do-not-Decrypt" list. To be certain the firewall was doing the job right, I deleted the certificate cache on my browser. I also visited sites that were SSL encrypted which I had not visited before. We are a bit puzzled what happened here. Currently we have SSL decryption turned off but would like to have it on again. The PA-500 is a few software versions behind. Currently on version 7.1.2 I have tried to find anything related in the release notes of the newer versions that might indicate a problem with our current version. I was not able to find this. Any ideas what might be going on? Remko

Member Since	‎07-12-2016 06:49 AM
Date Last Visited	‎10-03-2024 09:55 AM
Posts	42
Total Likes Received	7

Online Status	Offline
Date Last Visited	‎10-03-2024 09:55 AM

About Indorama_Ventures

Re: "SMB: User Password Brute Force Attempt detected" on share that is not being accessed

Re: "SMB: User Password Brute Force Attempt detected" on share that is not being accessed

Re: "SMB: User Password Brute Force Attempt detected" on share that is not being accessed

"SMB: User Password Brute Force Attempt detected" on share that is not being accessed

Re: Credential Phishing Protection troubleshooting

Re: Credential Phishing Protection troubleshooting

Re: Credential Phishing Protection troubleshooting

Re: Credential Phishing Protection troubleshooting

Re: Credential Phishing Protection troubleshooting

Re: Clientless VPN (Web) and SSO credentials

Global Protect - Traffic interrupted while still showing connected

Re: Firewall intercepts Virus between networks. False Positive???

Re: How to block Crypto Miner (javascript)

Re: Scanning AntiVirus through SMB

Re: How to block Crypto Miner (javascript)

Re: SSL decryption & not working VPN

Re: SSL decryption & not working VPN

Re: Scanning AntiVirus through SMB

Re: Firewall intercepts Virus between networks. False Positive???

Re: Firewall intercepts Virus between networks. False Positive???

Re: Firewall intercepts Virus between networks. False Positive???

Re: Firewall intercepts Virus between networks. False Positive???

Firewall intercepts Virus between networks. False Positive???

Re: How to block Crypto Miner (javascript)

Re: How to block Crypto Miner (javascript)

Re: How to block Crypto Miner (javascript)

How to block Crypto Miner (javascript)

Re: How to migrate GlobalProtect from LDAP authentication to LDAP + Cert authentication

Re: How to migrate GlobalProtect from LDAP authentication to LDAP + Cert authentication

Re: How to migrate GlobalProtect from LDAP authentication to LDAP + Cert authentication

How to migrate GlobalProtect from LDAP authentication to LDAP + Cert authentication

Re: SSL decryption & not working VPN

SSL decryption & not working VPN

Unlock your full community experience!

About Indorama_Ventures