Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Live
- ›
- About marcelocampos
About marcelocampos
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Tuesday
9Posts
0Likes
0Solutions
Sep 15, 2020Last Visited
User
Activity
User
Profile
Latest posts by marcelocampos
| Subject | Views | Posted |
|---|---|---|
| 256 | 2 weeks ago | |
| 465 | 4 weeks ago | |
| 413 | 08-18-2020 10:45 AM | |
| 459 | 08-18-2020 09:08 AM | |
| 770 | 08-11-2020 08:28 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 1 | |||
| 2 | |||
| 1 | |||
| 1 |
User Badges
Public Statistics
| Date Registered | 02-28-2020 07:18 AM |
| Date Last Visited | Tuesday |
| Total Messages Posted | 9 |
2 weeks ago
good day community, I have an incident due to the execution of an excel file that contains macros. According to the verdict and its hash the file is not a threat. My question is the following which is the most suitable method to allow the execution of said file? In the incident analysis window, right click on the allow list process or generate an exclusion? what is the difference? Best regards
... View more
4 weeks ago
Hello, @vsys_remo. I update the resolution of my problem, effectively I had to create 2 custom app id signatures, with the necessary patterns and parameters so that the traffic is identified as the custom app. After confirming that the traffic is identified, continue generating the policies before the general flow of mail traffic. Just a question, I actually see the queries pass to the app customized by the new rules, but I also see traffic pass with an incomplete app, this is a problem? Is it traffic that is specified? I understand that after the three-way handshake, not enough packets pass through to identify the application, but is it still traffic to the tcp / 25 port that is being allowed? But functionally speaking, the pishing scenario is already productive, I greatly appreciate your collaboration and help. Best regards.
... View more
08-18-2020
10:45 AM
Hi, @BPry You have helped me a lot, with the explanation now it is clear to me! Thank you very much!
... View more
08-18-2020
09:08 AM
hello community, I have a question that I have not been able to solve with the study material and it keeps breaking my head. Here it goes, when I generate an application-based security policy, for example from "trust" 10.xxx to "untrust" any with app anydesk specification (with the ssl dependency), I see the corresponding traffic between the internal lan and the destination on the internet corresponding to anydesk is fine, but here comes the doubt, I see traffic to other addresses by ssl but the record indicates that the application is incomplete (understanding that after the 3-way handshake there is no more packets) can I assume that traffic is not establishing a session and that the policy is doing its job of accepting "ANYDESK" and denying everything else? As long as the application output is incomplete, that traffic is not being established even though the traffic log indicates allow?. And the last one, when I configure a security policy towards any internet, only specifying the application and its dependencies, am I opening a communication flow towards any destination according to the applications and dependencies? example a conection ssl to microsoft destination can forward by the policy maked for anydesk? Thank you in advance for your guidance and clarification.
... View more
08-11-2020
08:28 AM
Hello @vsys_remo , thanks for you help. According to what I understand and what I have investigated, the issue of the custom application is not clear to me, how is it configured? since the traffic is smtp tcp / 25. What differentiates it from normal smtp? and how is the bypass performed so that wildfire in the firewall does not analyze it?. Thanks!. Best regards.
... View more
08-10-2020
02:54 PM
Good day! community, I have a question, what treatment is given to executables that are signed as weak hash? I understand that cortex XDR will block its execution. Can it be excepted considering that it is a utility software? The hash is unaltered and WF's verdict is benign. What things should I verify or take into account as best practices to expedite the investigation and take actions on the alarms. Thanks in advance. Best regards.
... View more
08-10-2020
10:28 AM
Good day @vsys_remo As you indicate, effectively remove the security profile in the perimeter vsys, but after a new review I realized that there is another context that participates in the mail communication flow, a virtual context called vsys datacenter (internal servers). Regarding the custom url filter, add the urls with the wilcard *. before the domain in order to allow everything associated. It may be that with the discovery of the participation of the vsys datacenter context in the communication flow is the reason for the inconvenience. Similarly, is there a way to empirically diagnose if it corresponds to wildfire or pan db URL?
... View more
08-09-2020
03:35 PM
Hi @vsys_remo , I'm not sure if it's the pan db url filtering or wildfire. The truth is that it performs the exercise by removing the security profile sends to wildfire from the security policy, keeping the custom url filter in the policy, to allow the urls of the pishing testing tools (smartfense). Even so, the emails are still being analyzed by IP of palo alto. our mail flow is: load balancers (untrust) -> vsys perimetral fw - trendmicro antispam (dmz zone) -> on-premises exchange server (trust). the tests were done by removing the wildfire security profile in the untrust -> dmz policies and dmz -> trust zone. I stay tuned, I appreciate your help.
... View more
08-08-2020
10:40 AM
In my company we are generating authorized pishing test scenarios to test users who compromise their assets when interacting with pishing links in their emails, for this we want to collect information and statistics on who opened the email, clicked on the link and / or entered personal information. To then generate awareness campaigns. The tool used is called Smartfense, we previously tested with Cofense but we had the same result. The problem is that the links contained in the emails are previously analyzed by the PAN DB URL, which corrupts the test results generating false positives. The data of our corporate firewall are: Model PA3250 S.O version 9.0.9h1. Inbound security policies were configured allowing in the policy a customized url pointing to the url of the Smartfense tool, according to the information released by the tool manufacturer. Even so, the links continue to be analyzed. Has anyone had the same problem ?, I remain attentive to your kind help. Regards.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
Tuesday
|
Latest Blogs
Latest Posts
Copyright 2007 - 2020 - Palo Alto Networks
