About Dpeters1

Dpeters1 · ‎12-21-2020

Thanks for keeping us updated on your TAC case. I'd have raised one but frankly couldnt face it, already got a couple of super weird bug cases open that are taking forever to get to the bottom of! 🙂 The content update didn't help for me unfortunately.

Dpeters1 · ‎12-18-2020

@jmurphy on the firewall, the decoders for various protocols are updates as part of apps and threats updates, and as luck would have it... todays apps and threats has an updated http2 decoder... we had issues with this on different web sites back in 9.0 or 9.1 (feels like a million years ago now) and an updated decoder fixed the issues. that said we're on 10.0.2 now for our main site, and that hasn't been affected. still stumped as to how its not a consistent issue across locations and firewalls.

Dpeters1 · ‎12-10-2020

No, I wasnt able to re-produce in other browsers, although I didn't really try very hard, 99% over browser use is chrome. I've ended up adding a few youtube URLs and some related google video URLs to our "strip ALPN" url category, youtube videos were being very slow to buffer. all a bit ironic really, HTTP/2 is support to be faster than 1.1 🙂 PLEASE PLEASE PLEASE let us know the outcome of your TAC call, I anticipate that we'll see an updated HTTP2 decoder in a future content update. Speaking with some colleagues, they've seen the exact issue but with unrelated websites quite some time ago, and an updates HTTP2 decoder resolved the issue.

Dpeters1 · ‎12-08-2020

Ouch, bad times. Such a weird issue how it's so intermittent between deployments. Have you tried the strip ALPN option on your decrypt profile ?

Dpeters1 · ‎12-04-2020

I think if you allowed quic, chrome would default to that for comms to google services (unless explicitly disabled in the browser settings), so that would also mitigate the issue, but you'd lose content control over all that traffic as the NGFW cant look inside quic at all. I've always blocked quic on all our deployments for as long as I can remember. Well, there's 2 or 3 of us with it on the thread with the issue now! 🙂 Tried hard to recreate in 10.0.2, cant do it. I've checked a location with 9.0.9, doesnt seem to do it their either, this ones a different client so slightly different policy setup, they were actually allowing quic, blocked it, still all working fine. so strange, seems movable... they're all on the same apps/threats which includes the decoder updates. anyway feel like raising a TAC case? 😉

Dpeters1 · ‎12-03-2020

Hello again, managed to cram an hour of tinkering into the end of the day. Not quic. it's blocked at the firewall with an app rule, i also disabled quic in the chrome browser to rule it out totally. However, did make some progress, looking like the http2 decoder on the firewall. We had some similar issues with totally different sites ages ago when 9.0 first came out. (feels like a lifetime ago now) Created an inspection profile with the strip ALPM option checked, this functionally disabled http2 and forces it down to plain old http. Have put in a decrypt rule with URL a custom URL category only containing www.google.com and this option enabled. seems to have fixed it. I wonder if the OP has the same issue, would be cool to hear! Will see how it goes, also going to do some rummaging around and see if it's an issue at other locations and the users just haven't reported anything. Certainly dont see it where I am, but we're PANOS 10.0.2 pilot site!

Dpeters1 · ‎12-03-2020

very true, and a good shout. I'm 99% certain it's blocked on this deployment but could be slipping through the net or getting borked in some way ! I'll check that too. thank you!

Dpeters1 · ‎12-03-2020

Did you get anywhere with this? I've got the same situation at one location, 9.1.5, so probably not firmware related. I found if you disable TLS inspection for a test user/computer the issue goes away, so probably something to do with inspection/decoders. Going to do some more investigation tomorrow. I did some PCAPs and it's very strange, there's just a massive delay in the response, but nothing actually dropped or blocked by the firewall.

Dpeters1 · ‎02-10-2017

Good Morning, I'm lucky enough to work with a few early adopters and have PANOS8.0 running in several production locations on VM and 3000 series appliances. So far, business as usual with the "old" feature set.... I've now setup Credential Protection on two of these sites, using the RODC method to spot username/password combos, rather than just username. The username only method seemed a little too wide a net to cast. Anyway, it's up and running, but I was hoping some others may be running it too so we could compare notes? My initial findings.. 1) Obviously needs SSL inspection setup and working for all the URL categories you want to inspect for credentials 2) RODC's aren't that complex, but read the notes about groups allowed to sync to the RODC, if they dont sync, it wont work! 3) RODC's seem limited to 1500 sets of cached credentials? Interested in thoughts on how to scale out with domains with many 1000's of users 4) For my testing I used a domain account and typed those credentials into a variety of locations, facebook, linkedin, salesforce, google, outlook.com, several random websites. 5) Every single one was captured by the firewall 6) The continue page seems to use https://IPADDRESSOFWEBSITE:PORT/SOMEOTHERSTUFF, which causes an untrusted certificate error for the user 7) Block and Alert work fine 😎 in production (alert only) Had some false positives for google ads and some referal tracking links, checked with users who can be trusted and they are defintely NOT reusing corporate credetials. 9) Also had some false negatives in testing with the rest of the IT team, intentionally entering domain credentials into website and it doesnt catch them. So in summary, looks VERY promising, but perhaps a few rough edges or some best practice guidance for reducing false positives would be very useful. I dont feel comfortable putting into full production with block pages just yet, but it is providing some useful information. Over to you community!

Dpeters1 · ‎02-10-2017

If you can afford large enough appliances for your throughput requirements, get it done! Huge amount of visbility and control is then at your fingertips. Do check the ARP table limitations of your appliance(s) though, ensure you dont have more hosts than the firewall can handle.

Dpeters1 · ‎04-16-2014

Found this.. 53258—Authenticating access to a file share folder hosted outside of the Active Directory domain was causing the firewall to change the User-IP Mapping to the username and password used to authenticate to the file share folder hosted outside of the Active Directory domain, instead of the Active Directory username and password. Resolved in 5.0.11 So I'll be giving that a try!

Dpeters1 · ‎04-16-2014

Thanks for that... I might be reading it wrong but doesn't it say that was addresses/fixed in 5.0.7 ? Unless it wasn't rolled into 5.0.8 for some reason... Does look very similar though. I'll give a later build of 5.0.x a whirl today and see what happens!

Dpeters1 · ‎04-11-2014

Hi, I've recently seen this a couple of times on completely separate firewalls / AD infrastructures (a 2050 cluster and a 3020 cluster, both running 5.0.8). User ID is setup and working fine along with LDAP group mapping However on the odd occasion users report applications or URL categories blocked that should be allowed. It often "goes away" again soon. I spotted in the URL and Traffic logs, the user is (for short periods) identified just as USERNAME, rather than DOMAIN\USERNAME... This of course does not match rules with usernames specified in them. Any ideas why it may drop the domain name occasionally? Thanks Dave

Dpeters1 · ‎04-10-2014

no probs Should mention, if you have medium severity threats set to alert in the profile, make sure that the rule for heartbleed is above this! you can shuffle the ordering around in the vuln' protection profile.

Dpeters1 · ‎04-10-2014

I've had problems installing on some 2020 appliances, (3020's have been fine).. I've put it down to crappy management plane resources. try from the cli... request content check then request content upgrade download latest then request content upgrade install latest show jobs id xxxx to see the progress of any of these. Seemed to work for me..

Member Since	‎05-30-2012 09:18 AM
Date Last Visited	‎12-22-2020 04:49 AM
Posts	31
Total Likes Received	9

Online Status	Offline
Date Last Visited	‎12-22-2020 04:49 AM

About Dpeters1

Re: Slow Google searches on 9.0

Re: Slow Google searches on 9.0

Re: Slow Google searches on 9.0

Re: Slow Google searches on 9.0

Re: Slow Google searches on 9.0

Re: Slow Google searches on 9.0

Corporate Credential Submission / Phishing protection in PANOS 8.0

Re: OpenSSL Heartbleed bug: CVE-2014-0160

Re: OpenSSL Heartbleed bug: CVE-2014-0160

Re: OpenSSL Heartbleed bug: CVE-2014-0160

Re: Slow Google searches on 9.0

Re: Slow Google searches on 9.0

Re: OpenSSL Heartbleed bug: CVE-2014-0160

Re: OpenSSL Heartbleed bug: CVE-2014-0160

Re: Slow Google searches on 9.0

Re: Slow Google searches on 9.0

Re: Slow Google searches on 9.0

Re: Slow Google searches on 9.0

Re: Slow Google searches on 9.0

Re: Slow Google searches on 9.0

Re: Slow Google searches on 9.0

Re: Slow Google searches on 9.0

Corporate Credential Submission / Phishing protection in PANOS 8.0

Re: PANs as internal routers?

Re: User-ID sometimes missing ntlmdomain\ on the firewall

Re: User-ID sometimes missing ntlmdomain\ on the firewall

User-ID sometimes missing ntlmdomain\ on the firewall

Re: OpenSSL Heartbleed bug: CVE-2014-0160

Re: OpenSSL Heartbleed bug: CVE-2014-0160

Network Security

Cloud Security

Security Operations

About Dpeters1