About dyang

One minor update to this is that as of content version 446 (released July 15, 2014), Safe Search enforcement also supports Yandex. ... View more

Hi Cos, There is actually slightly different behavior between BrightCloud and PAN-DB when it comes to HA Active/Passive.  Given that you are using PAN-DB, I will start with that first. In an HA Active/Passive scenario with PAN-DB, only the Active device will connect to the PAN-DB cloud.  When it does connect to the cloud, it will also update the database version number to indicate that it has synced with the latest version in the cloud.  Additionally, the MP cache is backed up every 4 hours, as well as anytime the device is about to restart.  Anytime a backup is generated, that is synced to the Passive device.  Once this happens, the backup is then loaded into the MP cache of the Passive device, which also updates the Passive device's URL filtering database version number.  This is probably what triggered the scenario in which you saw the Passive device get updated (you can verify this by looking at the Monitor-->System Logs).  At this point, if the Passive device ever becomes Active, it at least will have a populated MP cache that's at most 4 hours out of sync with the original Active device. For BrightCloud, the behavior is different in that the MP cache does not get backed up or synced across to the Passive device.  Instead, the Passive device to download the latest BrightCloud database when it flips over to Active. Hope this helps, Doris ... View more

Hi networkadmin, You are correct.  By default, any newly registered domain will be "unknown" in PAN-DB until we've taken a look at it - either manually by our analysts/threat team, or via our crawler (triggered on some event). Our threat team took a look at the list you sent, and they are from a non-critical list published by InfraGard recently.  As mentioned, most of these have been included in PAN-DB already as "malware", but the two exceptions did not resolve, and thus were not included in PAN-DB.  --Doris ... View more

Hi Joanna, Browse time calculations are only available in the User Activity Reports.  If you would like to see this information elsewhere, please contact your SE and have a feature request submitted on your behalf, along with your specific use case. Thanks, Doris ... View more

Hi networkadmin, Generally speaking, for non-malware related URLs, PAN-DB will crawl and categorize domains as we see them.  This can happen either because our crawler has found a new site, someone has submitted a change request for an unknown site, or because a customer device queried our servers for that URL.  As HULK mentioned above, once we see an unknown on our servers, we will put that in a prioritized queue for crawling and classification.  Once we determine a category, it will get included in the next database refresh.  For malware domains, PAN-DB will categorize a URL/IP as malware as long as WildFire has associated it with malicious activity.  Regarding the Cryptolocker lists published by the FBI/Infragard, we do subscribe to such lists, and we will create threat signatures around them, as well as feed the domains/IPs listed into PAN-DB.  For those malware families that utilize DGAs, we will phase in DNS signatures as those domains go live (typically a few days before), and then disable them as they get taken down.  In the past, once we disabled signatures, we also removed the corresponding entries in PAN-DB.  Starting with the most recent InfraGard list (Cryptolocker/GameOverZeus), we started adding all domains at once to PAN-DB, and will keep them categorized as malware until otherwise notified. As for your list of examples, I checked PAN-DB, and we currently categorize all of them as malware with the exception of the first two.  If you have additional examples of URLs from the InfraGard list that is not categorized as malware, please send me a private message and I can check them for you and see what's going on. Thanks, Doris ... View more

Hi matt.rosloniec@amway.com, We had a bug where headers and the rest of the table did not match in certain scenarios, but that was only for CSV exports (this bug was also fixed in PAN-OS 6.0.1).  Can you open a case with Support so we can take a look and investigate further? Thanks, Doris ... View more

Do you know if the logs are displayed correctly on the device?  Also, what version of PAN-OS is running on Panorama?  I know that there was a similar bug that was fixed, so I'm curious as to whether or not this is the same issue or another variant of it. --Doris ... View more

matt.rosloniec@amway.com, Are your logs from a device or from Panorama?  Also, what version of PAN-OS are you running? --Doris ... View more

Hi Sebastian, Generally speaking, if WildFire has identified a downloaded file as malicious, the corresponding domain should also be categorized by PAN-DB as malware.  There are a few exceptions to this, so I'm looking into the reason for your case.  I'll report back as soon as I get more information. --Doris ... View more

Hi Jeff, There should be a corresponding "block" action logged whenever the SafeSearch block page is displayed.  If you are not seeing this, please open a Support case so that we can investigate and address. Thanks, Doris ... View more

Hi asabadin, Is your question why a certain URL is categorized as phishing?  If so, can you provide the URL?  The one you included in your first post is not categorized as phishing by BrightCloud or PAN-DB. --Doris ... View more

Hi Grubbsy, Once you've imported your custom response page, you will need to make sure that your URL filtering profiles are configured accordingly.  For example, if you have uploaded a custom "URL Filtering Continue and Override Page", it will get displayed for any category that is assigned the action of "continue" or "override", so make sure that the categories in question have the right actions assigned to them in your URL filtering profile. Hope this helps, Doris ... View more

Hi Nelson, My explanation above was specific to PAN-DB.  With BrightCloud, we do not sync anything - both the active and passive devices need to be setup to download BrightCloud updates. --Doris ... View more

This is correct.  If you are in an Active/Passive mode, only the Active device will do cloud lookups.  The Passive device will not do this unless it becomes active.  As HULK mentioned, however, we do periodically backup the MP cache on the Active device and sync it to the Passive.  When this happens, you should see the version number on the Passive device increment.  There was a bug regarding the version number not updating, but that should be fixed with PAN-OS 6.0.1 Hope this helps, Doris ... View more

Hi Nalin, As mentioned in my response, URLs that are initially categorized as unknown in PAN-DB should be categorized within a couple of days, as there is an automatic process that goes through all unknowns that hit our server.  As you've noticed, using BrightCloud may have its own set of problems, but if you still have a valid PAN-DB license, I would suggest you take a look and see if your unknown URLs eventually do get assigned a category.  Based on your feedback, I'm assuming that you are blocking the "unknown" category.  If this is done to minimize security issues, I have seen some customers allow (alert) on this category, but prevent any file downloads.  Similarly, you can also allow (alert) unknowns, unless they are from a certain country.  You should obviously decide what is best for your network, but perhaps others on this board can chime in on what their strategy is for dealing with unknowns. --Doris ... View more