Evasion signatures detect sophisticated HTTP and TLS threats by identifying domain
mismatches.
Palo Alto Networks evasion signatures provide a critical layer of defense against
sophisticated threats that attempt to bypass security filters by crafting
inconsistent HTTP or TLS requests. These signatures are specifically designed to
identify and alert on instances where a client initiates a connection to a domain
that differs from the one specified in the initial DNS query. This capability is
vital for detecting advanced evasion tactics, such as domain fronting or
unauthorized tunneling, where an attacker attempts to hide malicious traffic inside
seemingly legitimate protocol handshakes.
To perform this correlation, the NGFW must maintain visibility into the client's name resolution
process. Consequently, evasion signatures are only functional when the firewall is
configured to act as a DNS proxy, allowing it to resolve the client's domain name queries and
cache the resulting name-to-address mappings, which record where the client intended to connect. By correlating the intercepted DNS request with the
subsequent application-layer traffic, the firewall can accurately identify
destination mismatches that would otherwise bypass standard pattern-matching
signatures.
As a best practice, administrators should ensure the DNS proxy feature is enabled on
the relevant interfaces before deploying evasion-specific signatures within their
Anti-Spyware or Vulnerability Protection profiles. Once the DNS proxy is active, the
firewall can cross-reference the cached DNS data with HTTP Host headers or TLS
Server Name Indication (SNI) fields. This integrated approach ensures that any
attempt to circumvent security policies through destination manipulation is logged
and mitigated in real time.