This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About bstapleton
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About bstapleton
08-18-2015
8Posts
4Likes
1Solution
Aug 18, 2015Last Visited
User
Activity
User
Profile
Latest posts by bstapleton
| Subject | Views | Posted |
|---|---|---|
| 1508 | 09-18-2012 07:29 AM | |
| 2988 | 05-23-2012 05:03 PM | |
| 1611 | 05-23-2012 09:09 AM | |
| 3041 | 05-23-2012 08:50 AM | |
| 3028 | 05-22-2012 11:32 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 05-23-2012 09:09 AM | |
| 1 Like | 08-03-2011 06:45 AM | |
| 1 Like | 08-04-2011 08:29 AM | |
| 1 Like | 09-18-2012 07:29 AM |
User Badges
Community Statistics
| Member Since | 02-11-2011 12:48 PM |
| Date Last Visited | 08-18-2015 09:07 AM |
| Posts | 8 |
| Total Likes Received | 4 |
09-18-2012
07:29 AM
1 Kudo
Hey johnd, We're in the same boat. We get many vulnerability hits internally of the same type as yours. The thing to do seems to be to open a case with PAN support for each vuln. It's best to start with the ones that are blocking traffic rather than just alerting you. Then, IMHO, go for the ones that are most annoying and are most easily reproduced. PAN support will most likely ask you to reproduce the alert with packet capturing on and to add the files or other data to the case that's being transmitted when the vulnerability is identified. The end result may be surprising. We generated a case because traffic between our Microsoft SCCM servers and their clients generated many thousands of 40026: SSL Renegotiation Denial of Service vulnerabilities. We did the packet captures and submitted file samples. PAN support came back and said that, yes indeed, this is vulnerable traffic. There seemed to be no more recourse with PAN support; we could then go to Microsoft to see why they're transmitting vulnerable traffic as part of their protocols. In the end, we decided to keep the Microsoft SCCM servers running as they were and supress the alerts on the Palo Altos.
... View more
05-23-2012
05:03 PM
Wow - that's a lot of constituencies. Hopefully, you'll find some commonality in the applications and subcategories that you allow and block between the constituencies so you can group the applications easily. One other thing I thought of for dependencies: we created groups for applications that have tons of them. For ms-rdp, for example, we created a group called ms-rdp_suite and included netbios-ss, netbios-dg, etc. etc.
... View more
05-23-2012
09:09 AM
1 Kudo
You should see log entries including attempts to make connections in Monitor-->Logs-->System To test a IPSec tunnel, from the command line on the PA, clear vpn ike-sa gateway <name of IKE Gateway in Network-->Network Profiles-->IKE Gateways> clear vpn ipsec-sa tunnel <name of IPSec tunnel in Network-->IPSec Tunnels> test vpn ipsec-sa tunnel <name of IPSec tunnel in Network-->IPSec Tunnels> We've only encountered bug #39844 in PAN-OS version 4.1.5.
... View more
05-23-2012
08:50 AM
We're able to work out dependencies by looking at the errors and adding the dependent applications to our allow groups. It seems we don't have the complexity regarding time of day that you do. Our rule structure is this: deny Block groups allow Allow groups and Allow subcategory filters deny Block subcategory filters The key is that the Allow subcategory filters and Block subcategory filters never include each other's subcategories, but added together contain all subcategories. Adding rules for allowing applications for off-hours depends on how much of the application structure changes policy for off-hours. If the differences are just a few apps, I would put a scheduled rule like "allow Allow off-hours groups" before the first rule called deny Block groups. If I wanted to allow a few subcategory filters for off-hours, I would consider copying the entire structure and placing those rules above the current structure: deny Block off-hours groups allow Allow off-hours groups and Allow off-hours subcategory filters deny Block off-hours subcategory filters deny Block groups allow Allow groups and Allow subcategory filters deny Block subcategory filters
... View more
05-22-2012
11:32 AM
We use application filters based on subcategory. When deciding to allow or block a subcategory, we ask ourselves: if Palo Alto created a new application definition that you haven’t heard of before and added it to the subcategory, should it be allowed or blocked? Then we create application groups for the exceptions in a subcategory. We have about 200 exceptions in our application groups currently.
... View more
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks