About Brandon_Wertz

that's what i need to know.   Many thanks for that. System should not prompt for pw when u try to ssh to HA! port. ... View more

Hello, All the models of PAN even the virtual ones perform this funtion. You will need the Threat PRevent license if you want automatic updates.   Regards, ... View more

@reaper wrote: There wont be a URL log when you only set that action, but you can add an 'alert all' url filtering profile for logging purposes     Yeah...I think this is a big thing for admins to think about...when using the URL category via security policy instead of a URL profile there will be a lacking of those logs ... View more

WCF = Web content filtering --> traffic where URL filtering profiles can be applied ... View more

@aaobuhov, @aaobuhov wrote: Thanks, ShaiW. Good idea.   Creating a separate application for each file mask seems to me not correct. So the set extension isn't staying the same then, or what do you mean by file mask?    The issue with trying to help you build a vulnerability signature with a file that has a renamed extension like this is we can't really do it for you without samples to work with. You need to take a packet capture to see if you actually can build a custom vulnerability signature to match what you are looking for; can a vulnerability signature be built to detect this, absolutely, but we would need a few examples to actually work with.  ... View more

MAny thanks for great info. Much appreciated answering the question ... View more

Hey @Blueearthfoods   As a followup to @Brandon_Wertz message, you need to confirm you have the following User-ID concepts in place.   1. Can the firewall map IP addresses to usernames?   https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/user-id/map-ip-addresses-to-users   2. Can the firewall map those usernames to groups?   https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/user-id/map-users-to-groups   If both are met, you can simply build your security policy as you normally would but under the "Source User" you can specify that AD group.   At a high level for your requirement, you would have something like.   Security policy to allow traffic outbound if the source user group is "block level 1", attach the relevant security profiles to the rule to block the "bad stuff" including a URL filtering profile which is blocking the recommended categories: Phishing, Malware, Command and Control etc.   https://docs.paloaltonetworks.com/best-practices/8-1/internet-gateway-best-practices/best-practice-internet-gateway-security-policy/create-best-practice-security-profiles   For the second requirement, you would create a new custom URL category for your whitelist, add all your sites there. Add a new policy to allow traffic if they are going to this URL category for users in group "block level 2" Add a new policy below this policy to block everything from the user group "block level 2"   https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/url-filtering/url-filtering-concepts/url-category-as-policy-match-criteria   Cheers, Luke.   ... View more

The expression you've listed doesn't work the way you're intending.   ([518497|518472|518536]{6})([0-9]{10})   The way a regex works when it comes to square brackets is a list, not a string. Every digit 1-9 is included in the three values you provided (highlighted in red below):  [518497|518472|518536]   So the regex as it's written above is essentially the same as: [1-9]{6}[0-9]{10}   Which is to say that it matches any of the following: 1112221234567890 9999999999999999 5371627591995601   The regex to match what you want may be: 518497|518472|518536[0-9]{16}     That won't work on the firewall though, it needs 7 non-token characters to start the match, and the values you provided are only six characters. Additionally, you added "503441" to your first reply to @Brandon_Wertz so there may be more you're trying to match against.   If you can put some of the actual strings you want to match it may help.  ... View more

@JamesMoffatt wrote: @Brandon_WertzThank you. No not all traffic only O365. ...   Sorry, this currently is not possible with any Palo platform.  You can NOT route based on the "traditional" applications you're wanting to.   You're best bet is to leverage minmeld currently creating an IP address group for what is considered "O365" and route traffic that way, but you can't use for instance "Sharepoint-Online" application as a routing decision. ... View more

I expereinced something similar, not sure if it's exactly the same.  I think if you do a bug scrub there was a bug-id identified for this.   I opened a case a while back on this topic:       Here are the relevant case notes (00935485 - 7/16/2018 - PAN-OS 8.0.10 (at the time)):   "Thank you for the time spent on the zoom session today. Below is the summary: We checked via GUI and we do not see the two CSRs under <XXX>RootCA We loaded older config from July 5th from when the CSRs were generated, and we saw them in the XML file We loaded yesterday's config(596) and that one had the CSRs too We checked current config via CLI, and the CSRs are not there We tried generating a bogus CSR, and that showed up in GUI correctly You mentioned to just go ahead with generating the CSRs again, and we see both showed up correctly today. As discussed, I will now close the case." ... View more