About Lucky

Hi,   just to let you know - I checked, my idea with custom app won't work - it will not override settings of the default decoder. Scratch that and talk to PAN SE or TAC.   Best regards Luciano ... View more

Hi,   I did not know the answer to that question above and I passed answering (thanks Torm! for response) but I have two cents to add: - you should avoid setting up agent on AD server itself, - you can always install additional copy of Windows server and forward domain security logs to it, and install agent onto it - to get dedicated Windows machine for agent. This helps to avoid stress to "regular" servers with large environments and lots of users, it is easier to deploy extra host just to serve for AgentID.   Best regards   Luciano ... View more

Hi Iweltag,   I am glad advice still had some value 🙂 ok, so it will work with ms-office. I would think it should work with docx but "your mileage may wary" depending on the particular docx and perhaps of what it embeds, so I would still go for ms-office filetype. If this creates a problem for you (for example, you wanted exclusively docx forwarded but not the rest) you should still open the case with TAC.   Best regards Luciano ... View more

Hi Walt,   I am just looking at your diagram, and I am thinking you should be able to use Layer3 trunk as the interface, and than create sub-interfaces per VLAN to control the traffic of particular vlans.   That's how I am running my lab, a bit smaller configuration in terms of devices but I am basically connecting with Layer3 untagged interface to my trunk port, and than I have L3 sub-interfaces with VLAN tags and IP addresses that are effective gateways for VLANs in virtual environment, that way I am using full bandwidth of the interface and just doing logical routing with VLANs and Virtual router inside.   Combining L2 and L3 interface configuration per interface is not possible, but there are plenty of other solutions - sixtuplet that is used to evaluate session does NOT include interface: what matters for session matching are IP addresses, ports, zone and protocol. So, as long as your packets match those six items does not really matter what interface they came in or went out through. Another thing is that L2 does not offer the best inspection and visibility into traffic, you should always try to have L3 interfaces and inspection rather than L2 or vwire/tap inspection.   Best regards, Luciano ... View more

Hi Iweltag,   I was going to respond to your message but than did not have firewall with lesser PAN-OS than 7.x to check if I am correct 😕 sorry I didn't, I feel like coming late to the party now. Anyways:   I think you could either add zip filetype or ms-office (not sure if that exists as such in 6.x) along with .doc filetype; fact is that there is a big difference in fileformats where .doc is closed file format and if I remember well should have magic number "D0C F11E" - doc file; while docx is actually an archive containing more files and you can open office xlsx or docx and such files with unarchiver app.   I would try adding doc and zip filetypes to your file blocking profile to check if that will work, and if you have ms-office try that filetype as well instead of any. Otherwise, if docx was selectable but not working as expected I would open a case with TAC to check and to bring the issue to their attention.   Best regards Luciano ... View more

Hi Admin,   as you properly noticed, if it is not listed in official documentation "should" is the best you will get 🙂 However, in practice, I have not experienced any major issues and I do import configurations very often (load configs from one device into another, non-matching models, for either a quick look or for replication). There was a discussion with a bit more detail on hw upgrades and problems, shared here, explaining what might break, why, and what to do in such case.   As 3020 has more interfaces than 500, as long as you match all software updates and content versions, you should not see any problems, I would be suprised if you did. Problems I personally saw were almost always 2k or 4k into something else (as old boxes have more interfaces) or 5k into VM, or when importing multi-vsys configs into single-vsys devices, and I imported...lots of configurations 🙂    If you get stuck, let us know what happened or open a TAC case - you will hopefully have some time to test it and not merely hours/minutes to replace them. In the worst case, you can always open TAC case in advance and submit tech support file from your PA-500 asking TAC to check if they can import it without problems into their lab 3020 device.   Best regards, Luciano ... View more

Hi,   For what it's worth, I think your signature is mostly valid but it has some extra spaces and it also should probably escape brackets, I am not completely sure what are you trying to match, do you need brackets or not? Anyways, that is regex-wise; for PAN-OS you are failing to meet another requirement: Problem you are seeing is that for any custom signature, you have to have at least 7 bytes of fixed string that must be fixed; so no regex can be used WITHIN those 7 characters / bytes. You can use regex together with that anchor, but you must have a 7-byte anchor.   I really don't have any pop3 service running or configurable to test this with, but there MUST be some string in email header that you can grab for this? (I still am not sure if my proposal works as I can't test it)   What I would try - I would set: 1. custom but simple application for pop3, as explained, just defining tcp/110, 2. simple vulnerability signature catching onto fixed string, something like "subject", 3. make an exception in all existing vuln profiles for this signature (you don't want it catching everything and anything before you test it!), 4. create new vuln profile (that does not have this in exception), 5. create new security policy applying only to sender/receiver of email, using custom app, using vulnerability protection profile from step 4 (only one that does not have new vuln profile in exception list)   This way, you will start with very simple signature and work out if this works at all, if it does, than you can perhaps share with us how your headers usually look so maybe we can together find some 7-byte string that would work better.   Best regards,   Luciano ... View more

Hi Luca,   I work for the TAC, and I just searched active cases - don't see a fresh case where someone asked for update of this signature / application. Now, your mileage will be better if you request signature update compared to response time if I request update of the signature - it is always better to have "real" customer asking for it, it will get better attention, that is why I encouraged reporting this issue through the case 🙂   (some disclaimer of liability: There are more than few internal employees visiting forums and helping, but all support provided here is on voluntary basis, for any "official" support or "official" responses anyone should always open a TAC case :)) )   Best regards,   Luciano ... View more

Hi apike, welcome to community forums.   I am not completely sure but I am thinking this might help: you need to work around of Rick's comment because he is right; why don't you try creating custom app "myPOP3" and define it for port tcp/110; thus you will override built-in decoder for pop3 because custom apps should kick in first and disable further lookup therefore chance exists your vuln sigs will trigger now?   Or just create a custom app for your condition (perhaps in the whole session) and block that app. You have an explanation here how to create signatures for the session (part of base signature creation).   Can you try and let us know what was your mileage?   Best regards Luciano ... View more

Hi, Mitre,   You are welcome. This seems to be a problem, occasionally, not just for you 🙂 I have to take a deeper look into it next week again, FF specifically, and I will report if I experience some bigger problems.   Best regards   Luciano ... View more

Hi Luca,   seems to be off, at least judging by the quick look into my house logs - I can't find fresh whatsapp-voice and it was used for sure. It is probably change on the side of whatsapp; if it matters to you business-wise I would report it through the TAC case.   Best regards   Luciano ... View more

Hi Alex, welcome to community forums.   There is an article in the knowledge base that shows how to configure Global Protect, and it notes: "To authenticate devices with a third-party VPN application, check "Enable X-Auth Support" in the gateway's Client Configuration. Group Name and password must be configured for this setting."   While I have not tested Windows phone personally, I would try with built-in client or with something from the app market if built-in client does not work. Try to configure it and let us know if it doesn't work what are errors you are receiving.   Best regards, Luciano ... View more