About Brandon_Wertz

Official notice and sticky thread here   https://live.paloaltonetworks.com/t5/General-Topics/Panorama-Certificate-Expiration-on-June-16-2017/m-p/150948#U150948 ... View more

I think this might be what you're looking for.     ... View more

All of the required certificates are in the appropriate certificate store.   Without talking abouot Firefox, my main concern is dealing with IE since this is our corporate browser.   I still can't deploy SSL decryption, because the visual aspect of the browser bar is significaly different when the SSL decryption is enabled. As you can see from my first post above, with IE it's likely there is no secured session established despite the fact that SSL decyption is enabled... ... View more

yes, a PE file could be in 4 zips deep if sent over a plain connection, but a docx only 3 because the docx itself is encoded, the transport layer itself also counts so if it's sent over http chunk encoding you could only go 3 deep for the PE or 2 for the docx   once the number of levels is exceeded, the file blocking profile (and per extention WildFire) would only see multi-level-encoding and act upon your policy to allow or deny, but no longer forward ... View more

Main article with details on TLS and HTTP evasion is available at: https://live.paloaltonetworks.com/t5/Customer-Advisories/Information-regarding-TLS-HTTP-header-evasion/ta-p/76562   The inclusion of DNS proxy ensures that the client will receive exactly same server IP address that the firewall has resolved. There are three possible scenarios:   1) Client does not send a DNS requests and connects directly to the IP with specific SNI header on Client Hello request. Firewall performs a lookup on the domain in SNI header and if the IP address returned by DNS server matches destination IP of clients request, the traffic will be passed, else it will trigger evasion signature. 2) Client sends DNS request directly to external DNS server and subsequently connects to the IP address that was returned by the server with corresponding SNI header. Firewall performs a lookup on the domain in SNI header and if the IP address matches, the traffic will be passed, else it will trigger evasion signature. Note that firewall's and client's DNS requests are independent, and thus each can have a different IP address returned. This is common for large, cloud-based websites (Google, Facebook etc.) that use this for load-balancing purposes. 3) Client send DNS request to DNS proxy on the firewall. Firewall performs DNS lookup and sends client the IP address returned by DNS server. In this case client and firewall have received same IP address for the domain and therefore the subsequent connection from client will match the IP with the SNI header (the result from DNS query is cached on the firewall and no further lookup is necessary). Traffic is therefore allowed.   For associated Suspicious HTTP Evasion Found feature the mechanism is the same, except the lookup is done for Host header in HTTP request instead of SNI. ... View more

Hey all; so i've been looking through this and it appears that all of my weird entires are from fqtag.com, and it's only listing the last section of the URL which is why it looks so god awfully weird. I've open a case to see why it's doing this and not showing fqtag.com/whatever so we can at least verify what domain they are going to.  ... View more

Here is the CERT report outlining the issues when settting up corporate decryption and not mentioning any specific vendors.   https://www.us-cert.gov/ncas/alerts/TA17-075A   Would be a good exercise to have a best practices document for how PA could follow these recomendations. ... View more

A quick and dirty way to know if an object is in use is to delete it. You can click on the first entry and shift click on the last one to select all the objects. If an object is in use, it will not be deleted (an error message will appear). You can then preview the changes to see what is actually not used. Make sure you revert to the running config after doing that! Also, you coworkers might freak out when they see you do that.   Benjamin ... View more

@jhickey  If this drive only needs to be available on that specific subnet?  If that is the case, can you just assign a static ip address to it without a default gateway and dns setting ?   You may want to check with your internal IT security team as well.  What is the risk to your company?   ... View more

@reaperthanks for clarification on the databas   @BPryhalf truth on my part. I know where you're coming from, that's called job security for me. nobody reads error messages or how to use google if they do. but truth is that in my environment, there's never a commit without warnings (of course if you don't address them, they won't go away), so that I have warning fatigue. On the rare occassion there's a failure, it usually takes me 2 or 3 commits to even notice. but when I do notice them, I do read them. promise. ... View more

A mail account could have shown indications of compromise this past weekend, but unauthorized access could have occurred well before you first obseved malicious behavior.   It's not a stretch that Palo's AV/WF sigs reacted to traffic originating from your enviornment just a few weeks prior to any observed activity. ... View more

@gwessonyou are correct we could just change the service to any but this is a security comprimise as we do have multiple application in this rule.   The reason we are using application default is we need to specify the ports to adhere to our security requirements.   @OtakarKlieryou are also correct as we currently have rules to allow these applications over port 443 but these rules are becoming cumbersome to manage.   Update also I am told these 2 feature requests might be the fix. FR ID : 2636, this is to dynamically update the port information and allow the traffic. FR ID : 3914, Ability to Clone an existing App-ID (not custom) and change name and ports.   Anyone else want to get their SE to put in a vote for these? ... View more

Thanks Kiwi for the clarification.  Agree...The changes in 7.1 where the "reason for end" which illustrates certificate issues as well as features like this which give greater visibility to admins in the GUI is always a good thing. ... View more