PAN Bypass Step By Step HOWTO

1. Download pan_bypasser from here
2. Edit the sip.txt and the pan_bypass.bat to reflect the FQDN you are poisoning (e.g
3. Make sure the PAN box is at the latest version

4. Create 3 rules as follows:

• The first rule blocks access to the Facebook app.
• The second rule allows access to the internet for the LAN network.
• The third rule is the clean-up rule.

5. Test the policy and make sure access to Facebook is blocked

6. Run the file pan_bypass.bat from the client machine, effectively poisoning the cache with SIP packets

You can see that the cache was populated by running “show running application cache” on the PAN machine.

7. Now when you go to the connection should succeed

You can see that the PAN box mistakenly logged the access to as SIP packets due to the “Cache Poisoning Attack”.

Quod Erat Demonstrandum

Since the cache attack is based on destination IP address/port and not FQDN, it will be more challenging with domains that resolve dynamically (i.e
You can either resolve statically using the hosts file or run it against all the IP addresses.
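The log symptom described above (sessions recorded as SIP that are not SIP) can be turned into a detection. The following is an added example, not part of the original HOWTO or any vendor tooling: it groups allowed "sip" sessions seen on non-SIP ports by destination IP/port, the same key the cache uses. The CSV layout, field names, sample rows and the assumption that SIP is only expected on ports 5060/5061 are all constructed for illustration.

```python
import csv
from collections import defaultdict
from io import StringIO

# Assumption: legitimate SIP is only expected on its registered ports.
SIP_PORTS = {5060, 5061}

# Constructed sample in a simplified CSV layout (not a real firewall export format).
SAMPLE_LOG = """time,src,dst,dport,app,action
2024-01-01T10:00:01,10.0.0.5,203.0.113.10,443,sip,allow
2024-01-01T10:00:02,10.0.0.5,203.0.113.10,443,sip,allow
2024-01-01T10:00:09,10.0.0.7,203.0.113.10,443,sip,allow
2024-01-01T10:00:03,10.0.0.6,198.51.100.20,5060,sip,allow
2024-01-01T10:00:04,10.0.0.6,192.0.2.30,443,ssl,allow
2024-01-01T10:00:05,10.0.0.8,203.0.113.99,80,sip,deny
"""


def find_sip_port_mismatches(log_text, sip_ports=SIP_PORTS):
    """Return allowed 'sip' sessions on non-SIP ports, grouped by (dst, dport)."""
    hits = defaultdict(lambda: {"sessions": 0, "sources": set()})
    for row in csv.DictReader(StringIO(log_text)):
        # Only sessions that were classified as SIP and let through matter here.
        if row["app"].lower() != "sip" or row["action"].lower() != "allow":
            continue
        port = int(row["dport"])
        if port in sip_ports:
            continue
        entry = hits[(row["dst"], port)]
        entry["sessions"] += 1
        entry["sources"].add(row["src"])
    return dict(hits)


def report(hits):
    """Format one line per suspicious destination for an analyst to review."""
    return [
        f"{dst}:{port} sessions={info['sessions']} "
        f"sources={','.join(sorted(info['sources']))}"
        for (dst, port), info in sorted(hits.items())
    ]


if __name__ == "__main__":
    for line in report(find_sip_port_mismatches(SAMPLE_LOG)):
        print(line)
```

A destination that several internal clients reach as "sip" on a web port is worth comparing against the firewall's application cache contents for that IP/port.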