About gafrol

Did not help either. For some reason 429 is not available for download anymore. ... View more

Ok I have deleted the Content Image 429 on the Firewall and hit the Check now button again, not coming down the line anymore ... Something screwed up 429 ? ... View more

I have installed Application and Threat Content Release 429 but I cannot find the Signature....? Anyone else ? I just checked on the Dynamic Updates Website on Support, it's not there.... Withdrawal ? ... View more

Application and Threat Content Release Notes Version 429 Notes: A critical vulnerability in OpenSSL (CVE-2014-0160: OpenSSL Private Key Disclosure Vulnerability) was recently disclosed, affecting servers running OpenSSL 1.0.1 through 1.0.1f. This vulnerability allows arbitrary memory readout, which effectively exposes primary key material and compromises the integrity of the secure channel. To address this vulnerability, Palo Alto Networks has released an emergency content update that provides detection of attempted exploitation of CVE-2014-0160 with IPS vulnerability signature ID 36416 ("OpenSSL TLS Heartbeat Information Disclosure Vulnerability") with critical severity and a default action of block. Palo Alto Networks customers with a Threat Prevention subscription are advised to verify that they are running the latest content version on their devices. If you have any questions about coverage for this advisory, please contact Support. Modified Decoders (1) Name ssl New Vulnerability Signatures (1) Severity ID Attack Name CVE ID Vendor ID Default Action Minimum PAN-OS Version critical 36416 OpenSSL TLS Heartbeat Information Disclosure Vulnerability CVE-2014-0160 reset-server 3.1.0 ... View more

I just tested the same against 5.0.10 --> Not vulnerable ! ... View more

I have tested GP SSL VPN for the heartbleed bug. It seems PANOS 6.0.1 is not vulnerable. ... View more

In the service column of the rule instead of using service "any" change it to "application-default". That should help. ... View more

https://live.paloaltonetworks.com/message/23804 ... View more

Unfortunately this is only working on a per Rule basis. What if one object of a certain rule has never been used but all other objects in that rule have been used ? This rule will be marked as "used" Rule which is only the half of the truth. ... View more

Never use apps alone for inbound connections to your DMZ Server, always use service ports for that. If you use apps only you will open a big hole in your firewall. Maybe I misunderstood your question and your talking outbound from your DMZ Server. ... View more

We use Firemon exactly for this purpose. There are no "onboard" tools available for your requirements ... View more

Absolutely, the main negative feedback we get from customers is due to the slowness of the MP of the 2000 Series boxes. People tend to generalise this slowness to all the PAN Firewalls which leads to a bad reputation in the market. PAN should really do something about it. ... View more

Still running 6.0 since almost two weeks without any problems. Well done PAN from my side ! ... View more