Advanced DNS Security
PAN-OS
Table of Contents
Create Domain Exceptions and Allow | Block Lists (NGFW (Managed by PAN-OS or Panorama))
NGFW (Managed by PAN-OS or Panorama)
)PAN-OS 10.0 and later releases provide
an additional option to explicitly add allowable domains through
the Anti-Spyware security profile. You can add domain/FQDN entries
for approved domain sources if they trigger a false-positive response
from DNS Security.
Create Domain Exceptions and Allow | Block Lists (PAN-OS 10.0 and later)
- Add domain signature exceptions in cases where false-positives occur.
- Select .
- Select a profile to modify.
- Addor modify the Anti-Spyware profile from which you want to exclude the threat signature, and selectDNS Exceptions.
- Search for a DNS signature to exclude by entering the name or FQDN.
- Select the checkbox for eachThreat IDof the DNS signature that you want to exclude from enforcement.
- ClickOKto save your new or modified Anti-Spyware profile.
- Add an allow list to specify a list of DNS domains / FQDNs to be explicitly allowed.
- Select .
- Select a profile to modify.
- Addor modify the Anti-Spyware profile from which you want to exclude the threat signature, and selectDNS Exceptions.
- ToAdda new FQDN allow list entry, provide the DNS domain or FQDN location and a description.
- ClickOKto save your new or modified Anti-Spyware profile.
Create Domain Exceptions and Allow | Block Lists (PAN-OS 9.1)
Allow and block lists are not available
in PAN-OS 9.1.
- Add domain signature exceptions in cases where false-positives occur.
- Select .
- Select a profile to modify.
- Addor modify the Anti-Spyware profile from which you want to exclude the threat signature, and selectDNS Signatures > Exceptions.
- Search for a DNS signature to exclude by entering the name or FQDN.
- Select theDNS Threat IDfor the DNS signature that you want to exclude from enforcement.
- ClickOKto save your new or modified Anti-Spyware profile.