About hvcomputech

hvcomputech · ‎10-11-2017

We block most http-audio/video in our enterprise but we allow access to webcasts/webinars. We have had to resort to create a "webinar" rule allowing http-audio and video, rtmp, rtmpe, gotowebinar, and more... with specific IP ranges. Because these change often we have to keep adding CDN IPs to this rule for people to see/hear the webinars. This includes adding a flavor of default URL categories to match the rule. Apart from playing whack-a-mole, the concern is that allowing those ranges with, say, the business-and-economy, content-delivery-networks or streaming-media rule will allow traffic matching that security policy rule for sites unrelated to online webinars or courses. Is there a different/easier way to do this while still blocking http-video and audio for anything not related to webinars? Can someone share rules or ideas accomplishing this? Thanks, Larry

hvcomputech · ‎09-07-2017

Yes, *.sling.com also. That allows connections to internet-connected DVRs.

hvcomputech · ‎09-07-2017

Or look at the user's url log and find and block the ability to log in to Dish. If logging in on the site, block: https://my.dish.com/customercare/usermanagement/prepLogon.do https://www.mydish.com/welcome or for dishanywhere: http://www.dishanywhere.com/ https://identity1.dishnetwork.com/saml/module.php/sociallogin/login.php

hvcomputech · ‎02-01-2017

IF you are using Brightcloud try this via cli: debug dataplane test url-resolve-path la-xxx.com It will query locally first and, if unknown (not-resolved) it won't block it. The request will go out to the cloud for an update URL la-xxx.com/, category is not-resolved, a request was sent successfully to the host run it again: debug dataplane test url-resolve-path la-xxx.com it will come back classified correctly URL la-xxx.com/, category adult-and-pornography Larry

hvcomputech · ‎04-18-2016

6.1.10

hvcomputech · ‎01-29-2016

Has this been verified?

hvcomputech · ‎09-22-2015

Why would you want to block firefox and google chrome updates? I understand wanting to block the google chrome apps, which afaik can't be done, but the browsers? Isn't that exposing yourself to additional vulnerabilities?

hvcomputech · ‎08-19-2015

I am trying to understand the meaning of the default critical vulnerability action "Alert". This question was brought up by management who gets the PAN Content Update email and I want to give them an accurate answer. For example, Adobe Flash Player Memory Corruption ID 38112 is rated as critical and, as most critical vulnerabilities, the default action is "Alert". If I look up ID 38112 in the Vulnerability Protection Default profile the rule associated with it is "simple-client-critical" with default action Alert. The "simple-client-critical" rule itself has an action of Default. Does this mean that for anyone using the Default profile no action other than alerting would take place? In other words, they might think the PA is protecting when it's only alerting on the vulnerability? I use my own Vulnerability Profile Rule where "simple-client-critical" has an action of "Block". This means that ID 38112 is blocked even though the email says the default action is "Alert", correct? Thanks.

hvcomputech · ‎06-12-2015

In the cli don't forget to run: clear url-cache all then you might see sites classified correctly. I'm not too happy with brightcloud myself. I have submitted changes and sometimes it takes forever for them to assign them the correct categorization and they miss some obvious sites. However, tech support suggested we stick to brightcloud instead of the PAN-DB because it is much better, but as of 6.1 there are features that use PAN-DB like: "PAN-DB can now categorize content down to the page level instead of just at the directory level. Because the pages within a domain can be long to multiple categories, this capability provides increased accuracy in filtering content and prevents potential over-blocking of web content." I read somewhere that DNS sinkholing requres PAN-DB. Larry

hvcomputech · ‎06-12-2015

We had a similar issue with a secure site and Firefox wouldn't offer the option to bypass on a PC while it did work on mine. We use the same version, and we're on the same subnet. Clearing the cache in Firefox on his PC is all it took for it offer the option to continue. "for some users with no certificate applied, we have that common certificate error page..." BTW, if you're decrypting traffic and don't have the certificate applied for some people and they get the alert, be aware that you're conditioning these users to blindly accept any untrusted connection in the future. Also, some sites won't allow to continue if the MIM certificate is not installed, no matter what. Those sites will have to be added to an ssl bypass list. Larry.

hvcomputech · ‎04-27-2015

Without ssl decryption the PaloAlto won't be able to see what is traversing in https.

hvcomputech · ‎12-10-2014

Y si quieres, algunos podemos traducir aqui al ingles, a veces. Translation: "Problem with PAN-500 in Active-Passive mode. We have the following problem, we did a migration to version 5.0.8 on both appliances without a problem. The problem we have today is when we try to make a modification on one appliance and it gives us an error on interface 1/6, which was configured in HA. I don't know why but there aren't any cables connected nor is it operational. The problem is that if we want to make any changes, we get an error via the web interface. We want to know what the problem could be. Hope you can help us. Thanks. One more thing, is there a tech support number for Spanish in Mexico?"

hvcomputech · ‎12-10-2014

Are you using a spam filter? May be blocking the incoming emails filtering by attachment or content may be a quicker solution. Or create a data filtering profile for file type .zip, direction = download, with regex to match invoice.zip, and then apply it to your security policies. Note: I haven't tested this. Larry

hvcomputech · ‎09-16-2014

Translation: "Do you recommend substituting a Microsoft Threat Management Gateway firewall with a Palo Alto appliance? I'm thinking about substituting one of my firewalls, a Microsoft TMG with a new Palo Alto appliance. In general terms, functionality-wise I'm sure that Palo Alto would be better and would give me a better performance, but I'm weary on how to migrate the configurations such as Exchange (OWA and Active-Sync) and Lync (web services exclusively). This is a cornerstone in my migration, because all users use Lync for voice and IM, both on computers and mobile devices, in addition to Exchange with Outlook Anywhere, OWA and Active-Sync. I understand that TMG reverse proxy can't be duplicated in Palo Alto, but I'd like to find a solution without adding another appliance which would increase migration costs and administration headaches. Thanks"

hvcomputech · ‎09-04-2014

Thanks!

hvcomputech · ‎09-03-2014

what known bug is this?

hvcomputech · ‎09-02-2014

Hi, we're planning on upgrading from version 5.0.8 to version 6.x.x. Which version of panos 6 is the most stable? Thanks.

hvcomputech · ‎09-02-2014

All I know is that the way PaloAlto queries scheduled reports and real time reports is different. It has been like this since at least version 3.

hvcomputech · ‎08-19-2014

and the answer was...?

hvcomputech · ‎08-19-2014

Remember that if you put it on the allow list, it will be allowed but it won't be logged.

hvcomputech · ‎08-18-2014

I am exhibiting the same situation where specific users who are allowed access to youtube are getting blocked (whereas the rest are denied access). Logs show Youtube on port 80 allowed through the correct policy, but as soon as it hits port 443, it gets blocked by the lower deny rule assigned to the rest. One change that seemed to work was switching from service 'application-default', to service 'any', which is not ideal.

hvcomputech · ‎06-12-2014

It looks like the web interface stopped responding and crashed. You should open a ticket with tech support. They may be able to restart it via the CLI without rebooting the appliance.

hvcomputech · ‎01-13-2014

I'll try that, thanks!

hvcomputech · ‎01-10-2014

Reviving very old post but nowhere else can I find anything similar. So how does this work? The rule is that "When a user attempts to access a URL and the URL category needs to be determined, the firewall will compare the URL with the following components until a match has been found: 1. Block list of the matching URL profile 2. Allow list of the matching URL profile 3. Custom categories that have been defined 4. DP URL cache 5. MP URL cache 6. Cloud systems" If Allow takes precedence over Custom categories, how can you see the allowed sites? i.e. if I put *.facebook.com and facebook.com in the URL Filtering Allow list, and also add them to a custom URL category called "show_me_allowed", and set the custom Alert Category list to be "Alert", when i browse to Facebook and look at the URL log, I still cannot see it because Allow supersedes Custom. Theoretically: How do we prove that a user who is allowed to access a site during work hours also accessed (or didn't) the site at other times if we can't see it? We do not use the PaloAlto schedules feature. Thanks.

hvcomputech · ‎01-02-2014

Isn't this missing a step? Where is the "cmd eq edit" or the "cmd eq commit" (for submissions) defined in this configuration?

hvcomputech · ‎12-12-2013

Same here. Our solution was to disable "logging" in the Palo Alto User Agent on our DC and then restart the service (no restart, no change) . That made it stop doing DNS lookups worldwide. We noticed the activity when it started hitting countries we have blocked after we think tech support maybe changed it to debug mode.

hvcomputech · ‎07-11-2013

I too would like that. I'd go even further, like the ability to block or restrict any toolbar from installation (yahoo, google, weather-related, coupon printer,...)

hvcomputech · ‎05-13-2013

What version of PaloAlto are you on? Older versions use esp, newer ones use api, so try this: https:// hostname /api?type=config&key= keyvalue &action=show&xpath=devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules

hvcomputech · ‎11-14-2012

Did you convert the certificate file from .pfx to .pem? The key and certificate can be imported separately.

hvcomputech · ‎11-14-2012

In my case I didn't change anything and it works again: "description contains 'URL filtering database was upgraded from version 3980 to version 3981 by the auto-update agent'"

Date Registered	‎07-19-2011 11:25 AM
Date Last Visited	‎02-12-2020 08:49 AM
Total Messages Posted	40
Total Likes Received	8

Online Status	Offline
Date Last Visited	‎02-12-2020 08:49 AM

Enterprise

Prisma

Cortex

About hvcomputech