Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- ›
- About drogers
About drogers
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
09-02-2020
21Posts
13Likes
10Solutions
Sep 02, 2020Last Visited
User
Activity
User
Profile
Latest posts by drogers
| Subject | Views | Posted |
|---|---|---|
| 2957 | 07-30-2019 02:32 PM | |
| 930 | 06-01-2017 12:14 PM | |
| 2636 | 04-19-2017 08:55 AM | |
| 2679 | 04-17-2017 09:32 AM | |
| 2281 | 04-21-2015 09:52 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 2 | 07-30-2019 02:32 PM | |
| 1 | 04-19-2017 08:55 AM | |
| 3 | 04-17-2017 09:32 AM | |
| 1 | 06-28-2012 09:24 AM | |
| 1 | 06-28-2012 09:37 AM |
User Badges
Public Statistics
| Date Registered | 02-16-2010 11:44 AM |
| Date Last Visited | 09-02-2020 07:54 PM |
| Total Messages Posted | 86 |
| Total Likes Received | 13 |
07-30-2019
02:32 PM
2 Kudos
One of the workflows I've seen allows users to select AppIDs on the FW CR form. Depending on your user base you could limit the AppID list to a curated selection, or do something fancy like filter based on which port the user selects. You can pull the AppID DB from the firewalls/Panorama using the API, and the Application Default ports are listed for each AppID, so the data could come from there.
... View more
06-01-2017
12:14 PM
TACACS+ is not a Cisco proprietary protocol. It was developed by Cisco as an extension to TACACS, but they did so openly, submitting a draft RFC and releasing a development kit to allow others to adopt the protocol. There is a more current IETF draft under way as well - https://datatracker.ietf.org/doc/draft-ietf-opsawg-tacacs/ TACACS+ can be used for Authentication, Authorization, and Accounting - a common use case is for command-level authorization on Cisco devices, but that's due more to how long Cisco has been implementing and pushing the standard rather than because that's all it's good for. In many customer environments, it is replacing or has replaced RADIUS as the AAA standard. In the case of a Palo Alto Networks firewall or Panorama, we can leverage TACACS+ to authenticate a user, as well as authorize the user to perform specific functions though the use of a role, all without needing to define each individual user in Panorama or on the firewall. This is exactly the same use case as RADIUS, it's just another (and much more secure) option for doing so.
... View more
04-19-2017
08:55 AM
1 Kudo
Brandon, Yes - in my example 'test' is a custom URL category that I used when I was validating this. The example I was working out was actually for a customer that required a redirect to a 3rd party web server for quarantining users, but you could just as easily use the script to update the DOM to display a completely different set of text / layout based on the URL category. Or you could do as your example pointed out and send users to different landing pages on your own web server. Pretty much anything you can do with javascript can be done in place of the redirect in my script...
... View more
04-17-2017
09:32 AM
3 Kudos
You can actually do this type of thing with a little javascript - here's an example script: <script type="text/javascript">
if ("<category/>" == "test") {
window.location="http://www.google.com";
}
</script> If you insert that in the <head> section of your response page, any traffic that matches the category named 'test' will redirect to www.google.com. You can also match on user, file, rule name, etc...
... View more
04-21-2015
09:52 AM
Regex is done in custom hardware, so it's not just a standard off-the-shelf engine, but for these purposes it's close enough to PCRE. In fact since you're just doing a string match simply using Automated_Clearing_House_transaction will work. I created and tested a signature with the following config: and it worked on a test url: The XML for the signature is: drogers@Captain.America# show threats vulnerability 42001 signature <signature> <standard> <entry name="ACH"> <and-condition> <entry name="And Condition 1"> <or-condition> <entry name="Or Condition 1"> <operator> <pattern-match> <pattern>Automated_Clearing_House_transaction</pattern> <context>http-req-uri-path</context> <negate>no</negate> </pattern-match> </operator> </entry> </or-condition> </entry> </and-condition> <order-free>no</order-free> <scope>protocol-data-unit</scope> </entry> </standard> </signature>
... View more
04-21-2015
08:59 AM
For this case you will want to create a custom Vulnerability signature with a pattern match for string in the http-req-uri-path context.
... View more
09-20-2012
10:53 AM
I can think of a couple of options off the top of my head, but either will require a bit of extra work on the scripting side. 1) you could dump/query the ARP table on the AP when you get an auth/join message. I'm not familiar with the tools and APIs available on Ruckus so this may be easy or near impossible. 2) you could monitor your DHCP server as well and correlate the IP/MAC mappings it hands out. Also, what's the backend auth mechanism that your ruckus system is using? Any chance that system (ie a radius server) would log IPs?
... View more
09-18-2012
08:23 AM
2 Kudos
We plan to release coverage for this in today's content update (sig IDs 35017 and 35018). There's always a small possibility plans may change based on QA/soak testing, however I don't expect that to be the case. FWIW, questions of this type will probably get more attention over in the general support area - KnowledgePoint - than here in DevCenter.
... View more
07-05-2012
11:55 AM
Try changing the action to 'block-ip'. Block will only block the packet/session related to the violation, which doesn't work very well for attacks based on cumulative attempts.
... View more
07-03-2012
09:15 AM
When you get it working, please share a sanitized version on DevCenter!
... View more
07-02-2012
11:09 AM
The captive portal response page can only be a single page, however it might be technically possible to create that page with a javascript powered form that could add a user to the local DB. It looks like the API call you'd use would be this: /api/?type=config&action=set&xpath=/config/shared/local-user-database/user/entry[@name='joeuser']&element=<phash>$1$shsipcfw$qQcH/MlxYG1ucCdhTkkMs/</phash> Of course you'll notice that the above command contains a phash, which we can also generate via the API /api/?type=op&cmd=<request><password-hash><password>test</password></password-hash></request> Note that both of the above api calls work as-is if you are currently logged in to the firewall as a superuser. For a js form you wouldn't be, so you would need to generate an API key and use it in your calls. As always, even with obfuscation the API key is potentially extractable and could be used for other purposes, so it's best to ensure that this is only used in a trusted environment.
... View more
07-02-2012
10:43 AM
by the way, the insufficient-data log in the screenshot above is from an open bittorrent session that my new rules blocked. Everything related to pandora fell under the pandora rule, and all other web-browsing and ssl traffic went to the web-browsing rule.
... View more
07-02-2012
10:41 AM
It is easy! However I think perhaps there's some misunderstanding here on the use of URL categories as Policy Match criteria. By defining your rule this way, you are *restricting* it to URLs that match the streaming media category, not opening it up. If you remove the URL category, then the rule (allow pandora) will apply to any URL, including CDNs, ad servers, unknowns, or anything else Pandora relies on. I just mocked this up in my lab, and it works like a charm. Here are the 3 rues I created to apply to my VM: The first rue has a URL filtering profile that blocks the streaming media category. Here are the logs from successfully playing a pandora stream on the VM: Hope this helps.
... View more
06-30-2012
10:22 AM
Sounds about right - trying to manage Apps with URL categories tied to them is problematic. I'd take the URL category out of your Pandora rule and just leave the application control to AppID.
... View more
06-28-2012
09:44 AM
1 Kudo
In general, trying to control applications using URLs is problematic - it tends to work better for blocking apps than for allowing them. For example, in your particular case, blocking access to the pandora.com URL would obviously prevent users from using those services, but the converse is not true due to fun things like ad networks, CDNs, etc. (it's not at all uncommon for web2.0 apps to use dozens of URLs from numerous domains). We generally suggest controlling access to apps such as this via AppID only, as the AppIDs are much more granular and accurate than a single URL ever could be.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-02-2020
07:54 PM
|
Latest Tags
No tags yet
Latest Blogs
Latest Posts
Copyright 2007 - 2021 - Palo Alto Networks
