This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About claudec
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About claudec
02-08-2023
22Posts
11Likes
3Solutions
Feb 08, 2023Last Visited
User
Activity
User
Profile
Latest posts by claudec
| Subject | Views | Posted |
|---|---|---|
| 4052 | 02-26-2021 08:24 AM | |
| 4107 | 02-24-2021 02:39 PM | |
| 3868 | 02-15-2021 09:15 AM | |
| 3901 | 02-15-2021 06:43 AM | |
| 4465 | 11-24-2020 07:52 AM | |
| 4949 | 09-15-2020 11:57 AM | |
| 7805 | 09-15-2020 07:45 AM | |
| 7858 | 09-14-2020 07:22 AM | |
| 5197 | 08-10-2020 04:46 PM | |
| 2682 | 07-29-2020 02:20 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 09-14-2020 07:22 AM | |
| 1 Like | 02-15-2021 06:43 AM | |
| 1 Like | 02-26-2021 08:24 AM | |
| 1 Like | 02-24-2021 02:39 PM | |
| 1 Like | 02-23-2017 04:25 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 Like |
User Badges
Community Statistics
| Member Since | 01-27-2015 05:38 PM |
| Date Last Visited | 02-08-2023 11:46 AM |
| Posts | 22 |
| Total Likes Received | 10 |
02-26-2021
08:24 AM
1 Kudo
Hi, That is correct..if you want to perform an exact match on the period character and do not "escape" the period then the system will interpret it as the regex token "." which means "match any character".
... View more
02-24-2021
02:39 PM
1 Kudo
Hi, If you are using a text string you need to escape the "." because it's a regex token. For example: Edg/88\.0\.705\.63
... View more
02-15-2021
09:15 AM
I don't think it's possible to configure a custom threat signature using the "unknown" protocol decoder that will inspect every packet for the entire duration of the flow. There are some improvements to the threat inspection process in PAN-OS 10 and so if you can run that version you might try using the "udp context free" decoder for your custom threat signature to see if there is a difference. Note that use of this context will incur a significant performance penalty.
... View more
02-15-2021
06:43 AM
1 Kudo
Hello, You can enable CTD inspection for the custom app by enabling "scanning" in the advanced tab of the signature. Regarding the negate condition in custom threat signatures, there are some restrictions. One is that it can not be the only match condition. At least one non-negate condition must be included. Also, if the signature scope is "session" the negate condition can not be the last match condition.
... View more
11-24-2020
07:52 AM
Be aware that this byte pattern could possibly match anything that uses the swarm protocol, not just WUDO.
... View more
09-15-2020
11:57 AM
2 Kudos
Hi John, You are correct in that versions prior to 10.0 you can not write a custom signature against a known application unless the decoder for that protocol/context is "exposed" in the user interface. In 10.0, there is more flexibility, including a "context-less" signature that may meet your requirements. Be advised that there can be performance penalties when using these expanded capabilities. More info here: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/content-inspection-features/enhanced-pattern-matching-engine.html#iddc51c078-bc5c-4c95-bba4-dd5763f2b549
... View more
09-15-2020
07:45 AM
The only way to block a file by hash is if you have Cortex XDR on the endpoint. One feature that might possibly help is the new MLAV feature in PAN-OS 10.0. Here is the information: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/wildfire-features/configure-wildfire-inline-ml.html#id45b7dbdd-c5a8-4bd9-b5a9-abf07e3ccf37
... View more
09-14-2020
07:22 AM
1 Kudo
Unfortunately you can not create a custom threat signature based on a file hash. At least some of the hashes you reference already have Anti-Virus signatures. You can investigate signature availability at threatvault.paloaltonetworks.com. If you have the actual sample you can submit it using the wildfire portal so a signature can be generated. If you are a Cortex XDR customer, you can black list the file hashes on your endpoints.
... View more
08-10-2020
04:46 PM
1 Kudo
Sounds like maybe you have route asymmetry. The path from your test VM subnet to the on-prem networks is routed through the VM-series in Azure but what about the return traffic? Typically you need to have UDRs in the gateway subnet route table that routes traffic from on-prem networks to protected VNET resources via the VM-series trust interface. It is also common to explicitly route the on-prem networks in your protected resource subnets and not rely on the default. Lastly, when you are using a dynamic routing protocol between on-prem and the VNG you need to be mindful of potentially unwanted route propagation to the various VNET subnets that would allow flows that should be inspected to unintentionally bypass the VM-series. Hope this helps.
... View more
07-29-2020
02:20 PM
1 Kudo
The secondary/floating IP is configured on the active firewall only. The IP moves to the passive firewall during a fail-over event. The VM-Series admin guide has the details.
... View more
07-14-2020
06:23 AM
For your outbound flows, you can just configure a Panorama based NAT policy that uses a source translation that references the egress interface. If for some other reason a NAT policy needs to be different on each firewall in the LB pair you could just use rule targets.
... View more
07-02-2020
07:39 AM
1 Kudo
There is already an out of box App-ID for IPSEC NAT Traversal..."ipsec-esp-udp". If the App-ID engine is already detecting this traffic as this App-ID, then you can not write a custom signature for it because there is no exposed decoder for this protocol. If the firewall is detecting the traffic as "unknown-UDP" then there would be an opportunity to possibly use a custom App-ID. While you can use regex in an App-ID signature, you still need a 7-byte anchor.
... View more
06-14-2020
08:36 AM
That is correct. The only time, I recall, that the firewall will see the original, un-translated public destination IP is when you front end the firewall with a public standard load balancer and enable the "floating IP" option. In that configuration, you do reference the public IP associated with the load balancer in the NAT policy of the firewall. It wasn't clear from your original post that you were attempting to use the public IP in your NAT rule so sorry for that assumption on my part. When you associate a public IP to a private IP in Azure it handles the NAT. That is why you don't need a public IP configured on the management interface of the firewall, just like you don't need a public IP configured on the un-trust interface.
... View more
06-13-2020
03:14 PM
Traditional HA is not typically the preferred solution for high availability in the cloud. That said, even with a traditional HA config, the public IP is not configured on the firewall. The interface IP addresses are from the directly connected subnets, including the IP that acts as the "floating" IP when the firewalls fail over. The "floating" IP is a private/static IP defined in azure and configured as a secondary interface IP on the firewall. A public IP is then associated with this "floating" private IP in Azure.
... View more
06-13-2020
12:00 PM
The public IP should not be defined on the firewall. The firewall interfaces should be configured for DHCP and have static assignments from the trust/untrust VNETS. You can optionally have the firewall learn the default route via DHCP or configure it statically.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-08-2023
11:46 AM
|
Latest Tags
No tags yet
Likes From
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks