This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About JTR
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About JTR
08-18-2015
31Posts
2Likes
0Solutions
Aug 18, 2015Last Visited
User
Activity
User
Profile
Latest posts by JTR
| Subject | Views | Posted |
|---|---|---|
| 2707 | 03-17-2014 09:45 PM | |
| 6756 | 10-10-2013 01:39 AM | |
| 7265 | 10-06-2013 07:46 PM | |
| 7518 | 10-01-2013 06:18 PM | |
| 5595 | 09-06-2013 12:05 AM | |
| 3559 | 09-05-2013 11:32 PM | |
| 5699 | 09-05-2013 10:27 PM | |
| 3397 | 09-04-2013 09:58 PM | |
| 3558 | 09-04-2013 07:41 PM | |
| 3801 | 08-30-2013 03:49 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 06-18-2013 10:36 PM | |
| 1 Like | 05-14-2013 11:48 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 Like |
User Badges
Community Statistics
| Member Since | 05-01-2012 09:20 PM |
| Date Last Visited | 08-18-2015 09:07 AM |
| Posts | 31 |
| Total Likes Received | 2 |
03-17-2014
09:45 PM
Hello, guys~ One of my customer want to know whether the Pan block web shell or shell script. In my opinion, there's no ips which can block those attacks 100%. Threat prevention of the PA is signature base also, which means if it detects well-known web shell, it might block it. If not, it can't. It's sure that web shell is based on web server application vulnerability or miss configuration. So the basic method to block those attack is secure cording or secure configuration of the web server. But I need to tell the customer the exact information about PA's function. Please don't mention custom signature, there's not so much customer who can make custom signature :smileygrin: Thank you very much.
... View more
10-10-2013
01:39 AM
Really thank you for your kind reply. I have one more question about flow logic. Below red square area. Does this red square means.... 1. PA ignore application category in security policy by setting the app category value from 'something' to 'any'. In the below picture, PA set rule1's application category from 'web-browsing' to 'any', and then do security policy lookup and find out rule2. After PA find out rule2 , PA makes session table , then do the application-ID, then block the 'web-browsing' by using rule1. OR 2. PA checks whether there's any security rule which has 'any' value in app category. In below picture, PA do security rule lookup which has 'any' value in its Application category and find rule2, then setup the session table,and do the App-ID, finally block 'web-browsing'. What does the PA exactly do in the red square process?
... View more
10-06-2013
07:46 PM
Really Thanks Phil. Actually I'm very confused. Do you mean that I shouldn't use URL category in security policy just for blocking some specific URL? Let say I want to block 'www.google.co.kr' URL with custom category in security policy. Are you saying that this is not a good example? It worked just like I make some url profile with google site blocked in black list. Regards,
... View more
10-01-2013
06:18 PM
Hello, Guys, I have one question. First below is the packet flow from "Packet Flow.pdf" document. According to this document ... In the red square, before PA make session table, it checks packet's ip and port (like the legacy L4 firewall), and then after the session created, it check Content, APP-ID. So I made this rule(URL Block). According to packet flow.pdf, 'URL Block' rule should check packet's ip and port first and then should block those packet. >> Am I right? That means that the packet would never go Contents-ID, and APP-ID process. And URL filtering happens in Content ID process. According to the document ,the session should never be created. But in my lab test, it worked fine as the rule made (It worked like as if I used URL filtering profile. If I use URL filtering profile, the action should be 'allow' in security rule, and 'block that category' in url filtering profile.) I just wondering, then what's the difference between in Security policy and Security Profile URL filtering. And I want to hear your opinion. It would be very appreciated if you point out what's my mis-understading. Thank you very much.
... View more
09-05-2013
11:32 PM
Thank you mikand, wish you have a good luck!!
... View more
09-05-2013
10:27 PM
Hi Guys According to document , if there's destination NAT , there'll be second routing lookup to decide outbound zone & interface. But I'm very confused when there's routing and PBF together, In the second routing lookup, how does PBF rule work? Does PBF work based on Pre-NAT destination address or Post-NAT destination address? According to document at the second lookup process works based on POST-NAT destination address, that means if the routing table works fine, it should follow routing table lookup result. But in my customers networks it doesn't look like that.. Using PBF and U-Turn NAT together is really kind of a mess. Thank you very much.
... View more
Labels:
- Labels:
-
Networking
09-04-2013
09:58 PM
Really Thanks HULK, It was very useful. :smileygrin: Have a nice day.
... View more
09-04-2013
07:41 PM
Hi guys, I've found out that our customers PA keeps high management cpu usage, and it seems that this process use most of the resource. what's the 'appweb3' process and why the user is 'nobody'? Is there somebody who can explain this?? Thank you very much ahead.
... View more
Labels:
- Labels:
-
Management
08-30-2013
03:49 PM
Thanks you guys, I think it's not only the PAN's issue. Can I understand that there's no other device which can do this? White list might be a good idea, but it's too hard to sort ssl proxy ips.
... View more
08-30-2013
08:42 AM
Hello guys I'm trying to block some traffic originated from other country. PAN can block those traffics with its source address and regional info. But what if they use some kind of proxy(like ultra surf) to disguise its original source ip and change its ip to domestic ip , and what if they use ssl proxy? If that ssl server is in my country, its source ip will be change to domestic one. PAN can block proxy application originated from its internal network, but it seems hard to block proxied traffic originated from out side area. Do you have any solution for this? Thank you very much. :smileygrin:
... View more
Labels:
- Labels:
-
App-ID
07-03-2013
07:52 PM
CC Attack means Challenge Collapsar Response attack. In south Korea we call this 'Cache-control attack' . To make combination signature we need basic signature. This is my custom signature 41023 which block cache control message based on threshold value. So far I couldn't find any signature for Challenge Collapsar. So I made custom signature for this attack. I used my custom signature 41111 to make custom signature 41023 (combination signature working on threshold value). As you might know, the problem is signature 41111 work before 41023.. you guys have any solutions?? Regards
... View more
06-21-2013
12:07 AM
Dear My Lovely Roh.. Can you send me the custom signature information that you used for the BMT? :smileygrin: Thanks ahead..
... View more
06-19-2013
12:34 AM
I've found one IPS signatures which can block HTTP Slowloris attack.. :smileygrin: Attack Name HTTP: Apache Denial Of Service Attempt Description This event indicates that someone want to exhaust the apache resources, as described by slowloris. Threat ID 40018 References https://threatvault.paloaltonetworks.com/Home/ThreatDetail/40018 Severity high Category brute-force
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-18-2015
09:07 AM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks