About NGS_SOC

NGS_SOC · ‎05-19-2015

access route 192.168.0.0/24 is a simple one and goes to split tunnel 192.168.0.0/24 and 172.16.0.0/24 are more complex access routes and goes to tunnel everything

NGS_SOC · ‎05-19-2015

Split tunnel on IPSEC is working but only if the networks are simpler enough. For examples if access routes are 192.168.0.0/24 and 172.16.0.0/24 this goes to full tunnel. Technical limitation probably will never fix. Cisco IPSEC are stuck only to 8 hours and other IPSEC flavors (IPSEC on MacOSX) have even worst timeout.

NGS_SOC · ‎05-19-2014

Hi, seems your are working with a External Block List or DBL Dynamic Block List, which is not working as expected. Maybe these links can be useful for your installation. Configuring Dynamic Block List (EBL) on a Palo Alto Networks Device Working with External Block List (EBL) Formats and Limitations

NGS_SOC · ‎05-19-2014

You cannot redirect known user to captive portal, CP is only available to unknown IP/User mapping. There are several ways to force domain credentials ( for example explicit login via script, exchange/shared folder/printer accesses etc) but in my option the best way to always keep user-if mapping during the ip lifecycle is the 802.1X & syslog integration within new PANOS 6.0.

NGS_SOC · ‎05-19-2014

Hi, Cisco's tunnel group and group policies cannot directly migrated into PA Global Protect gateway. The rule is a single PSK/CERT group per GP gateway, once you need more a new gateway has to be created. In Cisco vision the use of multiple vpn-group was done to segregate traffic in layer3+ pool containers, using PA and its user identification, always present in GP, you can achieve the same security level with only one gateway (and related tunnel group) with a bunch of security rules based on User-ID.

NGS_SOC · ‎10-09-2013

Hi to all, in My Devices > Request Licenses appeared, in the last few days, a new "Decryption Port Mirror (requires PAN OS 6.0.0 or higher)" . Is anyone able to explain what is about? Probably I have to wait till end of the year new PANOS 6.0 but a sneak could be appreciate. Thanks

NGS_SOC · ‎06-16-2013

tnx mikand, great comment, as usual I've spent some hours with my country SE and I have a officiaL answer to my AET question, in addition they give me some additional commands to test against stonesoft's evader attack. I'll try them within this week and I'll post my comment

NGS_SOC · ‎06-15-2013

thx... damned platform specific bug 🙂

NGS_SOC · ‎06-15-2013

It's better that you open a support case as soon as possibile. I haven't see a behavior like this and maybe your app-id engine on 3050 is not working properly. Even if you have right over youtube changing better warn the support, so the developer team can take countermeasures.

NGS_SOC · ‎06-15-2013

welcome in the 7 bytes world 🙂 gwesson has right your pattern should works fine with Pattern = "ddostheinter\.net" Pattern = "directedat\.asia"

NGS_SOC · ‎06-15-2013

If you need allowing a domain with its subdomain you must allow them domain.* *.domain.* *.*domain.* *.*.*domain.* etc This works for web-browsing, if the traffic is ssl you need to terminate it (decryptin) in order to gain full compatibility. If not only the domain.* is visible. In case of known application (as dropbox) I suggest you not to use Url, use application identification, always go beyond Url Profile.

NGS_SOC · ‎06-08-2013

Hi everybody, last week I had a Stonesoft engineer in my lab demonstrating their techniques of exploit attack via AET. I tested my PAN NFR units (PA-200 & PA-2050) with IPS license last update, together with other vendors IPS units, protecting 2 pretty vulnerable client (one win xp sp2 the other ubuntu 6.04) . The result scared my quite a bit. Known exploits are blocked once sent in clear way, but when a subset of AET was run under script the catch rate was quite bad, less than 10% with the highest IPS policy in place. Here the link to Stonesoft attacker that one can freely test: Evader | Stonesoft Evader Last AET discussion in this forum is pretty old, end of 2010, and I would like how PAN handles nowadays these kind of sophisticated traffic obfuscation, carrying malicious payload. I know that patching the client solve the problem but the same oparation could be done with client with no patch software available and IPS are meant to handle such situations. Regards

NGS_SOC · ‎06-08-2013

In a 4.1. installation I use this pattern User-Agent:.Mozilla/*.*(Firefox/*)

NGS_SOC · ‎06-08-2013

Hi, except from DNS-proxy another way to accomplish this is using U-turn NAT configuration Source Zone: Trust-Zone Dest Zone: Untrust-Zone service: dns (53tcp +53udp) Source : Your internal network Dest: External Dns server IP (ie 8.8.8.8 google) Source translate: dynamic-ip-port (PAT) of your internal firewall interface Dest translate: Your internal DNS server IP Also you need a permit security policy from Trust-Zone to Trust-Zone The drawback that you need a NAT entry for every external dns server, but if you verify which ones is mostly used I think that 10 rules could match 90% of your dns external requests.

NGS_SOC · ‎05-26-2013

https://live.paloaltonetworks.com/message/15865#15865 Be aware that only owa connection can be used, due to Exchange limitation there is no POP3 or IMAP user connection information.

NGS_SOC · ‎05-22-2013

[Debug 374]: XML API IP x.x.x.x(name domainY\userZ) logoff but entry not existed. It seems that domainY\userZ was not previously inserted, maybe not in that form. Via show user ip-user-mapping all are you sure to see domainY\userZ ? Maybe is like domainY.com\userZ and this is a different string causing me in the past some troubles.

NGS_SOC · ‎05-20-2013

From PAN-EDU-201 v.5 rev A MOD 4 APP-Id slide 26 PAN-OS implicitly allows parent applications for a set of commonly used applications Requiring that dependencies be allowed in order to enable an application can often allow more traffic than intended. For example, enabling access to web-browsing just to allow facebook-base allows users to browse other sites, requiring the administrator to configure other policies to regulate this access. PAN-OS addresses this concern by implicitly allowing dependencies for a set of commonly used applications to streamline the security policy process. Implicit permissions of a parent application are only handled if there is no match with an explicit rule. The complete list of implicitly allowed applications can be found in Appendix B of this manual. Appendix B Allowed Application • software-update apps • business-systems apps (e.g., erp-crm, storage-backup, sharepoint) • web-mail apps, IMs, social-networking Implicit >> web-browsing Apps identified in rpc decoder with a specific program ID (e.g., mount, nfs, portmapper, ibm-clearcase) Implicit >> rpc Apps identified in msrpc decoder with specific UUID (e.g., ms-exchange, active-directory, arcserve) Implicit >> msrpc msrpc Implicit >> ms-ds-smb ms-ds-smb Implicit >> netbios-ss Apps identified in rtsp decoder based on uri path in first request message (including custom apps) Implicit >> rtsp Apps identified in rtmp decoder based on uri path in the first request packet (e.g., bbc-iplayer) Implicit >> rtmp, rtmpt Media streaming apps (e.g., napster, megavideo) Implicit >> flash ms-rdp, msn-remote-desktop Implicit >> t.120 Apps identified based on SSL hello or certificate in the response. Ssh can remain in both uses-apps and implicit-uses-apps Implicit >> ssl yahoo-voice, gtalk-voice, msn-voice, msn-video, facetime Implicit >> stun several IM apps Implicit >> jabber gotomeeting, gotomypc, gotoassist Customer is not expected to understand internals about Citrix ICA/Jedi Implicit >> citrix/citrix-jedi Never allowed unknown udp/tcp, I hope this could hlep

NGS_SOC · ‎05-18-2013

I'm trying to import logdb coming from a PA-2050 to a smaller devices like VM-100, PA-200 or PA-500 but without any luck. Has anyone successfully tried this operation? The command scp import logdb from ... seems ok but in the end no data is shown under Monitor > Traffic page. Importing the exported logdb into the same units, after a factory reset, works fine and data are displayed so exporting operation is not the issue.

NGS_SOC · ‎05-18-2013

I quote what is reported in PANOS v.5 release note: Application Dependency Enhancement – For some protocols, you can allow an application in security policy without explicitly allowing its underlying protocol. This support is available if the application can be identified within a pre-determined point in the session, and has a dependency on any of the following applications: HTTP, SSL, MSRPC, RPC, t.120, RTSP, RTMP, and NETBIOS-SS. Custom applications based on HTTP, SSL, MS-RPC, or RTSP can also be allowed in security policy without explicitly allowing the underlying protocol. For example, if you want to allow Java software updates, which use HTTP (web-browsing), you no longer have to allow web-browsing. This feature will reduce the overall number of rules needed to manage policies. This means that few applications can use this enchantment and you never allow unwanted applications. Be aware of how PA recognize application: for example application facebook relies on web-browsing because before facebook the frewall recognize in fact web-browsing app. So the programmer ask themself why not having an implicit application allowing? Please do not mix together app and service (ports) these are different variables in security rules, as an advice try to use always application defaults as policy enforcement. If you keep log option for security rule you are always able what traversed the firewall. Also always in session browser (cli/gui) you can see which kind of app traffic is flowing even with a permit all policy, this is the strength of these devices.

NGS_SOC · ‎05-18-2013

In PANOS 4.x all application dependencies have to be explicit allowed in security rules, otherwise warning during may appear and related application could not work properly. Sometimes in large scale this requirement could be annoying or worse. Version 5.0.x changes this behavior allowing application dependencies if they are granular web-browsing, ssl, ftp and few more. Never unknown traffic, if needed, this have to be allowed with an explicit rule.

NGS_SOC · ‎05-18-2013

I agree, could be interesting if the aspx page could accept variables like http://urlfiltering.paloaltonetworks.com/TestASite.aspx?url=www.google.com I suggest the feature!

NGS_SOC · ‎05-18-2013

Bittorent doesn't depend on unknown tcp/udp, only web-browsing on tcp/udp dynamic ports. If you have 5.0.x this dependence is already done, otherwise a rule has to be inserted for allowing web-browsing before bittorent. Verify the app dynamic update (latest 373-1793) and in case of other error/warning during commit also I suggest opening a support case.

NGS_SOC · ‎05-17-2013

I'm not sure having fully understood your goal, if I were you I'll remove the SSG and put PA-200 in its place. The little PA device is able to handle layer3 topology with multiple WAN connections using vrouters (2 available) and PBR. The simplest topology that can be suited you is WAN (untrusted) DMZ (servers) and LAN (trusted). In this choice traffic shaping & qos for servers/client are directly managed by PA-200 either with diffserv of qos polycy.

NGS_SOC · ‎05-17-2013

The diffserv Qos mark is done in Security Policy not in NAT rules. In the option field you case choose IP dscp or IP Precedence according to your Juniper configuration and all the traffic voice, ie sip application, can be marked to higher priority. Traffic shaping Qos is the second technology, useful to limit/guarantee certain amount of traffic, but in your topology maybe is better to handle this with Juniper. On the contrary, if your juniper can be moved to outside to inside, for example as vpn concentrator, you can use directly traffic shaping.

NGS_SOC · ‎05-17-2013

Documentation > Enterprise SNMP MIBs https://live.paloaltonetworks.com/docs/DOC-4120

NGS_SOC · ‎05-17-2013

HI, below I attached an example of vbs script I used in order to obtain explicit login/logout from the network client, try to see if they work for you. Simply modify USER-ID agent address+ port. Once launched the script is able to grab domain\user from the local machine ad set the PA login, or the logout. Dropbox - Login-Logout-API.zip I also use similar login\logout script integrated with 802.1X wifi enterpirse (Aerohive vendor), if the user is still preset there is surely something tha keeps alive the use connection. Also with an 5.0.x infrastrucutre you can talk to the PANOS directy using URL like this, without the USER-ID agent broker. https:// <Firewall-IPaddress>/api/?type=user-id&key=<Key Value>&action=set&vsys=vsys1&cmd=<uid-message><version>1.0</version><type>update</type><payload><login><entry name="pan\sam1" ip="<Client-IPaddress>"/></login></payload></uid-message>

NGS_SOC · ‎05-17-2013

Script looks fine, I have an explicit logoff like this in place with 4.1.x and 5.0.x. The only difference I have is in ip & name order, in mine script is exchanged, <logout><entry name="domainY\user" ip="x.x.x.x" ></entry></logout> If you still have user in "show user ip-user-mapping all" list this means that the user still present somewhere and the userid, please verify the user-id logs when loggin off you should have logs like these, where X.X.X. are private ips, New xml api connection X.X.X.X : 56522:2010737129. XML api thread 0 from X.X.X.X : 56522 is started. Event: type="XML API connection" name="X.X.X.X" status="Connected" Device thread 0 send server status X.X.X.X : 56522 Connected (XML API) XML api thread 0 accept finished XML api thread 0 SSL no certificate Reading 2 security logs takes 0 ms for DC domain.local. XML API IP 192.168.1.11(name DOMAIN\user) logoff. Event: type="XML API connection" name="X.X.X.X" status="Disconnected" XML api thread 0 exits. XML api connection X.X.X.X : 56522 closed. All XML api connection stopped!

NGS_SOC · ‎05-14-2013

Dynamic Block List is probably the solution you are looking for. Using an internal web server where your txt list can reside allow you to use the unwanted ip address as variable in Security Policy.

NGS_SOC · ‎05-13-2013

Apart from PA-500 specific problem, another operation could be tried in order to quickly obtain reports. Exporting the postgress logdb from PA-500 and importing it to a VM-100 (even not licensed) should provide the results your are looking for. scp export logdb to userabc@1.2.4.3:c/a/b/c scp import logdb from userabc@1.2.4.3:c/a/b/c I wanted to try these operations some weeks ago in may labs and now I schedule for the next week.

NGS_SOC · ‎05-12-2013

You can start with two docs https://live.paloaltonetworks.com/docs/DOC-1098 https://live.paloaltonetworks.com/docs/DOC-2561 PA does only static eherchannel L2 (no LACP/PAgP support) and only for 4000 & 5000 series with PANOS 4.1.X. With PANOS 5 series 500, 2000 and 3000 do aggragate.

Date Registered	‎07-19-2011 08:06 AM
Date Last Visited	2 weeks ago
Total Messages Posted	68
Total Likes Received	20

Online Status	Offline
Date Last Visited	2 weeks ago

Strata

Prisma

Cortex

About NGS_SOC