About jambulo

I'm on 3.1.7, but I think I found my answer... (Link removed, Issue fixed in 3.1.9) ...clearing the cache fixed it. ... View more

Does not work.  The vulnerabilities in question are already set to "Alert" as its default Action.  BUT, it does not get forwarded because it has a non-configurable severity set to "Informational". skrall wrote: It looks like you can not change the severity for Vulnerabilities in 3.1 but you can change the default action. OBJECTS tab >> Security Profiles >> Vulnerability Protection Click  "New" to create a new profile. Name the profile. Describe the profile (Optional) Set "Rule Type" = Custom Steve Krall ... View more

Is there any way to change the "Severity" of threats? Looks like Brute Force Attempts are set to "Informational".  Now QRadar doesn't receive any Brute Force Attempts.  There's probably other threats defaulted to "Informational" that I may need to change. ... View more

Good to know that all URL traffic is set to "informational".  QRadar not being able to receive "informational" threats is better than QRadar receiving Alerts for every single URL accessed.  Thank you for your help! ... View more

The reason I need to seperate the profiles into two different rules is because we are forwarding the logs to our Central Log Manager(QRadar).  I set the first rule for just URL Filtering Profile on 80/443, and to "Alert" on allowed sites(I set to "Alert" so I can keep a log in Palo Alto of all the allowed sites).  On this rule, I do NOT forward logs to QRadar.  If I do, all of the allowed sites show up as "offenses" because they are set to "Alert" in PaloAlto. I then set up a second rule below this first to run the AV, Spyware, etc. profiles on 80/443.  This rule does forward logs to QRadar.  BUT, I've been noticing all traffic on 80/443 skips over this second rule after it hits the first rule.  I'm not sure if there's any other way to do what I need... ... View more

TLK Support wrote: If you are talking about the URL Filter set them to "Alert" instead of "Allow" Then they are logged under Monitor - URL Filtering Regards Marco I've actually tried this, but our SIEM(qradar) does not like it.  It will send all allowed sites to qradar as an Alert, which ultimately generates a lot of false offenses.  Also, that method won't show me sites that I specify in the "allow list sites".  I don't understand why we can view allowed sites in the ACC, but not anywhere else. ... View more

I was just about to start a topic on this.  I can confirm this issue.  The scroll bars are missing in other tabs as well.  You can not scroll through the logs in the monitor tab. ... View more

I don't have a specific example yet, It was a question that came about from curiousity.  Instead of checking the logs every now and then, I thought it would be a good idea to be able to be notified of a particular threat(s) as it happens.  Not just all the ones that fall under the same Severity level. edit: Here's an example.  It would be nice to be notified when Palo Alto detects a user using any kind of "remote-access" application as it happens. ... View more