We came into the office this morning to receive reports from users that they weren't able to access their core application, which runs on Apache web server. When they log in, the Internet Explorer URL directs the users to www[whatever-url]com/login.jsp. Our clients download the file login.jsp when they access the login portal for the webpage. The firewall is blocking this file in accordance with signature ID 31313 (Oracle single sign on vulnerability). This behavior has been true for as long as I can remember, but suddenly our PA-3020 running PAN-OS 7.1.1 decided to block this file as a threat. We were able to quickly resolve this issue with a vulnerability protection exemption to allow this threat signature for a specific IP address.

What I'm now working on is to determine what caused this sudden change in behavior that resulted in the file being blocked. Our firewall did take an app and threats update yesterday around 1:45pm (panupv2-all-contents-8069-5027). However, the vulnerability signature that was being blocked was 31313, which is not mentioned in the latest update release, and I know this signature has existed for a long time now. Has anyone ever seen this sort of sudden change of behavior in the past? Or any advice on places to check in the Palo Alto for more clues on what may have occurred?