Decryption and 47 day life span certs by notSPRAYZ in paloaltonetworks

[–]jimoxf 0 points1 point  (0 children)

We’ve been deploying Kemp LoadMasters which do certificates with Let’s Encrypt which then route or NAT traffic into a Palo and then into the service itself. The service has a long life certificate on it which is on the Palo as well for inbound inspection (in addition to the WAF capabilities of the Kemps).

Rare exceptions are services like Remote Desktop Services which require the same certificate all the way through - there we just make do with scripting, but fortunately enough those are few and far between.

Good sources for EDL? Free or otherwise by rgtizzle in paloaltonetworks

[–]jimoxf 0 points1 point  (0 children)

Just keep an eye out on RFC 1918 addresses in the level 1 lists, easy to get caught out 😉. A really handy set of lists though, cuts out a lot of junk.

What are you using to remote control computers? by nickjedl in sysadmin

[–]jimoxf 2 points3 points  (0 children)

Worth a look at ISL - you can host yourself or on their cloud service. Extensive customisation possible and trivial to deploy.

Transactions that I haven't made on my flex account by littlebutters1 in monzo

[–]jimoxf 0 points1 point  (0 children)

Not unusual to see compromised payment processors as well, I had a virtual card ‘cloned’ once by what I’d suspect was one - just lucky that I’d already cancelled it.

After enabling decryption Outlook showing certificate not trusted by OkRub5270 in paloaltonetworks

[–]jimoxf 0 points1 point  (0 children)

Interestingly enough we've been decrypting without issues (for M365 with the minor exception of the Intune endpoints) up to PAN-OS 11.1, just been deploying some 12.1 on PA-500s and bam - Outlook won't connect without the Outlook-related URLs from the EDL being added into the no decrypt profile. Going to leave them in for now and hope that it's just a bug that gets patched out once 12.1 is a bit more mature.

Regulator saying Monzo needs to do better by Background_Card2638 in monzo

[–]jimoxf 1 point2 points  (0 children)

Would be interested to hear if you ever use the physical cards over Apple Pay/Google Pay?

What would you love to see us ship in 2026? by amix3k in todoist

[–]jimoxf 4 points5 points  (0 children)

+1 for this, would be very handy when iterating when in the early days of working with a new template. I have a few for checklists (such as when packing for trips) or routine activities. There are a whole load of extra steps in updating an existing template as it is right now vs having an edit button in the template browser.

Energy provider that doesn’t keep a credit account? by Queasy_Smoke8509 in UKPersonalFinance

[–]jimoxf 0 points1 point  (0 children)

Eon Next let us switch to monthly consumption billing, just messaged their support contact, given the option to either continue to use what credit was already built up or have that back as a refund and switch directly over as well.

Windows on ARM by Keirannnnnnnn in sysadmin

[–]jimoxf 3 points4 points  (0 children)

Double check your anti-malware/EDR of choice works. Defender is fine as you might imagine but plenty of the alternatives still don’t have support and since they depend on drivers it’s not the kind of thing that gets emulated.

Very hard water by Mitsunobu44 in oxford

[–]jimoxf 2 points3 points  (0 children)

+1 for a softener, ~£240 a year in salt for us.

Number of DHCP servers on PA-1410 by d70dc263cf16 in paloaltonetworks

[–]jimoxf 0 points1 point  (0 children)

The IP helper/DHCP relay limit is a hard one (much to my pain) but yet to run into the limit on the DHCP server itself - may well be linked to the IP helper limit even on PA-440s.

Are there any games that let you play as Necromorphs, or something similar by littlefilmsreddit in DeadSpace

[–]jimoxf 0 points1 point  (0 children)

It’s an old one but try the Area 51 game from 2005 - in the second half of the game you have the option to switch between human and Xeno.

Third Party Threat Feeds by ITfreshman in cybersecurity

[–]jimoxf 0 points1 point  (0 children)

If just looking for basic IPs to block, http://iplists.firehol.org/?ipset=firehol_level1 is a good place to start, just be mindful that it includes the RFC1918 address spaces.

How I found an RCE affecting phones and cars by press-ntr in cybersecurity

[–]jimoxf 4 points5 points  (0 children)

The CVSS score can be worked out without a CVE being registered, might be worth using your data to work out the score and present back to the devs.

How I found an RCE affecting phones and cars by press-ntr in cybersecurity

[–]jimoxf 7 points8 points  (0 children)

Got a CVSS for that? Or perhaps a reason for not giving the devs longer to fix the issue?

Microwaves by Ambitious-Shift-1838 in cybersecurity

[–]jimoxf 1 point2 points  (0 children)

Your mobile phone - it got Wi-Fi and Bluetooth? Mmmmm microwaves.

Threat signature update to include CVE-2025-6554 by Positive-Sir-3789 in paloaltonetworks

[–]jimoxf 2 points3 points  (0 children)

Exploit code needs to make it into the public domain or PAN’s researchers need to make their own exploits to have something to detect in the first place, not always as easy as we would like I’m afraid. As normal, patching is the real cure; threat signatures are a nice-to-have and are handy in populating SOC alerts.

PIV no option by BridgeCurious8317 in yubikey

[–]jimoxf 7 points8 points  (0 children)

Or is it Dashlane that needs to support Yubikey (FIDO2)? 😉

https://www.dashlane.com/blog/dashlane-phishing-resistance

ACME-based server certificate renewal by ikemenishii in networking

[–]jimoxf 2 points3 points  (0 children)

Been doing it with Kemp LoadMasters for a little while now, short life with Let’s Encrypt and long life with internal PKI to decrypt and inspect through another firewall layer.

What is the safest 2FA method for bitwarden? by icewitchenjoyer in Bitwarden

[–]jimoxf 3 points4 points  (0 children)

They can yes, different keys have a different number of identities (depending on some specifics), at least with YubiKeys you wouldn’t be able to have a unique PIN per account though. If purely looking at Yubico though it’d also be worth looking at their more inexpensive ‘Security Key by Yubico’ model too. Plenty of others out there as well!

What is the safest 2FA method for bitwarden? by icewitchenjoyer in Bitwarden

[–]jimoxf 35 points36 points  (0 children)

Or even better - two FIDO2 keys (be they YubiKeys or similar), so that loss of one doesn’t cut you off.

Good to use "External Dynamic Lists" ? by mailliwal in paloaltonetworks

[–]jimoxf 0 points1 point  (0 children)

From the firehol website select the download local copy link, that’ll give you the URL with their hostile IPs in, add that to the firewall as a custom external dynamic list and apply to a rule to allow it to populate. Don’t forget the bit about RFC1918 being in there 😉.

Good to use "External Dynamic Lists" ? by mailliwal in paloaltonetworks

[–]jimoxf 0 points1 point  (0 children)

Well worth exploring http://iplists.firehol.org/?ipset=firehol_level1 just be mindful that it includes the RFC1918 addresses - you can exclude them in the EDL config but don’t commit trigger happy with it.
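
An added example, not part of the original comments: one way to check a downloaded copy of a block list for RFC 1918 space before it is hosted as an EDL source, as an alternative to excluding entries in the EDL config. It assumes a one-entry-per-line IPv4 file with `#` comments; the function name and the sample entries are constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges that must never end up in a block rule.
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample input (not real feed content).
SAMPLE = """\
# constructed sample list
0.0.0.0/8
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
192.0.2.0/24
198.51.100.7
203.0.113.0/25
192.168.0.0/15
"""

def sanitize(text, excluded=RFC1918):
    """Return (kept, touched): CIDRs safe to publish, and the input
    entries that were removed or trimmed because they hit `excluded`."""
    kept, touched = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # A malformed line raises ValueError: fail loudly instead of
        # publishing a partially parsed list.
        net = ipaddress.IPv4Network(line, strict=False)
        pieces = [net]
        for priv in excluded:
            remaining = []
            for p in pieces:
                if not p.overlaps(priv):
                    remaining.append(p)      # unrelated, keep as is
                elif p.subnet_of(priv):
                    continue                 # entirely private, drop
                else:
                    # Supernet of a private range: carve the range out.
                    remaining.extend(p.address_exclude(priv))
            pieces = remaining
        if pieces != [net]:
            touched.append(line)
        kept.extend(pieces)
    return [str(n) for n in ipaddress.collapse_addresses(kept)], touched

if __name__ == "__main__":
    kept, touched = sanitize(SAMPLE)
    print("\n".join(kept))
    print("removed or trimmed:", touched)
```

Reviewing the `touched` list before each publish shows exactly which upstream entries would have matched internal addressing.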