About Quinton

Quinton · ‎02-12-2015

Wireless is no problem. Are these devices part of the Windows domain?

Quinton · ‎02-05-2015

Sounds like the user is caching out. Nothing to do with the application. I'm assuming these computers are part of the domain since you do pick up the user initially through the user-ID agent. Did you enable "Server session monitoring" in the userID agent? Also is WMI probing enabled and working? Both these mechanisms will help keep the user to IP mappings fresh.

Quinton · ‎08-04-2014

I've tried creating a custom app as well. It seems like the built-in app-ID protocol decoders identify the application first and then skips my custom application all together. I guess the sequence of matching applications is first the pre-defined application database, then unknown apps are matched against any custom defined applications. App override works but that opens a huge whole in firewall by disabling DPI on the port range specified.

Quinton · ‎08-04-2014

If I'm not mistaken, technically a custom vulnerability signature should work regardless of source and/or destination ports. Key variable here is source IP which is constant (customer). Basically a security rule is created with the application specified as "bittorrent". The packets are handed over for content checking (vulnerability profile) once the rule matches a bittorrent session. So the custom vulnerability signature only checks the packets for the pattern specified in the custom vulnerability signature. It does not look at ports at all in the signature. So the action of the custom vulnerability filter (combination) is based on how many times the pattern was seen in x amount of time. The missing ingredient is access to the p2p context in the pattern match criteria in the PAN Web interface.

Quinton · ‎08-04-2014

Thanks Phil. What about only allowing bittorrent on a set amount of ports (<customer src ip>:[50000-55000]) and then do DOS on that? Kinda forces the torrent clients into a manageable "space"? QoS will work to a certain extent. You can still hit extremely high session counts on very little bandwidth. For example I can saturate the session table on a PA3020 with a 100 x 1Mbps customers all running bittorrent. Even if you QoS it down to 50Mbps or less on the PAN. QoS will drop individual packets in a session, but the sessions will stay open which is the problem. I'll check into caching out the bittorrent sessions quicker. Very seldom that a session idles in bittorrent. Caching out the sessions earlier might increase the TCP chatter of the bittorrent protocol trying to reestablish closed sessions.

Quinton · ‎08-01-2014

Hi devcenter I've been reading the document on Application DDoS mitigation techniques using vulnerability signatures ( Application DDoS Mitigation ). I've been experimenting with the concept of "session limiting" bittorrent connections in this manner. I can't get my signature to match though. Guessing it is because I need to use a p2p context in the signature and not unknown? Is there any way to get this to work? Or maybe some other technique that can be used to "session limit" bittorrent connections, not QoS using bandwidth statements. From an ISP perspective it would be advantageous to be able to "session limit" bittorrent connections using PAN - i.e. limit amount of active bittorrent sessions per ISP customer source IP. Bittorrent connections from a hundred odd customers each with couple Mbps per WAN link floods the session table on the PAN at very very low throughput. Almost 90% of the time the session table is filled with 80% bittorrent connections ("show session all filter count yes application bittorrent").

Quinton · ‎02-06-2014

I'll have a look at ms.log next time when I see the issue again. Thanks

Quinton · ‎01-30-2014

So far so good. Seems pretty solid. Only issue I found thus far is the dynamic content error when upgrading from 5.x to 6.0. The dynamic content page gives an error and it does not scan traffic for threats.

Quinton · ‎01-30-2014

Getting the same issue. Had it at two sites already. I manually upload and install the content package and leave the firewall for a bit. It seems to come right by itself... Nothing else worked

Quinton · ‎11-18-2013

What happens in the following situation: 1) Client goes home and connects via wireless to his wifi network at home 2) GP automatically establishes a VPN to the office and sets the GP tunnel as the default route (0.0.0.0/0 -> GP tunnel) 3) Client now connects a 3G dongle to his laptop and establishes a 3G connection. The 3G connection now installs a 0.0.0.0/0 -> 3G This would allow the client to access the internet without going via GP?

Quinton · ‎08-15-2013

Work perfect thanks

Quinton · ‎08-15-2013

Does anybody know what the commands are to view the current settings?

Quinton · ‎06-25-2013

Sorry was in response to your statement " Syslog server isn't a problem but as I remember that API uses administrator provilages of PAN, I wouldn't share that credentials ". I don't think you need PAN credentials if you use the user-id agent. The firewall API requires an username and password to upload user mappings. The software user-id agent running on a windows PC does not need PAN admin credentials to upload user mappings. You only need to configure the connection between the user-id agent and the firewall. The script extracts user to IP mappings and injects it to the user-id agent running on windows. Hope my explanation makes sense

Quinton · ‎06-25-2013

You could use user-ID XML API of User-ID agent on a windows PC?

Quinton · ‎06-19-2013

Another option could be Dynamic block lists?

Quinton · ‎06-19-2013

You could also use Dynamic address objects? Your script basically updates a txt file stored on some http server. This txt file contains a list of IP addresses you extracted from Splunk. Then you define a dynamic address object in PANOS referencing this txt file. The dynamic address object can then be used in your security rules as a source address or destination address.

Quinton · ‎06-19-2013

Nice to have: Ability to select the threat action from a threat log message - i.e. If a threat is logged ("alert"), the administrator can open the threat log and select a new action such as "block" or "reset" etc. The new action is updated in the corresponding threat profile. MUST HAVE: SSD's for the win!!! :smileycool: all models

Quinton · ‎04-22-2013

GP for iOS and Android requires a gateway license

Quinton · ‎03-19-2013

What XML files are you referring to and where are they located?

Quinton · ‎03-18-2013

Yes works great. Just need to do a couple of things. 1) You need a CA to issue certs. The Palo firewall can act as a CA if you don't have one 2) Then you need to configure a certificate authenication profile 3) Next configure both the portal and the gateway to use the certificate authentication profile 4) You will also need to install the client certificate on the client PC This will allow you to have 2 factor authentication.

Quinton · ‎03-18-2013

You'll first have to upgrade to the PANOS 5 base image - i.e. 5.0.0 first then 5.0.3. My experience so far with 5.0.2 and 5.0.3 is great. No issues seen thus far. The built-in agentless User-ID is a nice addition. Overall the performance is much better in terms of commit times, generating reports and searching the logs.

Quinton · ‎03-13-2013

You could maybe do a custom report which includes the column "quarter hour" and "count". This could give you an idea of which IP's are hitting Google and how many times per 15 minutes. You'll have to add multiple IP's in the query builder for Google since Google does some sort of DNS inbound load balancing. Non-authoritative answer: Name: www.google.com Addresses: 2c0f:fb50:4002:801::1013 74.125.233.82 74.125.233.83 74.125.233.81 74.125.233.84 74.125.233.80

Quinton · ‎03-13-2013

We upgraded some of our end users to PAN-DB from Brightcloud. You need to request an upgrade from URL2 to URL4 I think. Technically it should zero out on the invoice since the transaction is done pro rata. It can be done at any point, as long as the Brightcloud license is valid of course

Quinton · ‎03-13-2013

Does it improve on commit times? Also does it improve the speed at which reports are generated?

Quinton · ‎03-13-2013

Nice work man. Busy reading. Saw something in your file blocking profile that can be configured differently to ensure that only the correct file types are forwarded to Wildfire - I believe the correct file type for Wildfire is "PE". This of course includes .exe and .dll.

Quinton · ‎03-13-2013

It does not look like the error is related to certs imo... It seems like the GP agent cannot connect to the GP gateway IP on E1/1 after authenticating to the portal on E1/4 - there is no asymmetrical routing issue here. Seems like a sensible config since the portal only pushes down settings to the GP client and then "quits". The GP agent then decides which gateway to connect to based on the settings pushed down from the portal. Thus there cannot be a asymmetrical route issue since the portal and gateway are not linked in anyway. As you mentioned, changing the portal from E1/4 to E1/1 causes it to fail as well. How about trying to setup the GP portal and gateway on E1/4 as a test?

Quinton · ‎03-06-2013

On box CSR generation is implemented and working in PANOS 5.x

Quinton · ‎10-09-2012

I'm interested in those Zabbix templates thanks. Would you mind posting them?

Quinton · ‎10-01-2012

Just for interest sake try flushing the session table and retest - "clear session all"

Quinton · ‎09-16-2012

The Microsoft link by Shashank helped thanks. Turns out WinXP SP2's HTTP engine does not support a required SSL function for client <> server cert exchange. Updating to WinXP SP3 sorted the issue.

Date Registered	‎04-16-2012 02:33 AM
Date Last Visited	‎09-12-2016 02:13 AM
Total Messages Posted	66
Total Likes Received	17

Online Status	Offline
Date Last Visited	‎09-12-2016 02:13 AM

Strata

Prisma

Cortex

About Quinton