About nsendelbac

nsendelbac · ‎07-18-2019

I set up a test and found out a custom App-ID containing tcp/udp dynamic, and a signature looking for user-agents, will match on traffic on destination ports below 1024, 80 and 443 in this case. So it seems that dynamic refers to all ports. The question now is why the apps I mentioned specify specific ports AND a tcp/dynamic port reference at the same time, if dynamic means all ports? Doesn't make sense.

nsendelbac · ‎07-15-2019

Thanks for the reply. If dynamic refered to all ports, that would not explain why many apps have specific ports listed, as well as tcp/udp dynamic. If dynamic covered all ports, it would be redundant to include others in the same app. e.g. Access-grid tcp/80,8000,20000,20200,dynamic, udp/dynamic apple-appstore tcp/80,443,dynamic baidu-hi-base tcp/443,80,6453,dynamic, udp/2400,2500,dynamic avaya-webalive-base tcp/dynamic, udp/7878,2379 condor tcp/dynamic, udp/9600-9700 Since for each app some ports are explicitly listed and others are dynamic it makes me think that the dynamic range is a common range that an app could select a port from, such as 49152-65535. I believe that the app was observed using the specified ports each session, but different random port(s) established per session as well, from an upper-range that could be 49152-65535 or even 32768-61000. I wonder why there's nothing in the documentation that covers this topic.

nsendelbac · ‎07-10-2019

I'm looking for a definitive answer on what port range "tcp/dynamic" and "udp/dynamic" uses. I would figure that it is 49152-65535, but I have not been able to locate anything in documentation or the community to confirm this.

nsendelbac · ‎06-21-2019

The following KB article states that the File Blocking rulebase is not top-down but based on action precedence. The article fails to mention anything on the function of the application column with regard to processing logic: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGeCAK If for instance, I have a security rule that allows any application, and in the attached File Blocking profile I have a "Block Webmail EXE" rule that blocks on .exe file types, and has Gmail configured in the application column. Next I have a "EXE Alert" file blocking rule that alerts on .exe file types and has "Any" application specified. According to the above article, if a file type matches multiple File Blocking rules, the rule with the highest precedence action will win (block in this case). But what about the application column? If the application being used is web browsing and the "Block Webmail EXE" rule is only configured for Gmail, would it still block the file? Or would it recognize that this session is Web-Browsing, not Gmail, and match instead on the other "EXE Alert" rule?

nsendelbac · ‎03-07-2019

Sure, you could add web-browsing, but then the file blocking profile would apply to much more traffic than the webmail apps I'm trying to alert/block on. I suppose a workaround would be creating a seperate security policy with only the webmail apps specalong with a seperate file blocking profile for it and select 'any' apps in the file blocking profile. Still wondering why there is a limited subset of apps within file blocking profiles though.

nsendelbac · ‎03-04-2019

What is the reason that the Applications field within File Blocking Profiles only allow a subset of all applications? For instance, I have a file blocking profile that alerts on several file extensions for webmail applications I've specified, and I'm trying to add meetup-email, startmail, and zimbra, but these are not available. I thought perhaps the file block profiles only allow applications that have the "Capable of file transfer" characteristic, but all the apps I've mentioned have it.

nsendelbac · ‎02-27-2019

ShiemB, If you're trying to get into Palo Alto I'd focus on networking and cyber security courses, and less so on Microsoft. A good start would be the PCCSA, as its at the Security+ level, but with PAN-specific information, followed by the PCNSA. I would certainly recommend CCNA and CCNA Security for the foundational networking knowledge. CEH would be useful to get a solid understanding of the attacker POV and the type of things we are trying to prevent with the PAN platform. AWS has a well-developed certification program, and since PAN products are deployable into clouds like AWS/Azure/Google Cloud, having an understanding of the cloud would set you ahead. Nick

Member Since	‎04-30-2015 02:06 PM
Date Last Visited	‎06-03-2022 03:12 PM
Posts	15

Online Status	Offline
Date Last Visited	‎06-03-2022 03:12 PM

About nsendelbac

Re: tcp/dynamic port range

Re: tcp/dynamic port range

tcp/dynamic port range

File Blocking rule logic

Re: File Blocking applications

Re: tcp/dynamic port range

Re: tcp/dynamic port range

Re: File Blocking rule logic

Re: File Blocking process

Re: Application dependency behavior

Re: tcp/dynamic port range

Re: tcp/dynamic port range

tcp/dynamic port range

File Blocking rule logic

Re: File Blocking applications

File Blocking applications

Re: Security +

Network Security

Cloud Security

Security Operations

About nsendelbac