Palo Alto

When doing decryption on a Palo Alto Networks Next Generation Firewall, you may find that images in Slack channels are not displayed or are only shown in a very low resolution. In addition, images cannot be uploaded. When inspecting the HTTP error messages in your browser, a 503 response may also be seen.
To top off the issue, you may also see that User-ID isn’t mapping a user against traffic from the Slack desktop application, which negates any User-ID based decryption exception you might have.

The Slack connection test tool at https://my.slack.com/help/test, while helpful, also doesn’t appear to throw any errors.

To fix this issue, you need a decryption exception custom URL rule for the files.slack.com domain (which fixes viewing images) along with the base domain for your Slack tenancy (which fixes uploads). This domain can be found by clicking the drop-down in the top left corner of the Slack client.
If you have multiple Slack tenancies, you will need an exception for each one.

As always, when making exceptions for your decryption policy, please consider how they might degrade your ability to detect malicious usage of the network – in this case, the sharing of files with unknown payloads.

For more information about Slack network usage visit: https://slack.com/intl/en-gb/help/articles/360001603387-Manage-Slack-connection-issues.
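To keep the exception as narrow as the caveat above asks, the entries in the custom URL category can be checked against the exact hosts that are needed. The following is an added example, not part of the original post or of any Palo Alto Networks tooling; the tenancy domains and configured entries are constructed samples, and it assumes `*` and `^` are the wildcard tokens used in custom URL category entries.

```python
import re

# Constructed names throughout; only files.slack.com comes from the post.
FILES_HOST = "files.slack.com"
WILDCARDS = ("*", "^")  # assumed wildcard tokens in custom URL category entries
_HOST = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def normalise(entry):
    """Lower-case an entry and drop whitespace and any trailing slash."""
    return entry.strip().lower().rstrip("/")


def expected_entries(tenancy_domains):
    """Exact hosts the exception needs: files.slack.com plus one per tenancy."""
    entries = [FILES_HOST]
    for domain in tenancy_domains:
        host = normalise(domain)
        if not _HOST.match(host):
            raise ValueError(f"not a plain hostname: {domain!r}")
        if host not in entries:
            entries.append(host)
    return entries


def audit(configured, tenancy_domains):
    """Sort configured entries into missing, too_broad and unexpected."""
    expected = expected_entries(tenancy_domains)
    findings = {"missing": [], "too_broad": [], "unexpected": []}
    present = set()
    for raw in configured:
        entry = normalise(raw)
        if any(token in entry for token in WILDCARDS):
            findings["too_broad"].append(entry)   # bypasses more than needed
        elif entry in expected:
            present.add(entry)
        else:
            findings["unexpected"].append(entry)  # not required for Slack
    findings["missing"] = [h for h in expected if h not in present]
    return findings


if __name__ == "__main__":
    configured = ["files.slack.com", "*.slack.com", "example-corp.slack.com", "cdn.example.net"]
    tenancies = ["example-corp.slack.com", "example-labs.slack.com"]
    for kind, entries in audit(configured, tenancies).items():
        print(f"{kind}: {', '.join(entries) or 'none'}")
```

Anything reported as too broad or unexpected is traffic leaving inspection without a reason given in the post, so it is worth reviewing before committing the category.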

A late one for this release of ‘from around the web’ after being on holiday for the last week – as the case always seems to be I’ve come out of the sun quite red. This week we have another step in the right direction to getting rid of passwords, some helpful templates for building a first config for a Palo Alto Networks Next Generation Firewall and an interesting (short) review of the Hubitat home automation hub.

New Azure Active Directory capabilities help you eliminate passwords at work
It’s been promised by Microsoft (and some others) for quite some time, and it looks like another leap in the right direction has been made. With FIDO2 and devices like the YubiKey, passwordless login on Windows 10 Azure AD domain joined devices is happening. Be sure to watch the video at the bottom of the page!

iron-skillet
All the options within a PAN NGFW can seem quite daunting, and while the out-of-the-box settings for security policies will help, they are far from best practice. That’s where IronSkillet comes in handy to take some of that pain away and give you a serious starting point.

Smart Home Hub – Hubitat Review
For the people who don’t have the time (or know-how) to invest in something like Home Assistant but aren’t up for relying on a connection to the ‘cloud’ for home automation, Hubitat may well be for you. I’ve been exploring home automation for quite some time (at the moment using LIFX and HomeSeer) and may well consider looking into Hubitat some more if/when I decide to expand on it.

Always remember to save your config!
As part of my new job I’ve taken on the management of a Palo Alto PA-3020, and on my list of things to do is updating the software/firmware on it. The update process itself is pretty simple in that you identify the version you are going to update to, download it, install it and then reboot the firewall at a time that will cause the least disruption to your users.

It will also be worth taking a save of your current running configuration – this can be done by going to Device > Setup > Operations, saving a named configuration snapshot and then exporting it.

At first glance there does not seem to be a way to schedule the reboot (for say 3am – something I particularly liked on my Smoothwall firewall) so for the time being I’ll have to deal with late night reboots.

Anyway, the good bit! To upgrade from 6.0.6 to 6.1.0 took 4 minutes; to then upgrade from 6.1.0 to 6.1.5 took 5 minutes 30 seconds.

For more information on the upgrade process from Palo Alto themselves visit this link – https://live.paloaltonetworks.com/docs/DOC-2092.

14/11/2018 Update

It’s firmware update time again, this time going from 7.1.14 to 7.1.21. From pressing restart it took about 2 minutes 25 seconds for a ping to the firewall’s management interface to come back, 4 minutes 20 seconds for the web interface to come back and then 5 minutes 25 seconds (in total) for internet connectivity to be restored.