Palo Alto Networks Tips and Tricks

November 8, 2014 at 12:13 am Leave a comment

Log Headers

Brand new in version 6.1 is the ability to log several HTTP Headers.  To enable this, turn it on in your URL Filtering Profile under Settings.  There, you can check the User-Agent, Referrer, and X-Forwarded-For headers.  When you have a policy using that profile, you can see these new headers by going to Monitor > Logs > URL Filtering, and adding those new columns.

All three of these have their uses, I’m sure…  Logging the referrer would be good if you are trying to find out what site directed your CEO’s workstation to that nasty virus, for example.

User-Agent is often forged by bad actors, but I think most legitimate apps report it truthfully.  So, if you have a policy against certain types of apps on your network, this header can help you find them.

I noticed that the popular iOS app Flipboard uses this string:

Flipboard/3.0.1 CFNetwork/711.1.12 Darwin/14.0.0

Create Custom Application Signatures

I was able to use the User-Agent string I found above to create a simple Custom Application.  To do so, I went to Objects > Applications and hit Add.

I filled in the basic stuff on the Configuration Tab, left the Advanced tab at defaults and added the real magic on the Signatures tab.  I added a new signature here with a single condition.  In that condition, I’m doing a pattern-match on the http-req-headers looking for “Flipboard/*”, the beginning of the User-Agent string.  Then, I simply added it to a policy to block it.

I tested it a few minutes later, and while the Flipboard application appears to have cached what it had previously loaded, new content was denied by the Palo Alto.
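To see what the custom signature's pattern actually catches before blocking anything, here is an added example (my own Python, not a PAN-OS feature or code from the firewall) that runs the same "Flipboard/*" prefix match over a few constructed URL Filtering log rows; the column names and all addresses are assumptions.

```python
import re

# Constructed URL Filtering log rows shaped like the columns the post enables
# (User-Agent, Referer, X-Forwarded-For). Not real log data.
SAMPLE_LOGS = [
    {"src": "10.0.0.21", "url": "cdn.example/feed",
     "user_agent": "Flipboard/3.0.1 CFNetwork/711.1.12 Darwin/14.0.0",
     "referer": "", "xff": ""},
    {"src": "10.0.0.22", "url": "www.example.com/",
     "user_agent": "Mozilla/5.0 (Macintosh) Safari/537.36",
     "referer": "search.example/?q=news", "xff": ""},
    {"src": "10.0.0.23", "url": "api.example/v1",
     "user_agent": "MyFlipboard/9",   # contains the word but not at the start
     "referer": "", "xff": "192.0.2.10"},
    {"src": "10.0.0.24", "url": "cdn.example/img",
     "user_agent": "Flipboard/3.1.0 CFNetwork/711.1.12 Darwin/14.0.0",
     "referer": "", "xff": ""},
]

def glob_to_regex(pattern: str) -> re.Pattern:
    """Turn a simple wildcard pattern such as 'Flipboard/*' into an anchored
    regex: '*' matches anything, everything else is taken literally."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")

def match_user_agent(logs, pattern="Flipboard/*"):
    """Return (src, user_agent) pairs whose User-Agent fits the pattern.
    The match is anchored at the start of the header value, so a UA that only
    contains the string elsewhere is not reported; a client that lies about
    its User-Agent is not caught either, which is the caveat in the post."""
    rx = glob_to_regex(pattern)
    return [(row["src"], row["user_agent"]) for row in logs
            if rx.match(row["user_agent"])]

def hits_by_source(logs, pattern="Flipboard/*"):
    """Count matching requests per source address, so you can see which
    hosts run the app before deciding whether to block it."""
    counts = {}
    for src, _ in match_user_agent(logs, pattern):
        counts[src] = counts.get(src, 0) + 1
    return counts

if __name__ == "__main__":
    for src, ua in match_user_agent(SAMPLE_LOGS):
        print(f"{src}\t{ua}")
    print(hits_by_source(SAMPLE_LOGS))
```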

Logging Files Downloaded or Uploaded

Whether you actually want to block any files or not, it's a very good idea to create a simple File Blocking policy object strictly to log all the activity.

Go to Objects > Security Profiles > File Blocking and add a new policy.  Call it Log All, and add a rule.  For this rule, set Applications to any, File Types to Any, Direction to both (upload and download), and action to Alert.  Next, add this policy to any policy where inbound or outbound traffic might happen.  Commit the policy.

To see the results of your labor, go to Monitor > Logs > Data Filtering.  In short order, you’ll start seeing all the major types of files that your users are uploading or downloading.  Executables, PDFs, Microsoft documents, videos, sound files, etc. will all be shown.  Now, it’s not keeping a copy of them, of course, only logging who uploaded or downloaded what type of file, and usually the filename as well.

Be careful though…  The direction the file moved isn’t always obvious.  The Direction column uses “server-to-client” and “client-to-server”, which sounds clear, but in practice it isn’t.  My wife streams Pandora, which shows up as a “server-to-client” direction.  The source is listed as the Pandora server address and the destination is my wife’s iMac.  My machine had a file called “message.mp3” that was “client-to-server”, with the source being my workstation and the destination being a remote server.  After briefly going into a panic thinking my machine was recording an mp3 file occasionally and uploading it to a server, I discovered via a trace that the message.mp3 file was actually being downloaded by my machine when an event happened in iMessage.

Just logging the file transfers that are going on can be really eye-opening.

Until next time!


Entry filed under: Networking.
