DNS Security Administration
  • DNS Security Administration
  • Advanced DNS Security Powered by Precision AI® Documentation
  • All Documentation
>
Create Domain Exceptions and Allow | Block Lists (NGFW (Managed by PAN-OS or Panorama))
Focus
Download PDF
Focus
  1. Home
  2. Advanced DNS Security Powered by Precision AI®
  3. Configure DNS Security Subscription Services
  4. Create Domain Exceptions and Allow | Block Lists
  5. Create Domain Exceptions and Allow | Block Lists (NGFW (Managed by PAN-OS or Panorama))
Download PDF
Advanced DNS Security Powered by Precision AI®

Create Domain Exceptions and Allow | Block Lists (NGFW (Managed by PAN-OS or Panorama))

Table of Contents
PAN-OS 10.0 and later releases provide an additional option to explicitly add allowable domains through the Anti-Spyware security profile. You can add domain/FQDN entries for approved domain sources if they trigger a false-positive response from DNS Security.
  • Log in to the NGFW.
  • Add domain signature exceptions in cases where false-positives occur.
    1. Select ObjectsSecurity ProfilesAnti-Spyware.
    2. Select a profile to modify.
    3. Add or modify the Anti-Spyware profile from which you want to exclude the threat signature, and select DNS Exceptions.
    4. Search for a DNS signature to exclude by entering the name or FQDN.
    5. Select the checkbox for each Threat ID of the DNS signature that you want to exclude from enforcement.
    6. Click OK to save your new or modified Anti-Spyware profile.
  • Add an allow list to specify a list of DNS domains / FQDNs to be explicitly allowed.
    1. Select ObjectsSecurity ProfilesAnti-Spyware.
    2. Select a profile to modify.
    3. Add or modify the Anti-Spyware profile from which you want to exclude the threat signature, and select DNS Exceptions.
    4. To Add a new FQDN allow list entry, provide the DNS domain or FQDN location and a description.
    5. Click OK to save your new or modified Anti-Spyware profile.
Allow and block lists are not available in PAN-OS 9.1.
  • Log in to the NGFW.
  • Add domain signature exceptions in cases where false-positives occur.
    1. Select ObjectsSecurity ProfilesAnti-Spyware.
    2. Select a profile to modify.
    3. Add or modify the Anti-Spyware profile from which you want to exclude the threat signature, and select DNS Signatures > Exceptions.
    4. Search for a DNS signature to exclude by entering the name or FQDN.
    5. Select the DNS Threat ID for the DNS signature that you want to exclude from enforcement.
    6. Click OK to save your new or modified Anti-Spyware profile.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.