Action Status For New Fixlets -- Download Failed

Sure, I can expand on it as much as I can since I’m not a network services guy.

We’re currently using Palo Alto as our hardware firewall. With the two BigFix servers on the same subnet, we aren’t using PA between them, which allowed me to push out the relay update and other software to the secondary BigFix server. Basically the only difference between the relay server and the endpoint was the Palo Alto firewall.

Within the Palo Alto web gui, there’s a monitoring page where you can look at traffic, threats, etc. I had been working on getting firewall rules for various bigfix-related things since I was seeing “denies” from the bigfix server to the endpoint I was testing with. I got all of those resolved and was able to push the bigfix client to it about a week ago via the Deploy Tool.

Today I had the network services guys look more deeply into it, and they found that Palo Alto was blocking Microsoft Portable Executable files, which is/was our default due to the more locked-down environment we have, and was marking them as “threats”.

They created exceptions for those to the endpoints in this specific environment going both ways (from server to endpoint and from endpoint to server) since the download was failing when only one way was opened up. Allowing both ways made pushing out the fixlet successful.

Hmm, if the PAN was finding the Microsoft PE files, that implies the encryption between the clients and your server may not be working correctly (the PAN shouldn’t be able to see anything more than “HTTPS on port 52311” and “UDP on port 52311”).

I’m glad you got your actions working, but I think there’s still something wrong with your connectivity that’s preventing the TLS encryption from working properly (unless you have taken measures to block encryption so the Palo Alto can inspect it).
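The two observations in this thread (the firewall classifying PE files on the BigFix port, and downloads only succeeding once both directions were excepted) can be checked from the firewall's own threat log rather than by guesswork. The script below is an added example, not code from the original posts or from BigFix or Palo Alto; the log lines are constructed and the column layout is a simplified stand-in for a PAN-OS threat log export, and the server address `10.1.1.10` is an assumed value. It flags sessions on port 52311 where the firewall reported file content (which it can only do if the payload was plaintext or decrypted by policy) and lists, per endpoint, which directions were blocked.

```python
import csv
from collections import defaultdict
from io import StringIO

BIGFIX_PORT = 52311

# Constructed sample lines; the column set is a simplified stand-in for a
# PAN-OS threat log export, not real firewall output.
SAMPLE_THREAT_LOG = """\
2024-01-10 09:01:12,10.1.1.10,10.2.5.40,52311,bigfix,file,Windows Executable (EXE),block,server-to-client
2024-01-10 09:01:13,10.2.5.40,10.1.1.10,52311,bigfix,file,Windows Executable (EXE),block,client-to-server
2024-01-10 09:02:00,10.1.1.10,10.2.5.41,52311,ssl,,,allow,client-to-server
2024-01-10 09:03:45,10.1.1.10,10.2.5.40,443,web-browsing,file,PDF,alert,server-to-client
2024-01-10 09:04:10,10.1.1.10,10.2.5.42,52311,bigfix,file,Windows Executable (EXE),alert,server-to-client
"""

FIELDS = ["time", "src", "dst", "dport", "app", "type", "content", "action", "direction"]
DIRECTIONS = {"client-to-server", "server-to-client"}


def parse_threat_log(text):
    """Parse the constructed CSV layout into a list of dicts (blank lines are skipped)."""
    return list(csv.DictReader(StringIO(text), fieldnames=FIELDS))


def visible_payload_sessions(rows, port=BIGFIX_PORT):
    """Sessions on the BigFix port where the firewall classified file content.

    A file-type verdict means the firewall saw the payload, so either TLS was
    not in effect on that session or a decryption policy was applied to it.
    """
    return [r for r in rows if int(r["dport"]) == port and r["type"] == "file"]


def blocked_directions_by_endpoint(rows, port=BIGFIX_PORT, server="10.1.1.10"):
    """Map each endpoint to the set of directions in which file content was blocked.

    `server` is the assumed BigFix server/relay address; the endpoint is
    whichever side of the session is not the server.
    """
    blocked = defaultdict(set)
    for r in visible_payload_sessions(rows, port):
        if r["action"] != "block":
            continue
        endpoint = r["dst"] if r["src"] == server else r["src"]
        blocked[endpoint].add(r["direction"])
    return dict(blocked)


def triage(rows, port=BIGFIX_PORT, server="10.1.1.10"):
    """Produce human-readable findings: one summary line plus one line per endpoint."""
    findings = []
    seen = visible_payload_sessions(rows, port)
    if seen:
        findings.append(
            f"{len(seen)} session(s) on port {port} exposed file content to the firewall; "
            f"TLS is not in effect on them or a decryption policy applies"
        )
    for endpoint, dirs in sorted(blocked_directions_by_endpoint(rows, port, server).items()):
        still_blocked = sorted(dirs)
        findings.append(
            f"{endpoint}: file downloads blocked {', '.join(still_blocked)}; "
            f"an exception is needed for each blocked direction"
        )
    return findings


if __name__ == "__main__":
    for line in triage(parse_threat_log(SAMPLE_THREAT_LOG)):
        print(line)
```

Point the parser at a real export by adjusting `FIELDS` to the column order of your log; the logic only depends on destination port, the type/content verdict, action and direction.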

I’ll have to look into that this week. I kept most of the defaults when I was setting everything up, but perhaps I didn’t enable something while setting up.

Hi Guys
Just done a PAN course, and it can be set to decrypt traffic, so that may be why it is reacting here!