This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About mrsold
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About mrsold
08-18-2015
37Posts
0Likes
0Solutions
Aug 18, 2015Last Visited
User
Activity
User
Profile
Latest posts by mrsold
| Subject | Views | Posted |
|---|---|---|
| 6272 | 02-11-2015 05:25 AM | |
| 6272 | 02-10-2015 01:55 PM | |
| 6450 | 02-10-2015 11:56 AM | |
| 7233 | 10-24-2014 09:45 AM | |
| 7233 | 10-24-2014 09:18 AM | |
| 8028 | 10-24-2014 05:29 AM | |
| 4409 | 09-26-2014 10:12 AM | |
| 4409 | 09-26-2014 09:52 AM | |
| 2806 | 09-26-2014 09:45 AM | |
| 1975 | 09-22-2014 01:18 PM |
User Badges
Community Statistics
| Member Since | 05-16-2011 09:00 AM |
| Date Last Visited | 08-18-2015 09:07 AM |
| Posts | 37 |
02-11-2015
05:25 AM
dyoung wrote:
Hi mrsold
It will only relay for one subnet.
The interface address used to relay the DHCP request (and therefore determine which DHCP scope will be used) is the IP address at the top of the list on your IPv4 tab.
You can adjust the positioning of IP addresses on this tab using the move up/down options should you wish.
Regards,
Dave
Thanks dyoung - do you know if this is documented anywhere?
... View more
02-10-2015
01:55 PM
bat wrote:
mrsold
Could you please explain your query in more detail ?
I think DHCP requests will be accepted for both networks and will be forwarded to DHCP server ?
If I have both of those IPs on the interface, and I have scopes built for both of those networks, does it relay to both of those subnets? Wait until one is exhausted and there is no response?
... View more
02-10-2015
11:56 AM
Greetings, Say we have an interface that is configred the following way: e1/2.240 Tag: 240 IPv4 Address (two addresses on the interface): -10.10.100.1/24 -192.168.100.1/24 Now, if that interface is configured as a DHCP relay, which network is it going to send in the relay request?
... View more
- Tags:
- dhcp
- dhcp-relay
Labels:
- Labels:
-
Configuration
-
Networking
10-24-2014
09:45 AM
HULK wrote:
Hello mrsold ,
There should be a continuous 7 byte string.
Examples
-> pattern -> a -> regex ' abc [ abc ] {3 } abc . *abc' is invalid.
-> ' abc . {3 } abcdefg . *abc' ----is valid >>>>>>>> 7 byte
-> foo . *bar . *foobarfoo (invalid)
-> foo . *fooba (valid)
Hope this helps.
Thanks
Ah yes, the continuous is a very important part. Thanks!
... View more
10-24-2014
09:18 AM
HULK wrote:
Hello mrsold ,
A Pattern must be at least 7 bytes. In the entire pattern there must exist at least one 7 byte string that has fixed values.
Regular expression syntax for patterns in custom app signatures
Thanks
Thanks Hulk. Am I counting wrong? I thought that string I posted is at least 7 bytes.
... View more
10-24-2014
05:29 AM
Hey everyone, I'm attempting to build a pattern match for a custom vulnerability. Here are the criteria: File is always a random 24 character file with a '.exe' extension First three characters are always 'e54' I had the following regex built, but the PA doesn't like it for some reason. (e54([a-zA-Z0-9]{21})\.exe) It gives me some invalid character internal error. Any thoughts?
... View more
- Tags:
- regex
09-26-2014
10:12 AM
HULK wrote:
Hello mrsoldner ,
As per my understanding, action is taken based on the different severity level of that virus. If that virus is having typically very little impact /or no impact on an organization's infrastructure. Then the action will be set to "alert".
Thanks
HULK could you clarify? My antivirus decoder for SMTP is set to "alert" for WildFire and Threat however I am seeing Virus blocks for SMTP traffic.
... View more
09-26-2014
09:52 AM
hshah wrote:
Hello Mrsoldner,
Every virus signature has different severity. You can find that information from following link. Select type as a "virus".
https://threatvault.paloaltonetworks.com/
You need to feed either virus name or ID.
Regards,
Hardik Shah
Thanks hshah - I've never seen a severity included with a virus though which is why I'm puzzled. For example: ID: 3088393 The threat vault just calls it a virus. It came in via SMTP (which by default, the action is alert) however in the logs it shows it was blocked. Just making sure I fully understand.
... View more
09-26-2014
09:45 AM
James@PANW wrote:
Hi APackard,
Or you can go for an ID between 3 and 4 million in a report. Remembering that WildFire signatures will end up in the regular AV ID range (between 2 and 3 million - well 299999 to be precise) once processed for customers with a threat license.
Good Luck!
Just for clarification on my part. A threat ID'd by WildFire in the 3mil+ range is changed to a regular threat value after it's rolled into the standard 24-hour update?
... View more
09-22-2014
01:18 PM
I realize that as of me writing this, PA has ~123 variants of *.crilock.* registered. Is there a way to report on vulnerabilities by name rather than ID? It would be nice to be able to publish a report saying, "Our PA stopped CryptoLocker this many times" without having to build a custom report with 123 different threat IDs.
... View more
- Tags:
- cryptolocker
- reports
Labels:
- Labels:
-
Content-ID
06-18-2014
08:38 AM
Thanks Hulk. So I'm assuming the hash associated with "file.exe" is hashed and subsequently blocked by WildFire / Threat Prevention - obviously if that same malware were to be packaged in a different exe, say "file1.exe" the process would have to start over... -Mike
... View more
06-18-2014
06:12 AM
Have a question about the functionality of WildFire. Here is the scenario (assume we have a WildFire subscription so we are getting updates every 30 minutes): User gets an email to download "file.exe" at 0800 This hash does not match anything and is sent up to the cloud for analysis. Analysis confirms this file is / has malware - it has not seen this malware before so a new signature is generated - lets say for arguments sake it turns it around fast and is updated at 0830 Another user comes in at 0900 and gets the same email with the same link to the same file and clicks the link ... Will the PA stop that user from downloading that file?
... View more
02-10-2014
07:26 AM
All, So, just a possible silly question about the order if you will of response page activation - specifically around the Application Block and the URL Block. Per the documentation: Application Block Page: Activated when application access not allowed by policy and blocked. URL Filtering: Activated when blocked by URL filtering policy. So, is it reasonable to assume that these pages would be blocked in order of policy enforcement or should I say whichever hits first? If I have a policy rule that is blocking the application "Hootstuite" for example and in that same rule, I have it in my URL policy that *.hootsuite.com / hootsuite.com is also blocked, my assumption would be that the URL policy page would hit first. Would this be correct? Edit: One other addition for clarification. Say I have the application block page enabled. I go to one of my default block rules for a VPN client, so it looks something like this: 1. Permit VPN user to Server via ms-rdp (no URL filtering policy enabled) 2. Deny VPN user any any Currently, if that user tries to use any other application it will just not work. Am I understanding correctly that once I enable the application block page, they will be presented with it?
... View more
09-17-2013
07:20 AM
So, we are (slowly) transitioning our devices to 5.x code to fully utilize the templates via Panorama. One of the items I was looking into transitioning is the local admin account. However, from my testing, I don't know that this is possible. We have a 90-day password rotation on all our passwords so we need to change that admin password as well. Currently, we have run a job out of Solarwinds, but I was trying to see if this could be accomplished via the template. The good news, is that it lets me create the admin acount and it pushes it down via the template. The bad news is that when I try and revert the admin account from local to use the template I get the error: 1- Failed to revert Administrators - admin. Administrator not allowed to delete own account Is it even possible to administer that default admin account via the template? I can think of a couple ways to try and work around it, but before I go too deep, I just wanted to float it to the community. Thanks!
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-18-2015
09:07 AM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks