Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Live
- ›
- About Dpeters1
About Dpeters1
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
yesterday
26Posts
8Likes
0Solutions
Dec 03, 2020Last Visited
User
Activity
User
Profile
Latest posts by Dpeters1
| Subject | Views | Posted |
|---|---|---|
| 50 | yesterday | |
| 73 | yesterday | |
| 102 | yesterday | |
| 707 | 02-10-2017 02:53 AM | |
| 1274 | 02-10-2017 02:36 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 | 02-10-2017 02:53 AM | |
| 1 | 04-10-2014 06:03 AM | |
| 1 | 04-10-2014 03:35 AM | |
| 1 | 04-10-2014 05:10 AM | |
| 4 | 04-08-2014 12:01 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 2 | |||
| 3 |
User Badges
Public Statistics
| Date Registered | 05-30-2012 09:18 AM |
| Date Last Visited | yesterday |
| Total Messages Posted | 26 |
| Total Likes Received | 8 |
yesterday
Hello again, managed to cram an hour of tinkering into the end of the day. Not quic. it's blocked at the firewall with an app rule, i also disabled quic in the chrome browser to rule it out totally. However, did make some progress, looking like the http2 decoder on the firewall. We had some similar issues with totally different sites ages ago when 9.0 first came out. (feels like a lifetime ago now) Created an inspection profile with the strip ALPM option checked, this functionally disabled http2 and forces it down to plain old http. Have put in a decrypt rule with URL a custom URL category only containing www.google.com and this option enabled. seems to have fixed it. I wonder if the OP has the same issue, would be cool to hear! Will see how it goes, also going to do some rummaging around and see if it's an issue at other locations and the users just haven't reported anything. Certainly dont see it where I am, but we're PANOS 10.0.2 pilot site!
... View more
yesterday
very true, and a good shout. I'm 99% certain it's blocked on this deployment but could be slipping through the net or getting borked in some way ! I'll check that too. thank you!
... View more
yesterday
Did you get anywhere with this? I've got the same situation at one location, 9.1.5, so probably not firmware related. I found if you disable TLS inspection for a test user/computer the issue goes away, so probably something to do with inspection/decoders. Going to do some more investigation tomorrow. I did some PCAPs and it's very strange, there's just a massive delay in the response, but nothing actually dropped or blocked by the firewall.
... View more
02-10-2017
02:53 AM
1 Kudo
Good Morning, I'm lucky enough to work with a few early adopters and have PANOS8.0 running in several production locations on VM and 3000 series appliances. So far, business as usual with the "old" feature set.... I've now setup Credential Protection on two of these sites, using the RODC method to spot username/password combos, rather than just username. The username only method seemed a little too wide a net to cast. Anyway, it's up and running, but I was hoping some others may be running it too so we could compare notes? My initial findings.. 1) Obviously needs SSL inspection setup and working for all the URL categories you want to inspect for credentials 2) RODC's aren't that complex, but read the notes about groups allowed to sync to the RODC, if they dont sync, it wont work! 3) RODC's seem limited to 1500 sets of cached credentials? Interested in thoughts on how to scale out with domains with many 1000's of users 4) For my testing I used a domain account and typed those credentials into a variety of locations, facebook, linkedin, salesforce, google, outlook.com, several random websites. 5) Every single one was captured by the firewall 6) The continue page seems to use https://IPADDRESSOFWEBSITE:PORT/SOMEOTHERSTUFF, which causes an untrusted certificate error for the user 7) Block and Alert work fine 😎 in production (alert only) Had some false positives for google ads and some referal tracking links, checked with users who can be trusted and they are defintely NOT reusing corporate credetials. 9) Also had some false negatives in testing with the rest of the IT team, intentionally entering domain credentials into website and it doesnt catch them. So in summary, looks VERY promising, but perhaps a few rough edges or some best practice guidance for reducing false positives would be very useful. I dont feel comfortable putting into full production with block pages just yet, but it is providing some useful information. Over to you community!
... View more
02-10-2017
02:36 AM
If you can afford large enough appliances for your throughput requirements, get it done! Huge amount of visbility and control is then at your fingertips. Do check the ARP table limitations of your appliance(s) though, ensure you dont have more hosts than the firewall can handle.
... View more
04-16-2014
03:46 AM
Found this.. 53258—Authenticating access to a file share folder hosted outside of the Active Directory domain was causing the firewall to change the User-IP Mapping to the username and password used to authenticate to the file share folder hosted outside of the Active Directory domain, instead of the Active Directory username and password. Resolved in 5.0.11 So I'll be giving that a try!
... View more
04-16-2014
03:32 AM
Thanks for that... I might be reading it wrong but doesn't it say that was addresses/fixed in 5.0.7 ? Unless it wasn't rolled into 5.0.8 for some reason... Does look very similar though. I'll give a later build of 5.0.x a whirl today and see what happens!
... View more
04-11-2014
04:38 AM
Hi, I've recently seen this a couple of times on completely separate firewalls / AD infrastructures (a 2050 cluster and a 3020 cluster, both running 5.0.8). User ID is setup and working fine along with LDAP group mapping However on the odd occasion users report applications or URL categories blocked that should be allowed. It often "goes away" again soon. I spotted in the URL and Traffic logs, the user is (for short periods) identified just as USERNAME, rather than DOMAIN\USERNAME... This of course does not match rules with usernames specified in them. Any ideas why it may drop the domain name occasionally? Thanks Dave
... View more
Labels:
- Labels:
-
Troubleshooting
-
User-ID
04-10-2014
06:35 AM
no probs Should mention, if you have medium severity threats set to alert in the profile, make sure that the rule for heartbleed is above this! you can shuffle the ordering around in the vuln' protection profile.
... View more
04-10-2014
06:34 AM
I've had problems installing on some 2020 appliances, (3020's have been fine).. I've put it down to crappy management plane resources. try from the cli... request content check then request content upgrade download latest then request content upgrade install latest show jobs id xxxx to see the progress of any of these. Seemed to work for me..
... View more
04-10-2014
06:03 AM
1 Kudo
Just used heartbleed in the threat name on the rule in the Vuln' protection profile and set the action to block This forces traffic to be dropped for the "medium" severity threats related to heartbleed in the 430 update. Effect from one of the online tests will be a timeout and you'll get an event in the threat log. The target system MUST be vulnerable to trigger these signatures, if you've already patched it you wont see anything in the logs.
... View more
04-10-2014
05:10 AM
1 Kudo
Thank you! Got it all working perfectly now at several locations. I also created a custom rule to block/drop those medium severity signatures in the latest update, this results in the online tests failing too (malformed response) to give clients some extra peace of mind. Seeing a large number of IPs from China trying to exploit this! Several days of replacing SSL certificates ahead of me now!
... View more
04-10-2014
03:35 AM
1 Kudo
Are you performing SSL inspection? Still trying to work out if this is required to catch this vulnerability with IPS... Depends if it happens inside an establish TLS tunnel or in clear text I suppose?
... View more
04-08-2014
12:01 PM
4 Kudos
Anyone spoken with support about a Vulnerability Protection signature update to catch this? Or has anyone managed to create a custom signature?
... View more
05-14-2013
10:37 AM
Precisely my thoughts... not keen on using this in production at all! Thanks for the confirmation. regards Dave
... View more
Latest Blogs
Latest Posts
Copyright 2007 - 2020 - Palo Alto Networks
