This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About markeating
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About markeating
08-18-2015
4Posts
2Likes
1Solution
Aug 18, 2015Last Visited
User
Activity
User
Profile
Latest posts by markeating
| Subject | Views | Posted |
|---|---|---|
| 3903 | 03-15-2013 03:38 AM | |
| 2386 | 03-14-2013 04:04 PM | |
| 2386 | 03-14-2013 08:56 AM | |
| 2612 | 03-14-2013 05:11 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 2 Likes | 03-15-2013 03:38 AM |
User Badges
Community Statistics
| Member Since | 01-19-2011 01:50 AM |
| Date Last Visited | 08-18-2015 09:06 AM |
| Posts | 4 |
| Total Likes Received | 2 |
03-15-2013
03:38 AM
2 Kudos
Hi Eric, have a look at the post I updated ()- gives details of exactly how to do this via a custom app/custom threat signature. I've just done this to do the reverse of what you're trying - allow lookups to an entire domain, but block 1 specific dns entry out of the entire domain, so it is possible.
... View more
03-14-2013
04:04 PM
So after a lot of messing around & finally talking to the righ person, have managed to create the following: A custom app that uses a specific dns name in the signature for identification A custom threat/vulnerability profile using a dns name in the signature for identification In both cases, I can use this new custom signature to allow/block traffic successfully 🙂 It turns out that it's quite simple to do really, and I take no credit for figuring it out as the information is on the Palo Alto site (it just wasn't that easy to find). You need to write the pattern match in hex taken from a Wireshark trace under the dns-req-section context as per the details in this link: I used it last night & had my custom signature working within about 20 minutes of me getting this information.
... View more
03-14-2013
08:56 AM
Thanks, I guess thats a different way of approaching it - instead of blocking/dropping the specific requests, have static dns entries pointing to the alternate IP's. I'll have a go, however not sure of the impact due to the use of certificates & encryption of the comms between client & server, so it may break if the client is connecting to something else. It's worth a try though as I'm struggling to get anything else working right now In theory though, we shoudl be abel to make use of the dns decoders in the custom vulnerability signatures, however I'm yet to find any decent documentation on the use of the decoders & regular expressions, but will keep looking.
... View more
03-14-2013
05:11 AM
Hi all, I've got a bit of a challenge that I'm hoping someone may be able to assist me with. We use GloblaProtect (always on) and it's playing havoc with a few of our apps that can access both internal & external servers (eg: Outlook Anywhere, Lync etc..). The biggest challenge we face is that once GP connects, it is able to resolve the internal DNS entries for those services, and attempts to connect via the vpn. Although we block this traffic, it takes quite a while for the servcies to fail over to use the external access points which can cause user perception issues. The simplest way to get around this is if the client is unable to resolve 3 specific DNS entries on our internal domain, but not block DNS lookups to the whole domain. I believe that we may be able to do this via a custom threat signature, but can't for the life of me get it working & was hoping that someone would be able to help me identify how to write the reg expression & which specific DNS decoder to use as its driving me nuts. for info, I've seen the other similar thread (https://live.paloaltonetworks.com/message/22931#22931), but not sure it's quite the same - although happy to be told otherwise. thanks very much,
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-18-2015
09:06 AM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks