About jvalentine

Hi, I know this is an old thread but I would like to add a bit more as this is still a current feature of Cortex XDR (formerly known as Traps. Although the installation directory is still called "Traps").   These files are typically not visible even when you are showing hidden files (Windows). They are called "decoy" files (as someone already mentioned). This module is part of the "Malware Profile". They are completely normal and necessary to protect endpoints from ransomware attacks.   When ransomware is doing its thing in your OS, it will try to encrypt the decoy files and Cortex XDR agent will stop the attack.   If the existence of these is not desired, you can check if the current setting is "Aggressive" for Ransomware protection affecting the endpoint in question and switch it to "Normal" which is the default value. However, if your security posture is "zero trust" I would not suggest using the default value which is less strict.     If you ever end up uninstalling the agent, these files will go away. In fact, they go away if you disable the agent for an endpoint. You can confirm this by running the command "attrib" for any directory while the agent is enabled. Then disable the agent and run the same command, you will notice the decoy files are gone (I obviously would not recommend disabling the agent).   ... View more

I know this is an old post, but I just ran into this problem as well. I have two Ring Cameras, one door bell cam and one stick-up cam in my backyard.   All of sudden, both cams stopped showing recorded images and the live feed didn't work. I did get motion alerts, but when I tried to click on live view the image just never showed up.   After some investigation, I found that RING was being stopped by threat prevention in the Palo. In the logs it appeared that there were to instances of calls being made from the inside that hit the Threat policy.   Suspicious TLS Evasion Found on port 443 and Microsoft Communicator INVITE Flood Denial of Service Vulnerability on port 15063   Both of which where informational. To mitigate this I created a new Security Profile where I removed dropping packet that where on informational nature and added that to a policy that matched the predefined RING application.   Once that was done, all feeds and events came right back up. ... View more

Were you able to make the firewall trigger the 33020 signature and therefore trigger the 40021 to block the MS-RDP brute-force?   I have a similar setup at one of my customers site - configured a top-level rule to allow RDP to a specific terminal server, assigned vulnerability profile to block-IP anything in category brute-force, created exceptions for 33020 (changed action to alert) and 40021 (lowered the default value of 40021 from 8 req per 100 sec to 5 req per 100 sec).   I am seeing the ms-rdp requests in Traffic log with action allowed but there is nothing in the Threat log. This is overloading the terminal server making the valid users unable to connect.   Thanks. ... View more

Hi @MP18, I'm trying to understand the best option when putting 2 x PA NGFW's in Active/Passive, each with Vwire's between a Check Point 2-Node Active/Passive Cluster and 2 x L3 Switches.  My specific concern was how the Active PA NGFW would follow the Active Check Point Cluster Node in a fail-over event.  My concern quickly switched however when VSLS was enabled to make the Check Point Cluster Active/Active.  Now I am trying to understand the implications of PA Active/Active Vwire's in a failure scenario. My backup plan is no HA with TCP syn check disabled and to be honest will most likely be the chosen option as we're in emergency response mode for this work. Thanks Ben ... View more

@Todd_Benshoof  this sounds pretty straight forward, do you have a network design?   if you have all L3 (sub)interfaces, and they're all in the same VR, routing will happen automagically (the routing table will be populated with 'connected' networks and route from the get-go)     ... View more

its solved, introducing contrl+v and then ? , its working fine ... View more

@jvalentine   Thanks for your response !!   I have checked the same prior but will recheck it again and let you know the status.    Best Regards, Sahul Hameed  ... View more

Depends on your definition of "support".    My understanding is that today, if you use 0x88A8 ethertype, PAN-OS will treat that as an unknown ethertype and the traffic will receive the same action as any other non-IP protocol (ie: v-wire/L2 will flood w/o setting up flows).  In 8.0, PAN-OS gained the ability to block this using Zone Protection.  There is some limited support when using nested 0x8100 tags, but only for using the outer VLAN.     If you're looking for more functionality than this, please contact your Palo Alto Networks SE and request to be added to the QinQ feature request, along with the specific functionality required.   ... View more