Hulk, yes, it is correct what you are saying, and with the answer of ssharma it looks like this now:
--- URL filtering database (BrightCloud or PAN-DB) for categorization.
--- Application & Threat database & PAN-DB for vulnerability/DNS signature checking.
--- Antivirus database for virus/anti-spyware checking.
Regards, Osman Bor
We are using the BrightCloud URL DB for URL Filtering. Last week we discovered an issue that users can’t access the URL http(s)://www.haalmeeruitjecard.nl. Searching the Palo Alto, we see that it is not blocked by the URL log. BrightCloud gives the URL category “business-and-economy”, and that is allowed. Still the session can’t be set up, and we did not see any block page at all. Looking further, we discovered that it is blocked by the Anti-Spyware rule with the Suspicious DNS Query action. We block Suspicious DNS Queries. In the Threat log was reported: Suspicious DNS Query (www.haalmeeruitjecard.nl)!! Uh, this is a normal site here in the Netherlands. So is it the Threat DB that is causing this??? NO, I found out that the URL is marked in the PAN-DB URL database as malware. Requested a change for PAN-DB, and after this was changed we had no more Suspicious DNS Queries for this URL.
URL: www.haalmeeruitjecard.nl
Previous category: malware
You suggested: financial-services
New category: financial-services
The new categorization is available starting with URL DB version: 2014.09.22.221
Does this mean that the Palo Alto device is using both URL databases to provide protection? Is it then maybe better to migrate to the PAN-DB URL database so that all information is provided from one DB? Thanks for your responses. Osman Bor
Yes, we are running version 391. But we managed to gather more info, and we only see these logs when users visit the salesforce.com website. Salesforce is an App-ID, and there is no Salesforce app detection but SSL app detection and a wrong URL and category. Maybe this info can help.
Yes, these sites are still categorized as "private-ip-addresses" with version 391. I have already cleared my URL cache and dynamic host cache.
I was aware of the problems with 390, and a few hours ago we upgraded to 391, and we still have these URL logs. That's why I posted this, to ask if more people have the same issue. So it seems that 391 still has this issue. Thanks for all responses.
What's wrong with the URL filtering and logging of the Palo Alto FW? We have many URL logs like '%16%03%01/' when users visit SSL websites. Is URL detection for SSL websites broken? Are there other users who have this problem? We are not 100% sure, but it seems this log happens only when Internet Explorer 8 is used. But still investigating. Regards, O. Bor
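An added example (not from the original post and not Palo Alto Networks code) that decodes a URL log value like '%16%03%01/': percent-decoding it gives the bytes 0x16 0x03 0x01, which are the start of a TLS record header (content type 22 = handshake, record version 3.1 = TLS 1.0), so the field contains the first bytes of the client's TLS ClientHello rather than an HTTP path. The content-type and version tables are the standard TLS record-layer values; the sample log values and the function names are constructed for this illustration.

```python
from urllib.parse import unquote_to_bytes

# TLS record-layer content types (RFC 5246, section 6.2.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# Record-layer protocol versions as (major, minor) byte pairs.
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def explain_url_field(value):
    """Percent-decode a URL log field and, if its first three bytes form a TLS
    record header, return what those bytes mean; otherwise return None."""
    raw = unquote_to_bytes(value)
    if len(raw) < 3:
        return None
    ctype, major, minor = raw[0], raw[1], raw[2]
    if ctype not in CONTENT_TYPES or (major, minor) not in VERSIONS:
        return None
    return {
        "content_type": CONTENT_TYPES[ctype],
        "version": VERSIONS[(major, minor)],
        "trailing": raw[3:],  # whatever followed the header in the log field
    }


def tls_looking_fields(values):
    """Return the subset of URL log values that decode to a TLS record header."""
    return [v for v in values if explain_url_field(v) is not None]


# Constructed sample URL log values (hypothetical): two TLS record fragments and two real paths.
SAMPLE_URL_FIELDS = ["%16%03%01/", "%16%03%03%00%C8/", "/index.html", "www.example.test/"]

if __name__ == "__main__":
    for v in SAMPLE_URL_FIELDS:
        print(v, "->", explain_url_field(v))
```

Running this over exported URL log values separates the TLS-handshake entries from real URLs, so the count of '%16%03%01' style entries can be tracked per content update version instead of being read by eye.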
Hello, we are running version 5.0.6 for a few weeks now and it looks very good. We now also see in our threat detection the following threat, "Suspicious DNS Query : ......", and this is blocked. This is very cool, to block spyware and malware at DNS level, but the disadvantage of this is that the source client IP address is always your DNS server. So you need to look into the logs of your DNS server to find out the infected client. But if you have a distributed DNS infrastructure and many DNS servers spread over several locations in Europe, then this is a hard job to do. Why is it not possible to redirect Suspicious DNS Queries to a honeypot IP address so you can then detect the real client's IP address? Maybe a feature request!! Or does someone have a better idea how to deal with this issue? For us, monitoring all the DNS server logs is not an option because we have so many DNS servers spread over many locations. Regards, O. Bor
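The correlation the post describes (the firewall's Suspicious DNS Query threat log names the resolver as source, so the resolver's own query log has to be searched for the real client), as an added example that is not part of the original post and not Palo Alto Networks code. It joins threat log entries to per-resolver query logs on the queried name and a time window, and reports resolvers for which no log is available, which is the failure mode the post is worried about. The threat log records are a constructed, simplified three-column form (real threat logs carry many more fields), the query log lines are constructed in BIND-style query-log format, and all IP addresses, domains and the window size are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: simplified PAN-OS threat-log records as
# (receive time, source IP as seen by the firewall, threat name).
THREAT_LOG = [
    ("2014/09/22 10:15:04", "10.1.1.53", "Suspicious DNS Query (www.bad-example.test)"),
    ("2014/09/22 10:16:30", "10.2.1.53", "Suspicious DNS Query (update.bad-example.test)"),
    ("2014/09/22 10:17:00", "10.3.1.53", "Suspicious DNS Query (www.bad-example.test)"),
]

# Constructed sample: BIND-style query-log lines, keyed by the resolver that wrote them.
# Resolver 10.3.1.53 has no log collected, to show the unresolved case.
DNS_LOGS = {
    "10.1.1.53": [
        "22-Sep-2014 10:15:03.412 client 10.1.5.23#51234: query: www.bad-example.test IN A + (10.1.1.53)",
        "22-Sep-2014 10:15:03.900 client 10.1.5.77#40001: query: www.intranet.test IN A + (10.1.1.53)",
    ],
    "10.2.1.53": [
        "22-Sep-2014 10:16:29.001 client 10.2.8.14#33001: query: update.bad-example.test IN A + (10.2.1.53)",
    ],
}

THREAT_RE = re.compile(r"Suspicious DNS Query \(([^)]+)\)")
BIND_RE = re.compile(r"^(\S+ \S+) client (\d+\.\d+\.\d+\.\d+)#\d+: query: (\S+) IN \w+")


def parse_bind_line(line):
    """Extract timestamp, client IP and queried name from a BIND-style query-log line."""
    m = BIND_RE.match(line)
    if not m:
        return None
    return {
        "time": datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f"),
        "client": m.group(2),
        "qname": m.group(3).rstrip(".").lower(),
    }


def correlate(threat_log, dns_logs, window=timedelta(seconds=10)):
    """For each Suspicious DNS Query entry, find the clients that asked the named
    resolver for the same domain within +/- window of the firewall timestamp."""
    results = []
    for ts, resolver, threat_name in threat_log:
        m = THREAT_RE.search(threat_name)
        if not m:
            continue  # not a Suspicious DNS Query entry
        domain = m.group(1).rstrip(".").lower()
        fw_time = datetime.strptime(ts, "%Y/%m/%d %H:%M:%S")
        clients = set()
        for line in dns_logs.get(resolver, []):
            q = parse_bind_line(line)
            if q and q["qname"] == domain and fw_time - window <= q["time"] <= fw_time + window:
                clients.add(q["client"])
        results.append({
            "domain": domain,
            "resolver": resolver,
            "log_available": resolver in dns_logs,
            "clients": sorted(clients),
        })
    return results


def resolvers_without_logs(results):
    """Resolvers that appeared as threat-log source but whose query log was not collected."""
    return sorted({r["resolver"] for r in results if not r["log_available"]})


if __name__ == "__main__":
    for r in correlate(THREAT_LOG, DNS_LOGS):
        print(r)
    print("resolvers with no log collected:", resolvers_without_logs(correlate(THREAT_LOG, DNS_LOGS)))
```

The window has to be generous enough to cover clock skew between firewall and resolvers; the list from resolvers_without_logs shows exactly which sites would still need their query logs shipped before every hit can be attributed to a client.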
Hi, I was wondering if there are any plans or a method to detect Office 365 traffic? We have no URL scanning license on the box, so we depend on the App detection method. Because all traffic is an SSL connection, Palo Alto reports the traffic as the general SSL application. Many thanks for any suggestion about my issue.