About Cap

Ok so I'd really like to skip the part about why my organization does this and get to the part about what should I be concerned about... Our PA is set up to block many many many URL's using URL Filtering, just as you'd expect any org to do, but there have also been many Data Filtering regex signatures created solely to block URLs as well.  Often times the regex expressions are created by someone who wants a URL blocked but only has permissions to create vuln signatures and not URL filters. I don't want to go into the local "reason" for this, but my question for the experts is: what sort of performance impact can this cause? They are also using this style of signature to kill the DNS query for these URLs, so that's as many as two data filtering sigs for each of these URLs that are being blocked via a "work around". If there are say, a few hundred of these regex signatures that exist to simply block domain names found in http headers, will this cause a hit to PA performance? What about as that list of signatures grows? What other concerns should I have about this method? I'm pushing my org to stop misusing the data filters this way and to rely solely on the URL filtering function, but lets just say there's a lot of red tape involved. Going into it with some smart information might help my argument. ... View more

Curious if anyone else is working on or looking for a signature for this vuln: NVD - Detail DoS vulnerability brought about by a bug in OpenSSL. Is PAN working on a signature by chance? Details: The do_ssl3_write function in s3_pkt.c in OpenSSL 1.x through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, does not properly manage a buffer pointer during certain recursive calls, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors that trigger an alert condition. ... View more