This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About nigelswift

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
nigelswift
‎08-18-2020
since ‎01-31-2017
L4 Transporter
User Activity
User Profile
Latest posts by nigelswift
View All
User Badges
Community Statistics
Member Since ‎01-31-2017 07:12 PM
Date Last Visited ‎08-18-2020 11:38 PM
Posts 85
Total Likes Received 25

Re: Adding a new firewall to existing log collector group via API

by in Automation/API Discussions
‎04-12-2019 11:36 AM
‎04-12-2019 11:36 AM
Hey Jason, if you want to just reply here with the xpath and element that we were able to determine was working for the call in case anyone else comes along and is looking for the answer. ... View more

Re: Request to whitelist: Outbyte PCRepair

by in VirusTotal
‎04-12-2019 10:39 AM
1 Kudo
‎04-12-2019 10:39 AM
1 Kudo
Just got confirmation that the previous hashes have been changed to a benign verdict. I'm taking a look at the new samples you provided now and will let you know whether they get submitted or not shortly after I analyze them. ... View more

Re: Adding a new firewall to existing log collector group via API

by in Automation/API Discussions
‎04-12-2019 10:30 AM
‎04-12-2019 10:30 AM
Hey Jason,   Good on you for pulling the debug. Usually good info.   For configuration calls, we use the type=config calls. For setting configuration, we'd use action=set. The call to actually pull the config for log collector group is below.   /api/?type=config&action=get&xpath=/config/devices/entry[@name='localhost.localdomain']/log-collector-group At this point I don't have a lab set up that I could directly test this against to actually get the syntax we need to set, but if you have some time I was able to get your contact info from our internal support site and would be happy to reach out if you have an opportunity to test a few calls with me on a call. If not and just the call above is sufficient and you'd like to figure out the rest on your own, that's fine as well. Let me know, it should be a pretty quick thing assuming you have management access to the Panorama. ... View more

Re: port scan and flood traffic

by in Threat & Vulnerability Discussions
‎04-12-2019 09:58 AM
‎04-12-2019 09:58 AM
Are you referring to DoS/Zone protection? If so, I would assure you've made consideration for what your thresholds (alert, activate, maximum) are set as. As these triggering based on amount of traffic based on protocol. For zone protection, this would be for the ingress zone and for DoS protection it would apply to whatever matches your DoS policy.   Generally I like to set a relatively low alert and a relatively high activate/maximum thresholds, and then scale up the alert until your normal network traffic is no longer triggering an alert.   Keep in mind that whether you're using RED (random early drop) or SYN cookies, the percentage of traffic that is "actioned" scales linearly between activate and maximum. So if my activate is 10,000 and my maximum is 20,000, each increase in 100 connections per second (1% of the difference between 20,000 and 10,000) is going to cause the firewall to action 1% more traffic.   The document below is a personal favorite and goes pretty far into depth on our coverage as a whole. The section you'd be interested in for floods is near the beginning of the document.   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClOGCA0 ... View more

Re: Request to whitelist: Outbyte PCRepair

by in VirusTotal
‎04-11-2019 02:39 PM
1 Kudo
‎04-11-2019 02:39 PM
1 Kudo
Thanks for supplying the hashes in question. I have submitted these for further review and we will follow up accordingly as to what the verdict will be. ... View more

Re: policy rules hit count from API

by in Automation/API Discussions
‎04-04-2019 04:30 PM
2 Kudos
‎04-04-2019 04:30 PM
2 Kudos
It's pretty easy, just typing in "debug cli on" will enable the debugging. It's only persists for your SSH session, so you won't have to worry about turning it off if you're using the CLI for other things and don't like the extraneous output, just do it when you actually want to see the calls. ... View more

Re: Block VPN for School Students

by in Threat & Vulnerability Discussions
‎04-03-2019 05:28 PM
‎04-03-2019 05:28 PM
I imagine these are mostly web-based if they're a plugin. Beyond enforcing what plugins users could install outside the firewall, you could use URL filtering to specfically allow the sites necessary. Additionally alerting on all categories and then blocking what you'd like to accordingly is also an option.   There are various app-ID's for different VPN's like you've described if you know specifically what you're trying to enforce that you could also leverage. ... View more

Re: API call for virtual router run time stats

by in Automation/API Discussions
‎03-28-2019 04:30 PM
1 Kudo
‎03-28-2019 04:30 PM
1 Kudo
So the context switching would apply to operational API commands that would normally appear on the firewall. So instead of making the API call to the firewall, as you mentioned you provide the target serial number and the Panorama then forwards and returns to you the output of the operational command.   As far as to a UI view that shows runtime stats specifically, that wouldn't be what the API would be used for. However, there are commands that would show the routing and forwarding table which you can then leverage for the targeted redirection. They aren't presented in a UI as you see in the runtime though.   Those calls would be: /api/?type=op&cmd=<show><routing><route></route></routing></show> and /api/?type=op&cmd=<show><routing><fib></fib></routing></show> ... View more

Re: API call for virtual router run time stats

by in Automation/API Discussions
‎03-28-2019 03:41 PM
‎03-28-2019 03:41 PM
Most of this info is reflected somewhere in the API. What specifically are you looking for? ... View more

Re: Cobalt Strike Potential Command and Control Traffic(18927)

by in Threat & Vulnerability Discussions
‎03-28-2019 10:58 AM
‎03-28-2019 10:58 AM
We haven't seen any reported at this point. ... View more

Re: Sw.js, Hipobject.js,rapidworker.js logs generating in Palo alto firewall

by in Threat & Vulnerability Discussions
‎03-28-2019 10:53 AM
‎03-28-2019 10:53 AM
Would you mind sharing your case number here so I can make sure it's assigned to the right group and that we can get this moving forward? ... View more

Re: False Positive Removal Request

by in VirusTotal
‎03-27-2019 03:25 PM
‎03-27-2019 03:25 PM
Just a heads up just got confirmation the sample is now correctly showing as benign. ... View more

Re: False Positive Removal Request

by in VirusTotal
‎03-27-2019 10:40 AM
‎03-27-2019 10:40 AM
Hey Bob,   Apologies for that. I've submitted the change request. Let's see if we get one more and I'll see if I can investigate further as to why this keeps happening. ... View more

Re: Sw.js, Hipobject.js,rapidworker.js logs generating in Palo alto firewall

by in Threat & Vulnerability Discussions
‎03-27-2019 10:33 AM
‎03-27-2019 10:33 AM
Do you happen to have a copy of the emails in question? Would you be able to open a support case with a category of Threat so that we can investigate this further? ... View more

Re: policy rules hit count from API

by in Automation/API Discussions
‎03-25-2019 03:17 PM
1 Kudo
‎03-25-2019 03:17 PM
1 Kudo
I believe this is an issue with the syntax being used. I did notice this command is not as well documented as some of the others, especially considering it takes additional arguments such as the rule name. This includes the API browser and the XML API guide.   What I ended up doing is using "debug cli on" from an SSH session to the firewall and then performing the command in question. Specifically the output from this that is helpful looks like this: <request cmd="op" cookie="2010229745062995" uid="500"><operations><show><rule-hit-count><vsys><vsys-name><entry name='vsys1'><rule-base><entry name='security'><rules><list><member>Trust-to-Untrust</member ></list></rules></entry></rule-base></entry></vsys-name></vsys></rule-hit-count></show></operations></request> From this, I know what I'm looking for is in between <show> and </show> (this pattern should be consistent for all operational commands, specific to whatever word is in the beginning of the command for instance "request ..." would be different). This piece is the cmd argument of your API call.   Tying this all together, a call for a specific rule called "Trust-to-Untrust" would look like this:   https://IP_ADDRESS/api/?type=op&key=APIKEY&cmd=<show><rule-hit-count><vsys><vsys-name><entry name='vsys1'><rule-base><entry name='security'><rules><list><member>Trust-to-Untrust</member ></list></rules></entry></rule-base></entry></vsys-name></vsys></rule-hit-count></show> where the rule name could be swapped where you see "Trust-to-Untrust". Tested this in my lab and it is working as expected.     If you have any other issues with this particular call, feel free to reply here and I'd be happy to take a look. ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎08-18-2020 11:38 PM
Latest Tags
No tags yet
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks