cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

About merrydc

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Re: we are not getting URL in syslogs, is there any way to URL in syslogs?

by in General Topics
‎03-31-2015 09:27 AM
‎03-31-2015 09:27 AM
The log you show is a traffic log.  The URL is logged in the Threat log I believe.  Below is an excerpt from another discussion on this URL logging subject. In order to forward URL logs, it is necessary to forward Threat logs of Severity "informational" to the Syslog server. Doing so will forward other informational threat logs (Data Filtering) in addition to URL logs. Please refer to the following document for more information on how to configure URL log forwarding to Syslog: How to Forward Threat Logs to Syslog Server ... View more

User agent recommended placement

by in General Topics
‎03-31-2015 09:01 AM
‎03-31-2015 09:01 AM
What is the recommended Windows machine to run the user agent for version 6. Our AD servers are at an offsite data center (5 miles away) and we have limited physical access to systems installed at datacenter.  If agents are installed at data center they will be virtual machines.  We can install on desktop machines at our local building and have better access to machines.  How close to AD servers should user agent machines be? ... View more
Labels:

Skype-probe rule catching other traffic

by in General Topics
‎08-09-2013 01:39 PM
‎08-09-2013 01:39 PM
I have implemented the suggested Skype-Probe allow rule in order to block Skype.  I have noticed that this rule will also catch traffic that is of the Application type Incomple and Insufficient-data.  Just currious as to why it is ending up in this rule when the only application for the rule is skype-probe.  A lot of times these non-skype-probe log entries that are caught by the skype-probe rule are associated with traffic that is blocked either by Palo Alto threat or by the endpoint protection at the workstation. I can also see the some incomplete and insufficient-data in our main user rule as well but the majority of these seem to end up in the skype probe rule for some reason (The skype-probe rule is higher than the main user rule but it doesn't catch all of the incomplete/insufficient-data traffic).. Should i set up a special rule for the application type incomplete and insufficient-data in order to keep them together or just let them fall where they may?  (I still wonder how they end up in skype-probe though as they don't appear related to skype based on ports used). Thanks. ... View more

Data filter - Blocking suspicious downloads

by in General Topics
‎11-02-2010 05:43 AM
‎11-02-2010 05:43 AM
For data filtering we set a rule to alert for certain downloads (such as .bat, .exe, etc).  In the monitor log, all alerts are listed as LOW severity.  I have noticed a pattern where a workstation shows a suspicious download such as game.exe or abyzdew.exe (random letters in name) and then starts showing outbound spyware or virus messages.  My deduction is the download was some type of malware. Is there a way to have the files being downloaded scanned for malware and alerted in the data filter tab?  What is the purpose of the severity column in the data filtering tab as it relates to the "FILE" type of data filter and why does it always show as low. Thanks. Crill ... View more

Re: Acting on Vulnerability threats

by in General Topics
‎08-30-2010 10:44 AM
‎08-30-2010 10:44 AM
Ok, now for an actual example that I am looking at. In our threat log there are numerous entries for virus type event with id 648197 and a description of "worm/win32.mabezat.0806".  This threat is listed as Medium and also using ms-update application.  All of the source addresses appear in the msecn.net domain. This looks like a false positive.  What does this threat log entry mean? Back to one of my original questions: At what point do we use the capabilities of Palo Alto to block (i.e. prevent) an attack? Do we set a threshold of High and Critcal or do Medium threats need to be blocked as well.  I would like to set to block for all threats that are known if that is a possible use of the Palo Alto capabilities.  Of course if I am going to potentially also block legitimate traffic that matches the threat then I would have to weigh that in the decision. Thanks, Crill ... View more

Re: Acting on Vulnerability threats

by in General Topics
‎08-26-2010 05:37 AM
‎08-26-2010 05:37 AM
Thanks Sandeep for your reply, I am still not sure how I can best use the threat feature to prevent an attack.  At what point is it safe to make an action BLOCK instead of just ALERT as I have now. In other words I don't want to set an action as BLOCK if there is just a potential for attack.  With other tools, I have seen vulnerabilities detected which are mitigated by patches or other measures so the "vulnerabilty" is really a false positive. If on the other hand, the threat listed in the threat log is an absolute attack of a particular vulnerability, then I of course would want to block this. As an example of how to use, lets try this scenario: Suppose there is a vulnerability where a specially crafted GIF file could be used to attack a system.  Does the Threat log show this vulnerability every time a GIF file is downloaded OR just when a GIF file has the specific code to attack? If it logs for every GIF then this would be a potential threat we would have to decide when to block.  If it logs for only those GIF files that have the attack code then we could set those to block to prevent an attack. If it logs for every GIF just because the potential is there, I don't see how I can use this to prevent an attack.  This is my area of confusion.  Is there a Best Practice document on how to use the features of the PA to maximize the threat prevention capabilities? Thanks, Crill ... View more

Acting on Vulnerability threats

by in General Topics
‎08-25-2010 11:57 AM
‎08-25-2010 11:57 AM
When the Threat log shows a vulnerability, is this an actual attack of this vulnerability or is this something that is using software that has this vulnerability? Trying to determine when to act on the vulnerability (i.e. block). If a critical level vunerability is an actual attack then it would be no brainer to just block it but if the vulnerability is just potential to be an attack then blocking could be a problem for legitimate traffic.  I need help in understanding what the vulnerability log is telling me. Thanks. Crill ... View more

Best method to block Instant Messaging

by in General Topics
‎06-08-2010 09:20 AM
‎06-08-2010 09:20 AM
Working for a State Government agency, we are required to keep a record of any official electronic communication.  Using public Instant Messaging services creates a problem for us in that we don't have a mechanism for keeping copies of any transactions which are part of a Public Record conversation. In light of this issue we would like to block Instant Messaging.  Is there a best practice or method to do this with the Palo Alto?  Is the solution just to block the Applications in the instant-messaging sub category?  Is there a better way or more efficient way that will catch all IM traffic? Thanks for your help. ... View more
merrydc
‎07-09-2019
since ‎01-07-2010
L1 Bithead
User Activity
User Profile
User Badges
Public Statistics
Date Registered ‎01-07-2010 11:53 AM
Date Last Visited ‎07-09-2019 12:22 PM
Total Messages Posted 9
Ask Questions Get Answers Join the Live Community
Contact Me
Online Status
Offline
Date Last Visited
‎07-09-2019 12:22 PM
Latest Tags
No tags yet
Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2020 - Palo Alto Networks