This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About RepartoSistemi
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About RepartoSistemi
02-25-2022
10Posts
0Likes
0Solutions
Feb 25, 2022Last Visited
User
Activity
User
Profile
Latest posts by RepartoSistemi
| Subject | Views | Posted |
|---|---|---|
| 2240 | 09-11-2017 03:58 AM | |
| 2257 | 09-08-2017 08:16 AM | |
| 2838 | 04-28-2017 07:52 AM | |
| 2329 | 05-24-2016 12:27 AM | |
| 7693 | 05-20-2016 12:22 AM | |
| 7705 | 05-19-2016 08:29 AM | |
| 7717 | 05-19-2016 03:37 AM | |
| 7871 | 05-17-2016 08:02 AM | |
| 7875 | 05-17-2016 07:47 AM | |
| 8920 | 05-17-2016 07:12 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 2 Likes |
User Badges
Community Statistics
| Member Since | 05-17-2016 06:49 AM |
| Date Last Visited | 02-25-2022 06:51 AM |
| Posts | 10 |
09-11-2017
03:58 AM
Yes "SSL/TLS failback" is the best solution, but not resolve my problem. Our company have a youtube channel where trasmit some LIVE events....and the internal users that want watch live events must have the Resctricted Mode = off (this a youtube policy). This is a loop. If enable Safe Search Enforcement for youtue, I cannot watch live events but respect my company security policies. then disable Safe Search Enforcement for youtue, I can watch live events but I'm out of company sec.pol. ..sob
... View more
09-08-2017
08:16 AM
On a rule with open the following service: - service-http - service-https - udp-443 and with URL Filtering profile where is enabled Safe Search Enforcement if a user use Chrome, and set up Resctricted Mode = off in youtube site, he can see any type of video without any problem. If I remove udp-443 and force the Chrome failback on SSL/TLS, if set up Resctricted Mode = off in youtube site, Palo Alto deny the visualizzation for all type of video. Someone know a workaround ?
... View more
04-28-2017
07:52 AM
This configuration it's for a very particular case on my site. I have three links with two ISP (for example: ISP1a,ISP1b,ISP2) I cannot annunce at the same time my entire class over ISP1a and ISP1b for two reason: 1) BGP loop problem 2) For ISP commercial reasons only one line can transport traffic at time. I want: Annunce my entire class over ISP1a,ISP2 with two different local preference. Only in the case BOTH link (ISP1a,ISP2) failure, start to annunce my entire class to ISP1b. It's possible with Palo Alto ? How? Regards Max
... View more
05-20-2016
12:22 AM
Sorry I had atteched a worg file, this is the current signatures xml.
... View more
05-19-2016
08:29 AM
I try combination of:
-both CONDITION in OR or in AND
-SCOPE as Transaction or Session
-Context Unknown-req-tcp-payload or telnet-req-client-data
-Ordered Condition Match flagged or not flagged.
... View more
05-19-2016
03:37 AM
Ok RCole, I went in deep.
After change the signature Palo Alto recognize logoff process as Cisco Jabber (cti_cisco) application, but for the login process the result is "insufficent-data".
Summary of example transaction:
CISCO Jabber logoff => tcp.src 51084 tcp.dst 2748
CISCO Jabber login => tcp.src 51351 tcp.dst 2748
thake a look of this picture:
And you know something even stranger?
Take a look on the logoff/login process from the following tcpdump:
On the logoff process we dont have any byte like our singature, and this is RECOGNISED as cti_cisco, instead on the login process we have some byte equal the singature, and this is NOT recognized, it's insufficend-data.
?????????
Crazy! I get hold of the wrong end of the stick ?
... View more
05-17-2016
08:02 AM
Ok bypass the limitation
-Download this file.
-Rename it to download.rar
-Exctract two file (a unusefull jpg, and the dump file)
The dump it's take from my Desktop (192.168.3.117) when jabber login to remote server (192.168.32.40)
I send only the first transaction packet because inside the other packet I have in cleartext some reserved information.
Regards
Max
... View more
05-17-2016
07:47 AM
Yes it's possible, but I cannot attach the pcap file on my post. Perhaps a account limitation ?
... View more
05-17-2016
07:12 AM
Hi, I try to create a custom signature for Jabber CTI (http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/port/9_0_1/CUCM_BK_T98E8963_00_tcp-port-usage-guide-90/CUCM_BK_T98E8963_00_tcp-port-usage-guide-90_chapter_01.html) running on port 2748.
The packet dump give me this result for the client request:
5e 00 00 00 00 00 00 00 dd dd ff ff 00 00 0f 00 ^....... ........ 36 01 00 00 20 00 00 00 24 00 00 00 22 00 00 00 6... ... $..."... 01 00 00 00 44 00 00 00 0b 00 00 00 4f 00 00 00 ....D... ....O... 04 00 00 00 53 00 00 00 07 00 00 00 5a 00 00 00 ....S... ....Z... 0c 00 00 00 55 43 50 72 6f 76 69 64 65 72 00 31 ....UCPr ovider.1 2e 30 00 53 68 69 62 75 69 00 43 69 73 63 6f 20 .0.Shibu i.Cisco 4a 54 41 50 49 00 JTAPI.
and I want to intercept the string " UCProvider 1.0"
I tried with a signatures with:
parent App: jabber
port: tcp/2748
Signature: Pattern Match
Scope: Session (also I tried with Transaction )
Context: unknown-req-tcp-payload (also I tried with unknown-rsp-tcp-payload )
Pattern: follow all the patterns that I've tried, one for a time...
UCProvider 1.0
\x 55 43 50 72 6f 76 69 64 65 72 20 31 2e 30 \x
BUT NOT WORK everytime unknown-tcp or insufficent-data result on traffic monitor
How can resolve this problem without write a policies with any in application and a custom service (tcp/2748) ???
thank you
... View more
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks