The log you show is a traffic log. The URL is logged in the Threat log, I believe. Below is an excerpt from another discussion on this URL logging subject: In order to forward URL logs, it is necessary to forward Threat logs of Severity "informational" to the Syslog server. Doing so will forward other informational threat logs (Data Filtering) in addition to URL logs. Please refer to the following document for more information on how to configure URL log forwarding to Syslog: How to Forward Threat Logs to Syslog Server
What is the recommended Windows machine to run the user agent for version 6? Our AD servers are at an offsite data center (5 miles away) and we have limited physical access to systems installed at the datacenter. If agents are installed at the data center they will be virtual machines. We can install on desktop machines at our local building and have better access to those machines. How close to the AD servers should user agent machines be?
I have implemented the suggested Skype-Probe allow rule in order to block Skype. I have noticed that this rule will also catch traffic that is of the Application type incomplete and insufficient-data. Just curious as to why it is ending up in this rule when the only application for the rule is skype-probe. A lot of times these non-skype-probe log entries that are caught by the skype-probe rule are associated with traffic that is blocked either by Palo Alto threat or by the endpoint protection at the workstation. I can also see some incomplete and insufficient-data in our main user rule as well, but the majority of these seem to end up in the skype-probe rule for some reason (the skype-probe rule is higher than the main user rule, but it doesn't catch all of the incomplete/insufficient-data traffic). Should I set up a special rule for the application types incomplete and insufficient-data in order to keep them together, or just let them fall where they may? (I still wonder how they end up in skype-probe, though, as they don't appear related to Skype based on the ports used.) Thanks.
For data filtering we set a rule to alert for certain downloads (such as .bat, .exe, etc.). In the monitor log, all alerts are listed as LOW severity. I have noticed a pattern where a workstation shows a suspicious download such as game.exe or abyzdew.exe (random letters in the name) and then starts showing outbound spyware or virus messages. My deduction is that the download was some type of malware. Is there a way to have the files being downloaded scanned for malware and alerted in the data filter tab? What is the purpose of the severity column in the data filtering tab as it relates to the "FILE" type of data filter, and why does it always show as low? Thanks. Crill
Ok, now for an actual example that I am looking at. In our threat log there are numerous entries for a virus-type event with id 648197 and a description of "worm/win32.mabezat.0806". This threat is listed as Medium and is also using the ms-update application. All of the source addresses appear in the msecn.net domain. This looks like a false positive. What does this threat log entry mean? Back to one of my original questions: At what point do we use the capabilities of Palo Alto to block (i.e. prevent) an attack? Do we set a threshold of High and Critical, or do Medium threats need to be blocked as well? I would like to set to block for all threats that are known, if that is a possible use of the Palo Alto capabilities. Of course, if I am going to potentially also block legitimate traffic that matches the threat, then I would have to weigh that in the decision. Thanks, Crill
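The last post asks where to draw the block/alert line by severity while still allowing for a suspected false positive (threat id 648197 from msecn.net), and the first post notes that URL and data-filtering entries arrive as informational-severity Threat logs alongside real threats. The script below is an added example, not code from any of the posts above and not Palo Alto Networks code: it triages a handful of constructed threat-log records and reports what each block threshold would have blocked once a documented exception is applied. The comma-separated field order, the field names and every log line are assumptions made for illustration; they are not the real PAN-OS syslog layout, and all threat ids other than 648197 are made up.

```python
"""Triage of constructed PAN-OS-style threat log records by severity threshold.

Added example, not code from the forum posts or from Palo Alto Networks.
The field order below is an assumed simplification, not the real PAN-OS
syslog format, and the SAMPLE_LOG lines are constructed for illustration.
"""
import csv
import io
from collections import Counter

# Assumed simplified field order (not the real PAN-OS layout).
FIELDS = ["time", "type", "subtype", "src", "src_host", "app",
          "severity", "threat_id", "threat_name", "action"]

# Severity ordering used to compare a record against the block threshold.
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed records: one URL log, one data-filtering log (FILE type), the
# medium-severity mabezat hit from the post, and three made-up threats.
SAMPLE_LOG = """\
2013-06-01T10:00:00,THREAT,url,10.1.1.5,,web-browsing,informational,9999,example.com/,alert
2013-06-01T10:00:02,THREAT,data,10.1.1.5,,web-browsing,low,60000,exe,alert
2013-06-01T10:00:05,THREAT,virus,65.55.0.10,a.msecn.net,ms-update,medium,648197,worm/win32.mabezat.0806,alert
2013-06-01T10:00:09,THREAT,spyware,10.1.1.7,,unknown-tcp,critical,10001,outbound-beacon,alert
2013-06-01T10:00:11,THREAT,vulnerability,10.1.1.9,,web-browsing,high,30001,exploit-attempt,alert
2013-06-01T10:00:15,THREAT,virus,10.1.1.7,,web-browsing,medium,12345,trojan.generic,alert
"""

# Documented exceptions: (threat id, source hostname suffix). Both must match,
# so the same signature firing from an unrelated host is still treated as real.
KNOWN_FALSE_POSITIVES = (("648197", ".msecn.net"),)


def parse_records(text):
    """Parse comma-separated records in the assumed FIELDS order into dicts."""
    return list(csv.DictReader(io.StringIO(text), fieldnames=FIELDS))


def classify(rec, block_at="high", exceptions=KNOWN_FALSE_POSITIVES):
    """Return url-log, data-filtering, known-fp, block or alert for one record.

    URL and data-filtering subtypes are logging events, not attacks, so they
    are separated out before any severity comparison. Exceptions are checked
    before the threshold so a documented false positive never becomes a block.
    """
    if rec["subtype"] == "url":
        return "url-log"
    if rec["subtype"] == "data":
        return "data-filtering"
    for threat_id, host_suffix in exceptions:
        if rec["threat_id"] == threat_id and rec["src_host"].endswith(host_suffix):
            return "known-fp"
    if SEVERITY_RANK[rec["severity"]] >= SEVERITY_RANK[block_at]:
        return "block"
    return "alert"


def triage(text, block_at="high", exceptions=KNOWN_FALSE_POSITIVES):
    """Count records per disposition for a given block threshold."""
    return dict(Counter(classify(r, block_at, exceptions) for r in parse_records(text)))


def compare_thresholds(text, exceptions=KNOWN_FALSE_POSITIVES):
    """How many records each candidate threshold would block (for weighing the decision)."""
    return {level: triage(text, level, exceptions).get("block", 0)
            for level in ("critical", "high", "medium")}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    print(compare_thresholds(SAMPLE_LOG))
    print(compare_thresholds(SAMPLE_LOG, exceptions=()))
```

Run the comparison with and without the exception list to see the trade-off the post describes: dropping to a Medium threshold on this sample blocks one more record than High, but without the msecn.net exception it would also block the suspected false positive.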