About lwheelock

Is the end goal to limit the bandwidth consumed by bittorrent traffic? Session based limits of BT peer connections wouldn't give you as much control over the consumption of bandwidth since a few peers could have high throughput available and it wouldn't scale if you had a sudden increase in BT users.   I would probably look at a QoS policy to limit the max rate of BT traffic. You can apply the QoS profile to a rule specific to BT traffic and even apply it to specific users if you wanted to.    If you are hard set on session limits, I would create a separate service for your BT allow rule that included >1024 and then apply a DoS policy to that service. It should only match on the rule it's used in. I'd name it BT-Ports or something similar so it was obvious why it was created separately.  ... View more

Since amplification attacks are typically fragmented UDP packets one option would be to enable zone protection on your Internet facing interface(s). Selecting 'Fragmented Traffic" and/or configuring UDP flood parameters in a zone protection profile and applying it to these interfaces will drop UDP DNS fragments commonly used in amp attacks. I don't recommend using this profile internally unless you've determined if your own DNS implementations are configured correctly. This avoids having to block a specific record type altogether while still dropping the attack traffic. It will also drop UDP responses from resolvers that are not configured to truncate responses 512+ bytes and resume over TCP. ... View more

You're welcome, glad it worked for you! In case you need it, the pattern I'm using is broken down like so. .com \x03 63 6f 6d 00 00 01 00 01\x 03 - Indicates the TLD is 3 bytes 63 6f 6d - com 00 - end of host query 00 01 - A record 00 01 - class IN .ru \x02 72 75 00 00 01 00 01\x 02 - Indicates the TLD is 2 bytes 72 75 - ru You've got the rest. ... View more

My first thought here is to create a custom vulnerability object using a pattern-match on the query. Then make the default action to drop the packet and apply the vulnerability object to a rule (through a new profile or non-default profile). However, custom vulnerability objects using pattern-matching require 7 fixed bytes of data. For example, a DNS query for record type A class IN only contains 4 bytes (0x00010001) in the "dns-req-section" context. So we have a problem, we don't have enough data to pattern-match against for specific record type. Question: Can we use bytes immediately before or after the data we care about to help us out? Maybe. The A record request would typically not contain additional RRs (at least none we can reliably pattern match) so after the query, there is no data to match on. We could match on data before the type A class IN, but then we have to know what the actual query would be (ie. the host, subs, domain, and tld.) There is a compromise if you wouldn't be opposed to some tedium. Within the custom vulnerability object you can create multiple signatures, each that include just the common TLDs (com, org, gov, info). There is a fairly detailed write-up of creating custom threat signatures and I'll also provide an example: Creating Custom Threat Signatures Creating the Object On the device or Panorama go to 'Objects' -> 'Vulnerability' under custom objects. Click 'Add' Give it a Threat ID, Name, Comment etc. I'd just be sure to make the severity 'high' or greater and select 'Drop Packets' as the default action. Click on the Signatures tab. Standard is what you want. Click Add to add a new signature Creating the Patterns You'll want it to be 'Transaction' based and the order shouldn't matter since I'd create 'OR' conditions for different TLDs Add Or Condition (for .com A record queries) Operator - pattern-match Context - dns-req-section Pattern - \x03636f6d0000010001\x Repeat step 2 for other TLDs you want to include. Make sure they are 'Or' conditions and not 'And' or it'll never trigger. This is a 9 byte pattern and if you only care about PTR records making it passed, this shouldn't trigger on false positives. Anyone else using this might want to put it in 'alert' mode and enable packet capture to make sure it doesn't trigger. You should be able to create multiple 'OR' conditions for the .org .info .gov etc domains in the same object. I didn't test that though. My splunk guy gets mad when I shovel a bunch of new logs into the indexer without telling him Hope this achieves what you want. ... View more

No such admin role. Admin role is sent via VSA in RADIUS accept message. ... View more

Tested in 5.0.6 and it is still an issue. ... View more

The document is somewhat misleading in that it's suggesting you use an interface dedicated for traffic to bind your user-id service to. This may not always be desirable. Alternatively, if you wish to use the management interface as the agent you can configure this under Setup - > Management -> Management Interface Settings and checking the box next to Userid in 'Services'. ... View more

Thank you, that was what I needed. ... View more

What about on 4.x.x versions where the group information comes from the Firewall itself? ... View more