This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About apackard

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
apackard
‎08-30-2020
since ‎09-23-2010
L4 Transporter
User Activity
User Profile
Latest posts by apackard
View All
User Badges
Community Statistics
Member Since ‎09-23-2010 09:13 AM
Date Last Visited ‎08-30-2020 02:59 PM
Posts 138
Total Likes Received 11

Re: "Stupid" Custom URL Filtering Question

by in General Topics
‎10-15-2012 11:20 AM
‎10-15-2012 11:20 AM
Thanks - this is what I thought - is this 'behavior by design'? However, as I understand it this means that if I add:- acme.com *.acme.com and they add a new tier:- bypass.www.acme.com then it won't match my filters and will be allowed, and I'll need to add:- *.*.acme.com Seems a bit cack-handed - and reactionary - when all I want to do is say - block "ACME"..! ... View more

"Stupid" Custom URL Filtering Question

by in General Topics
‎10-15-2012 10:37 AM
‎10-15-2012 10:37 AM
If I want to block all derivations of "acme.com" in URL filtering how should I format the domain in my blocklist/custom blocking category? If I add "acme.com" then that doesn't appear to match "www.acme.com", but if I add "*.acme.com" then it doesn't match "acme.com" (although it does it that redirects to another URL such as www.acme.com). Ultimately I wan to be able to say I am blocking ALL traffic associated with a specific domain with as few repeated entries as possible! Cheers ... View more

Re: AD Groups in Firewall Policy - Inconsistent Behaviour

by in General Topics
‎10-10-2012 09:16 AM
‎10-10-2012 09:16 AM
I've just got a little further forward. My PA's are in HA pairs and it looks as if maybe only the active device will update the GUI etc to make the new groups visible. As (in the scenario I have at the moment) the passive PA is the one set as the master device for that group in Panorama, it looks as if Panorama won't make it available in the policy section either.  I have just switched the master device to the currently active PA and now I can select the newly mapped group in the Panorama policy, and push to the HA pair. Not sure if the policy will work properly on the (currently) passive box if it is promoted to live though.... Or - it was just luck that the GUI decided to update at the time I was testing that scenario! ... View more

AD Groups in Firewall Policy - Inconsistent Behaviour

by in General Topics
‎10-10-2012 09:03 AM
‎10-10-2012 09:03 AM
I have two issues with managing firewall policies when using AD groups; running 4.1.7 - so am using the 'on-hardware' group retrieval rather than the PAN Agent. 1) When adding new groups to be mapped they do not appear in the GUI i.e. cannot be selected for a policy from the 'drop down' selector.  This will usually fix itself after a random amount of time - hours or days (and this occurs even when, using the command line interface, I have confirmed that the group is being populated and tracked by the firewall using the show users groups name command etc). 2) The Palo policy UI seems to randomly display the groups (and users) in either AD format or X500(?) format i.e. sometimes it uses acme\auser and othertimes it uses cn=auser, ou=users, o=acme This occurs both on the PA firewalls and our Panorama install. It's annoying more than anything, as we can usually work our way round the issue, but understanding why it doesn't behave consistently would be a bonus! Rgds ... View more

stunnel download triggering Virus/Win32.WGeneric.bpzq alert

by in General Topics
‎09-26-2012 05:16 AM
‎09-26-2012 05:16 AM
Has anyone using a Palo had need to download stunnel and, if so, did it trigger a Virus alert for Virus/Win32.WGeneric.bpzq? Would like to confirm that the download has not been compromised before I bypass this alert - and I'm assuming it's not just been marked as 'grey-ware' as I would have expected a more definitive alert based on the application itself. Rgds ... View more

Re: File "Block" page showing when file "Block and Continue" set

by in General Topics
‎08-31-2012 02:03 AM
‎08-31-2012 02:03 AM
Thanks very much.  Unfortunately the generated HTML does not have the layout Javascript etc so cannot be used as a template for the response page itself. I also dropped a line to our PSE at Palo and he has recommended using the URL Continue template as an alternative, so will try and base a replacement on that. Thanks again for your help though. ... View more

File "Block" page showing when file "Block and Continue" set

by in General Topics
‎08-30-2012 10:48 AM
‎08-30-2012 10:48 AM
I have an issue where I have set a 'Continue' action in a file download profile, but the file Block page is being shown instead. There is a article on here saying to reset the relevant Response Page setting, but that does not work as the page being shown is still the Block page (and when exporting the HTML from the Response Page tab it shows that it is using the Block HTML). Can someone post the default 'File Continue' HTML inc the Javascript object so I can manually import this and see if this can be fixed by forced over-writing of the incorrect HTML for this response type? Thanks ... View more

Re: Blank Threat Description

by in General Topics
‎07-30-2012 08:04 AM
‎07-30-2012 08:04 AM
I've re-created and it's slightly better - we get correct display on the firewalls themselves but not within Panorama (despite the fact that everything was created in Panorama!). ... View more

Re: AD User Identification lost on random clients. Sophos V10.x to blame?

by in General Topics
‎07-30-2012 08:01 AM
1 Kudo
‎07-30-2012 08:01 AM
1 Kudo
Do you have Server Sessions monitoring enabled on your agents? I found that this caused similar symptoms to what you describe - apparently if the agent returns a different username from a 'session scrape' to that maintained via the AD logs it 'resets' the mapping to blank (in effect it cannot conclude which one is the valid mapping so clears both and waits for an updated mapping to be setup). I still have some issues with lost mappings, but disabling this feature certainly stopped a lot (for us). ... View more

Re: Blank Threat Description

by in General Topics
‎07-20-2012 01:58 AM
‎07-20-2012 01:58 AM
Hi, 1)  I'm 99% sure that the custom signatures have worked - can't be 100% as it's been a while, but I'm as sure as can be.  I can't guarantee the specific viruses that are displaying properly have displayed previosuly, but can say that most viruses are showing. 2) Yes, we've had a few upgrades in the past 12 months, but I can't remember what version we were running when the custom sig's were made. Rgds ... View more

Wildfire Malware Domain & Palo-Alto Malware Domain Do Not Agree

by in General Topics
‎07-16-2012 06:21 AM
‎07-16-2012 06:21 AM
Has anyone who has been using Wildfire encountered a case where a piece of Malware identified via the WF assessment has had the following in the summary: "Malware came from a malware domain" where the applicable URL category returned by Palo (Brightcloud online URL lookup) does not recognise it as a malware hosting domain? I assume that the different services use different backend databases - but it's a bit annoying that there is a 'signature' (URL) available that would have prevented the download in 'one hand' that isn't being made available to the other hand! ... View more

Block and NOT Alert

by in General Topics
‎06-06-2012 06:17 AM
‎06-06-2012 06:17 AM
Is there any way of blocking an attack (threat) but not logging it? By this I mean I have some attacks that I want to drop but don't really want to get spammed in the logs because they are just 'noise' as far as I'm concerned. ... View more

Blank Threat Description

by in General Topics
‎06-06-2012 04:30 AM
‎06-06-2012 04:30 AM
I'm running Panorama 4.1.6 and am getting threat entries in the logs with no name/description (the attack id is simply repeated in the name field). This is mainly for custom threats (they do include real names and descriptions in the custom objects), but I also have some 'factory' signatures - viruses - doing the same. My Threat/App packages are all up to date, and the custom signatures were created on Panorama and shared to the PA devices. Anyone know of any known causes of this? Cheers ... View more
Labels:

Re: UserID present on Agent but not Palo Firewall

by in General Topics
‎06-02-2012 04:14 AM
‎06-02-2012 04:14 AM
Stefan, That is the issue - the agent *does* have a mapping, but the PA itself does not pick it up (even though it does for the other 500 odd accounts being tracked).  It is transient issue, so its not the host IP, or the account itself, it just sometimes doesn't get reflected accurately. Will prob have to raise an official support call, but was looking for any hints first in case there are known scenarios when this may happen. Rgds ... View more

Re: Detecting Flame exploit

by in General Topics
‎05-30-2012 05:30 AM
‎05-30-2012 05:30 AM
My answer to that question is currently - "Unless we have offices in the Middle East I'm unaware of, are politically active in Middle Eastern politics, or could otherwise be the target for 3 letter acronym Western intelligence agencies, I do not believe Flame is a present threat - unless/until the code is re-worked by cyber-criminals and deployed for other means"...! ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎08-30-2020 02:59 PM
Likes Given To
View All
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks