About Brandon_Wertz

So with WMI on it doesn't appear to resolve the auth pop-up issue. ... View more

I had WMI enabled previously, but had a bunch of error logs.  I don't remember specifically but was told from TAC/SE to not WMI, so that's been disabled.  I've gone ahead and enabled it on 2 of the 4.  We'll see what happens there. We've got NTLM/CP enabled but we're doing CP in transparent mode so we should never actually see a true CP auth. Hopefully the WMI query fixes the pop-ups. ... View more

This is where Palo is doing a disservice to it's customer base.  I'm not certain where this premise that "We should only log things that we want to deny" came from.  The firewall is a security appliance.  A device used for usage audit history and compliance verification.  It's annoying when I call into TAC and I get the same spiel from them about "Logging on session start"...well you know that is going to create a lot of logs.  Since when is more information a bad thing?  Using a firewall as it's intended wouldn't administrators need to be able to track back a source of infection?  If we're blocking every malicious thing from the beginning and nothing ever is miscategorized, not caught, or users never do anything bad then sure we don't need to log the "allowed" stuff.  But we live in the real world.  Where things are missed, malware gets by and users don't do what we want them to.  It kind of difficult to triage incidents retroactively when there isn't even a log of the even occurring. Sorry this didn't answer the question (it already has been), but it seems in general more and more comments are about "not logging" to reduce the performance hit or log retention when what should happen is administrators should bake these concerns into the original architecture and deploy a solution taking these concerns in mind. ... View more

I can't keep it straight if using it in security policy either doesn't create a URL log or doesn't allow you to use a URL response page, but I know it's one of them as well. ... View more

6.1.4, but I want to upgrade them to 7.X.X train. ... View more

Is this going to be an issue for all PA-200s? I've looked at some 200s I have any it appears I'm going to run into the same issue with disk space. ... View more

What's the intent of using a URL Category in security policy in conjunction with a URL Profile? ... View more

using them in the rule is a way to get around paying for the service. ... View more

The problem with this though you don't get corresponding URL logs for allows or denies.  I guess it's only a problem if you care to see what's being denied. ... View more

This is actually really simple: 1.  Create a "Custom URL Category" called "DelinquentUsersAllow" or whatever else you wish to name it. 2.  Add the 5 URLs to this category 3.  Create a new URL Profile called "DelinquentUsersAllow" or whatever else you wish to name it. 4.  Set all URL categories in this new URL profile to "block" except for this new category being set to "alert" 5.  Create a new rule in security policy which uses the AD group you wish as the source user, and also using this new URL profile. ... View more

Following what you were asking before: Sending filters that you establish from the threat logs to your syslog SIEM: IE..( subtype eq vulnerability ) and ( threatid eq 34804 ) and ( app eq web-browsing ) and ( action eq alert ) and ( severity eq medium ) and ( rule eq 'OBB -  Alw Guest Netwrk to Inet' ) What would be the point of sending this specifically?  Wouldn't it just be easier to use the native functions within the respective tools?  IE...the "clickable" filtering in the Palo UI and the regex parsing within your SIEM? ... View more

I think maybe his boss is worried about storage retention, just guessing, that's why he's trying to not even send certain ones.  The point of the SIEM though is to have all logs and let the correlation engine decide based upon all possible related information to bring to the front the most relevant logs. ... View more

In the 'Log Forwarding" profile that googol included a screen shot of you can elect which threats you wanted to send to your SEIM/Syslog. Further within the SEIM you can use REGEX to parse the fields and filter exactly the records you're looking for. For instance a "Threat" log with a threat type of "virus" of a "medium" severity can be filtered to either be included or excluded in your SEIM: 2015/07/21 09:49:53,*DEVICE SN*,THREAT,virus,*A BUNCH OF STUFF SEPARATED BY ALPHA NUMERIC CHARACTERS SEPARATED BY COMMAS* ,Virus/Win32.ramnit.aztfn(2022885),any,medium,server-to-client,*MORE STUFF FOLLOWS* Here was a log example from our SEIM.  You'd have to use REGEX to parse through the log message to the relevant fields but you could filter to the log types you're wanting this way as well. ... View more

Are you asking about event correlation?  That's done via a SEIM like ArcSight or QRadar.  Via a syslog profile you can forward the threat logs to a SEIM which in turn will correlate all relevant logs. ... View more