Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- CN-Series
- VM-Series:
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
- COVID-19 Response Center
About merrydc
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- About merrydc
07-09-2019
9Posts
0Likes
0Solutions
Jul 09, 2019Last Visited
User
Activity
User
Profile
Latest posts by merrydc
| Subject | Views | Posted |
|---|---|---|
| 675 | 03-31-2015 09:27 AM | |
| 480 | 03-31-2015 09:01 AM | |
| 1150 | 08-09-2013 01:39 PM | |
| 962 | 11-02-2010 05:43 AM | |
| 1547 | 08-30-2010 10:44 AM |
User Badges
Community Statistics
| Member Since | 01-07-2010 11:53 AM |
| Date Last Visited | 07-09-2019 12:22 PM |
| Posts | 9 |
03-31-2015
09:27 AM
The log you show is a traffic log. The URL is logged in the Threat log I believe. Below is an excerpt from another discussion on this URL logging subject. In order to forward URL logs, it is necessary to forward Threat logs of Severity "informational" to the Syslog server. Doing so will forward other informational threat logs (Data Filtering) in addition to URL logs. Please refer to the following document for more information on how to configure URL log forwarding to Syslog: How to Forward Threat Logs to Syslog Server
... View more
03-31-2015
09:01 AM
What is the recommended Windows machine to run the user agent for version 6. Our AD servers are at an offsite data center (5 miles away) and we have limited physical access to systems installed at datacenter. If agents are installed at data center they will be virtual machines. We can install on desktop machines at our local building and have better access to machines. How close to AD servers should user agent machines be?
... View more
Labels:
- Labels:
-
User-ID
08-09-2013
01:39 PM
I have implemented the suggested Skype-Probe allow rule in order to block Skype. I have noticed that this rule will also catch traffic that is of the Application type Incomple and Insufficient-data. Just currious as to why it is ending up in this rule when the only application for the rule is skype-probe. A lot of times these non-skype-probe log entries that are caught by the skype-probe rule are associated with traffic that is blocked either by Palo Alto threat or by the endpoint protection at the workstation. I can also see the some incomplete and insufficient-data in our main user rule as well but the majority of these seem to end up in the skype probe rule for some reason (The skype-probe rule is higher than the main user rule but it doesn't catch all of the incomplete/insufficient-data traffic).. Should i set up a special rule for the application type incomplete and insufficient-data in order to keep them together or just let them fall where they may? (I still wonder how they end up in skype-probe though as they don't appear related to skype based on ports used). Thanks.
... View more
11-02-2010
05:43 AM
For data filtering we set a rule to alert for certain downloads (such as .bat, .exe, etc). In the monitor log, all alerts are listed as LOW severity. I have noticed a pattern where a workstation shows a suspicious download such as game.exe or abyzdew.exe (random letters in name) and then starts showing outbound spyware or virus messages. My deduction is the download was some type of malware. Is there a way to have the files being downloaded scanned for malware and alerted in the data filter tab? What is the purpose of the severity column in the data filtering tab as it relates to the "FILE" type of data filter and why does it always show as low. Thanks. Crill
... View more
08-30-2010
10:44 AM
Ok, now for an actual example that I am looking at. In our threat log there are numerous entries for virus type event with id 648197 and a description of "worm/win32.mabezat.0806". This threat is listed as Medium and also using ms-update application. All of the source addresses appear in the msecn.net domain. This looks like a false positive. What does this threat log entry mean? Back to one of my original questions: At what point do we use the capabilities of Palo Alto to block (i.e. prevent) an attack? Do we set a threshold of High and Critcal or do Medium threats need to be blocked as well. I would like to set to block for all threats that are known if that is a possible use of the Palo Alto capabilities. Of course if I am going to potentially also block legitimate traffic that matches the threat then I would have to weigh that in the decision. Thanks, Crill
... View more
08-26-2010
05:37 AM
Thanks Sandeep for your reply, I am still not sure how I can best use the threat feature to prevent an attack. At what point is it safe to make an action BLOCK instead of just ALERT as I have now. In other words I don't want to set an action as BLOCK if there is just a potential for attack. With other tools, I have seen vulnerabilities detected which are mitigated by patches or other measures so the "vulnerabilty" is really a false positive. If on the other hand, the threat listed in the threat log is an absolute attack of a particular vulnerability, then I of course would want to block this. As an example of how to use, lets try this scenario: Suppose there is a vulnerability where a specially crafted GIF file could be used to attack a system. Does the Threat log show this vulnerability every time a GIF file is downloaded OR just when a GIF file has the specific code to attack? If it logs for every GIF then this would be a potential threat we would have to decide when to block. If it logs for only those GIF files that have the attack code then we could set those to block to prevent an attack. If it logs for every GIF just because the potential is there, I don't see how I can use this to prevent an attack. This is my area of confusion. Is there a Best Practice document on how to use the features of the PA to maximize the threat prevention capabilities? Thanks, Crill
... View more
08-25-2010
11:57 AM
When the Threat log shows a vulnerability, is this an actual attack of this vulnerability or is this something that is using software that has this vulnerability? Trying to determine when to act on the vulnerability (i.e. block). If a critical level vunerability is an actual attack then it would be no brainer to just block it but if the vulnerability is just potential to be an attack then blocking could be a problem for legitimate traffic. I need help in understanding what the vulnerability log is telling me. Thanks. Crill
... View more
06-08-2010
09:20 AM
Working for a State Government agency, we are required to keep a record of any official electronic communication. Using public Instant Messaging services creates a problem for us in that we don't have a mechanism for keeping copies of any transactions which are part of a Public Record conversation. In light of this issue we would like to block Instant Messaging. Is there a best practice or method to do this with the Palo Alto? Is the solution just to block the Applications in the instant-messaging sub category? Is there a better way or more efficient way that will catch all IM traffic? Thanks for your help.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-09-2019
12:22 PM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2021 - Palo Alto Networks
