FYI There is no way to reset the password on a PAN without doing a factory reset if you do not know the password of any previous config release version. If you do a reset then you will have to reconfigure the fw rules, ip addresses, routes, nat, inspection policy's, and other basic functions depending on if it in layer3 mode or layer2 from scratch. Also are you sure the exploit vector is from ipv6 and not from traffic that the PAN cannot see such as TLS traffic? Also are you sure IPv6 is working? You can test connectivity over IPv6 here http://test-ipv6.com/ On Tue, Jul 5, 2016 at 12:47 PM, Octavio Alvarez <octalnanog@alvarezp.org> wrote:
On 07/01/2016 07:28 PM, Edgar Carver wrote:
Is there some kind of NAT-based IPv6 firewall I can setup on the router that can help block viruses?
You need layer-7 firewalls for this. NAT-based "firewalls" (pseudo-firewalls, really) are layer-4 only. Those will not help you block typical viruses, as people will usually get infected from connecting to a compromised Website, or from an e-mail attachments. And even more, if connections are encrypted, an L7 firewall will not be able to do anything (whether IPv4 or v6) unless... better not open a can of worms.
They will just help you block *some* attack vectors, though: those that rely on starting connections to your hosts from the outside.
My guess is that, with regard to e-mail attachments and compromised Websites, IPv4 hosts are still attacked more than IPv6 ones, so, even if you turn off IPv6 you will still get attacked through IPv4.
Everything else has been already said by others: fixing the Palo Alto is still your best bet.
Good luck!
On Tue, Jul 5, 2016 at 12:45 PM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
Right. But how long is it going to take to secure the Palo Alto firewall?
around 5 minutes?
recover password, restart, log in, fix rules.
https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Reset-the-Ad...
obviously the firewall is also blocking google access! ;-)
alan