วีดีโอ

Hi Wow, thank you! I am glad it helped so much, thank you as always for watching!

you are very welcome!

Hi, Thank you for the awesome comment! and thank you for watching!

Hi I can honestly say that I have never seen a quic error, I suppose if the browser was now trying to force quic instead of falling back that may happen, but that would be browser side not firewall side, interesting though, I will have to look into it more, can you describe the setup you are using to get those results? Thank you for watching!

Hi, Thank you for the awesome comment! and thank you for watching!

Hi As long as you check and take into account any downgrade restrictions/version control from Palo Alto in upgrade/downgraded considerations docs then yes. Thank you for watching!

Hi, Glad it helped, I have never worked on Fortinet firewalls to be honest so a bit of a mystery to me! Thank you for watching!

Thank you for watching!

Hi That is a really good question and really does get to the problem I see with a lot of security practice today, so the categories vary in the potential for malicious traffic, and with this variance comes the need to put the standards and best practice docs largely to one side, I sinkhole the default-paloalto-dns because it is a Palo provided list of malicious or undesirable domains, and as such is best to sinkhole for reporting as well as security purposes, I would also suggest that C&C domains should be blocked as they serve no purpose, the same can be said for Grayware, Malware and Phishing, Parked domains are a grey area and while not really a 100 percent security risk you may want to block it if you were in a high security government organization just in case, but if you are in a low security environment you may not be that bothered, and the extra reporting and logging could just be noise that you want to tune out, same really for Ad tracking, these drop cookies and actively follow users so depending on your security stance I guess that would also be open to interpretation, However when it comes to things like proxy Avoidance and Anonymizers, if this profile was to added to corporate network access then I cannot see why you would want to allow a user to encrypt their traffic and avoid the vast majority of security measures that are in place, but where this profile is added to Guest networks you would most likely allow it as users are more often than not going to be VPN'd back to their corporate networks and will need that traffic allowed. Finally Newly Registered Domains, in todays hyperscaling cloud environments where DNS is crucial and services can be brought online using newly created domains or local domains, you would weigh up the quantity, if there is only a few then the exceptions list could be the way to go, but if there are likely to an exponential amount then you may want to accept the risks with New Domains, reducing the admin overhead. Hope this helps!

Hi, I have the DNS security Subscription in this video. Thank you for watching!

@@mode4480 Both licenses can provide these DNS controls, but I think the difference is that the DNS security subscription provides a real-time DNS threat DB update service, whereas with the ordinary threat prevention sub you are limited to the once a day update through the threat prevention signature update? Don't quote me on that but thats from what I can deduce so far, it's not exactly that clear.

Hi, Yes the cloud subscriptions can be a little difficult to understand is it is not very clear at all, I have had a look and come up with the following, Threat Prevention - Locally accessed through Anti-Virus and Wildfire Updates DNS Security - Cloud based analysis and ML as well as DGA/DNS tunneling etc Advanced DNS Security - All DNS Responses are sent to cloud for analysis, on PANOS 11.2 and above there are extra features for Hijacking and Domain Misconfiguration detection, ML and realtime analysis That is what I get from the documentation, hopefully that is somewhere near!

Once the variable is created in a template the template is the object that is reused then the variable can be assigned a different value depending on the device that template is attached to, as far as I am aware there is no "global" variable type in panorama that could be used independently across templates. Hope this helps and thank you for watching!

Thank you for watching!

Hi, Within the Palo Alto firewall there are two types of traffic flow with regard to zones, either intrazone or interzone, so if we had a rule with A,B and C zones in both the source and the destination a universal rule would allow intrazone traffic to flow (in this case A to A, B to B, C to C) and interzone traffic, A to B or C if we were to use interzone rule type A to A would not be permitted and if we use intrazone rule type, A to A would be permitted but A to B would not. Also when creating intrazone rules the destination zone is greyed out in the policy making the security policy a little easier to read. Hope this helps, and thank you for watching!

Hi, I will go back over the config and see if I can put together a quick video showing the configs, do you mean the integration on XSOAR to listen for the logs or the Syslog profile on the firewall or both ? I will try and cover both sides, not sure when it will be but I will try and get one soon. Thank you for watching!

@@mode4480 thank you for your quick response. I figured what was configured from the previous video. Another question would be if I can do this with a panorama integration, or just with the firewall?

Hi, Yes, if you were to send the call to Panorama it would populate the list and then that would be updated on all the managed firewalls using that dynamic address group, the log action however that triggers the chain of events would have to come from a firewall, or potentially if you had log collectors configured and they were forwarding to XSOAR, but due to the fact that they do that in a batch fashion and not in real time that wouldn't be as reactive as from the firewalls. Hope that helps!

Thank you very much for watching!

Hi, Sorry for the delay, I thought I'd make a quick video to go through the decrypt profile, hope it helps! Thank you for watching!

Hi, Are you doing SSL decryption? this can be the cause of the issue you are seeing, just thinking about this, you will also see this if you are sending the handshake to the CTD for inspection, as this stops the connection at the handshake if it is in violation of security policy, this then sends a HTTP Reset and will not serve a response page, this setting can be found under the Setup>Session menu, scroll to the bottom and click on the SSL Decryption Settings. Thank you for watching!

Hi, Thank you for the compliment! I don't at the moment, but I setup DUO a long time ago for 2-factor into my XSOAR instance, I can certainly look into it and see what I can put together.

Hi, Thank you for watching so closely! I think that you must be looking at the last login time and session expire times in the bottom left hand corner of the webui, these are the only time signatures I can see displayed on the video, these are not reflective of the actual time the video was shot just the last time logged in, the only thing I can think is that possibly one firewall was set to GMT and one to UTC (UTC does not have summertime) to account for the hour difference, that video was a long time ago now but I certainly don't remember any hour long recovery session, at 9:24 I am failing over the firewalls, as long as the HA is good (which it was) and the sessions were building there is very little that could go wrong. Thanks for watching!

Fashion44 :) is there something I have missed? lol

For the DNS question what I would do is ensure that the sinkhole address is in a zone that means the traffic has to pass through the firewall to get to it, create a rule and log on that or simply run a report for hosts using the sinkhole address for normal traffic say SSL for example, the initial DNS query and DNS security logs will show the proxy as it is the proxy making the DNS lookup but there will also be the hosts that have been given the sinkhole address trying to use it to get out. Hope that is helpful!

Hi, This is more a question of policy, essentially (if I understand your question correctly) SSL decryption rests on the premise that people using a corporate network agree to having their traffic decrypted for inspection purpose based on the fact that they are using somebody else's equipment and infrastructure for work related purposes as opposed to private personal use, so the onus in that case would be on the user to moderate their behavior against what they know is going to be seen, however when it comes to financial information and other privileged data such as health and medical for instance there are multiple laws governing the ability to decrypt this traffic and in every case I am aware of it is deemed illegal and can not be done, therefore the situation would never arise, that is why the no-decrypt policy is as important as decrypt policy. SSL decryption does mean that the traffic would pass through the firewall in plain text so we control what data gets decrypted to ensure the balance of security for users privacy and security and the company providing the infrastructure to the employee / sanctioned user. Hope that helps!

Yep, totally, I heard that on the first pass through but when I checked the final render it seemed to have disappeared, obviously not, will try harder!

Thank you for watching, and a big thank you for subscribing!

@@mode4480 no problem - i work in healthcare and we have palo alto firewalls in our environment HA pair with panorama I want to take my PCNSE any good recommendations on study material?

I would use Tom Piens Book "Mastering Palo Alto networks", and of course the training can be found on Palo Alto's own Beacon platform, it is a good cert to get, good luck with it!

Thank you very much!

Awesome, thank you very much for watching!

Thank you very much for watching!

Thanks for the video, it is perfectly explained the upgrade

There are some other considerations depending on how far back you are going, but as a general rule yes, an example of the downgrade advice from Palo for 10.2 to 10.1 for instance can be found here, docs.paloaltonetworks.com/pan-os/10-2/pan-os-upgrade/upgrade-pan-os/upgradedowngrade-considerations#idabba79e8-9c44-4360-b961-db7f118df20a ( I really need to shorten the URLS but I think sometimes they look dodgy ) let me know if you think a video on downgrade would be useful and I can put one together. Thank you very much for watching!

I feel your pain! there must be an underlying issue somewhere in the device-group that is causing this, I wonder if it is the inheritance? If you get to the bottom of it please share as Panorama is awesome but does come with it's quirks :-) Thank you for watching!

Thank you very much for watching!

Thank you for watching! XSOAR and by extension XSIAM are awesome platforms, these videos are getting a little old now but I am glad they are still helping

Thank you for watching !

Hi When upgrading firewalls there has to be the sessions that are running through that firewall to consider, so in that case I would failover the firewalls to check that there is no issues with traffic while we still have a working known good firewall, this is not the case with Panorama, Panorama is not in the traffic path and therefore we do not have the same considerations as with firewalls, so in this case I would (and have) confirmed that the Panoramas are in sync, check that the firewalls that are connected to one are also showing connected to the other in the HA pair, there is some telemetry between the firewalls and Panorama and so there is some need to make sure that we miss as little information as possible during the upgrade, but for me the most important thing is that the Panorama's are in sync and have the same configuration on both. I have said on other videos that really the process followed is up to the engineer completing the task, for instance simply upgrading the Primary firewall then the secondary would work in theory, but it would be risky, it is the risk tolerance of the engineer and the business that often determines the upgrade procedures, or content updates etc. Hope this helps.

Thank you for watching!

Thank you for watching !

Hi I will admit there is some grey area here that I have not looked into fully since the video, the truth of the matter is that some files that were given the verdict of malicious were then given an allow action but when the file itself was examined although it had completed there was no content to the file, whereas there were other files that did have the action of block, these were exclusively informational severity however. It is worth noting that even in the official Wildfire example from Palo Alto the idea seems to be that once a malicious verdict is determined this allows an admin to block the user involved by virtue of receiving a log of the event, the "Zero day" protection is then based on the fact that a Wildfire signature will be created for the file and that will be available almost immediately based on Wildfire update settings (real-time or 15 minutes are the only ones that make sense) and through Anti-Virus updates at whatever frequency you have them set, meaning that any further occurrences of the malicious file would then be blocked based on signature, these are all provided that the action for the varying signature sources within the Anti-Virus profile are set to do so. Now the question is does this actually provide the Zero-Day protection claimed? well it sort of does but it still requires at least one machine to become infected, there is in version 11.0 and above the option to hold for Wildfire signature lookup which would make more sense to stop even the first person becoming infected, and you could create a log forwarding profile that has a tagging action to block users that trigger Wildfire or Threat log entries to add them to a dynamic block group but you would still have that first infection. The Document with the official Palo Alto Wildfire example can be found here docs.paloaltonetworks.com/advanced-wildfire/administration/advanced-wildfire-overview/advanced-wildfire-example Hope this helps!

Excellent answer and video. I think the confusion for us is that the session goes through and if it already has a threat signature (threat ID) of any kind, Palo does whatever your security profiles are set to, so you may see a malicious verdict but then its allowed. If you search threat logs, you will find that Palo has already taken an action on the sessions threat pass, so that threat may have been a medium vulnerability with the action of allow for example. So its only new or unknown threats that Wildfire has newly identified with a new signature that it will take a wildfire action based on the anti-virus profile wildfire settings @@mode4480

I think you answered that better than me!

Thank you for watching!

Hey, Thank you, it has been a long journey, hopefully get to move more into automation and Prisma soon!

I really wish it was only Fortigates lol, in fairness to Palo the version 11 box is still quite an early release, they don't seem to get into their stride until around the xx.6.x versions, but yes there are multiple bugs to be found, as a rule if I cannot get something to work through the Webui I tend to try command line, it usually solves the problem, it is odd that you have to commit to Panorama for the templates to be set as out-of-sync and a little annoying too, hopefully they will fix it in a later version.

@@mode4480 yeah I'd agree I'd never really look to deploy anything on an FG that's before an x.4 release but still find little annoying things in later releases too. It was good to see the BGP process though even though the bugs 👍

Hi Thank you for the awesome comment! I hope my other videos help too.

Hi Once Wildfire has executed the sample that has been sent which it can do in multiple environments it can then send a verdict to the firewall, if this verdict is malicious in any way then the firewall should block the traffic, the signature of the sample is then downloaded to the firewall in the Wildfire update and eventually the Threat Content Updates.

Hi, I am not quite sure what you are asking ?

Hi Good question, I have had a quick look this morning at this, the issue is that the top level has to be permitted or the initial connection will, of course, be blocked, this means that you would have to create two custom categories one to allow the traffic and one to block all other traffic, this would need a full site map to be loaded into the Palo though as , for instance, a wordpress site would have artifacts required for correct rendering in sub-directories like wp-content for example, I did have mixed success with this, I then tried adding the category as a destination for an Allow rule and a Block rule respectively, this did not work, there was simply not enough control. You should be able to achieve this with the two custom category method but as I say they would have to be very comprehensive. As a note I was testing using standard navigation and not against a redirect however the request still comes from the client in both cases. Hope this helps a little!

Thank you for watching!

Thanks for the information. I always like to point people to the National Cyber Security Center website when talking about VPNs because they have good advice for people unsure what to set for their tunnels. They reference the gcm suite and a legacy profile… ncsc encryption standards is a good search 👍🏼

Yes, absolutely, there is a lot of good info out there on security standards etc, and it is always good to read up on the latest recommendations, I think all videos should point out that the "click here and there" part of the narrative is simply the mechanics in making the configuration work on the platform, the type of configuration usually differs due to multiple variables that will never exist in a lab and of course even in real life my environment won't be the same as yours requirement wise. I also use ( and have contributed too) CIS and found that a lot of vendors including Palo Alto use them in their BPA mechanisms. NCSC Website www.ncsc.gov.uk/ CIS Website www.cisecurity.org/ Report a Security incident report.ncsc.gov.uk/

Thank you!

Thank you for watching !

Thank you for watching!

That is a very good point, indeed yes UDP port 80 and 443 should be blocked, I will make sure it goes into the decrypting DOH video!

@@mode4480 If I can request, address DoT and DNScrypt as in PAN-OS 10.2 Nebula and different treatment in PAN-OS 11.1.1 Cosmos. Thank you. If it gets too long. May split them into 2 videos.

Hi It is on the list to do, so watch out for it soon!

Hi No problem at all, there are two reasons why you wouldn't have URL filtering on an inbound rule, the first one is because it wouldn't really be required, if you were hosting a web server in a DMZ for instance you would tend to control access through a security rule and a NAT rule potentially controlling sessions either through session distribution NAT or a downstream loadbalancer, in any case the access would not be controlled through URL filtering, the second reason was more what I was referring to in the video, there was a bug that relied on a misconfiguration of URL filtering on inbound rules where response pages were configured, this meant an attacker could (in theory) continually make requests to the firewall using a spoofed IP of their intended victim, then with enough requests and bandwidth their victim would get continual traffic from your firewall as the firewall serves the response pages, ultimately leading to either degraded service at the victim side or DOS, and this attack would appear to come from your firewall IP. Hope that made sense, thank you again for your continued support!

@@mode4480 Thank you.