DNS Security
Create Domain Exceptions and Allow | Block Lists
Table of Contents
Create Domain Exceptions and Allow | Block Lists
Where Can I Use
This? | What Do I Need? |
|---|---|
|
|
DNS Security creates threat signatures for domains
that have been analyzed by the DNS Security service. For these known
domains, the signatures are referenced when a DNS query is received.
In some cases, it might be possible that the signature has incorrectly
categorized a domain as a threat, due to certain features or qualities
present in the domain. In such circumstances, you can add signature
exceptions to bypass these false-positives. If there are known safe
domains that are categorized as malicious, such as internal domains,
you can add a list of domains that will bypass any DNS analysis.
If your organization uses third party threat feeds as part of a
comprehensive threat intelligence solution, you can also reference
those in the form of external dynamic lists (EDLs) in your DNS Security
profile.
Cloud Management
Cloud Management
- Use the credentials associated with your Palo Alto Networks support account and log in to theStrata Cloud Manageron the hub.
- Add domain overrides in cases where false-positives occur.
- Select and select a DNS Security profile to modify.
- Add OverrideorDeleteto modify the domain list entries as necessary. Each additional entry requires the domain and a description.
- ClickOKto save your modified DNS Security profile.
- Reference an external dynamic list (EDL) as part of your DNS Security profile to import third party threat feeds.
- Create an domain-based external dynamic list (). For more information about EDLs, see External Dynamic List.
- Select .
- In theExternal Dynamic Listspanel, select a domain list EDL and provide thePolicy ActionandPacket Capturesettings. InApply to Profiles, select the DNS Security profile for which you want the EDL domain list to apply to.
- Saveyour changes when you have finished making your updates.
PAN-OS & Panorama
PAN-OS 10.0 and later releases provide
an additional option to explicitly add allowable domains through
the Anti-Spyware security profile. You can add domain/FQDN entries
for approved domain sources if they trigger a false-positive response
from DNS Security.
PAN-OS 10.0 and later
- Add domain signature exceptions in cases where false-positives occur.
- Select .
- Select a profile to modify.
- Addor modify the Anti-Spyware profile from which you want to exclude the threat signature, and selectDNS Exceptions.
- Search for a DNS signature to exclude by entering the name or FQDN.
- Select the checkbox for eachThreat IDof the DNS signature that you want to exclude from enforcement.
- ClickOKto save your new or modified Anti-Spyware profile.
- Add an allow list to specify a list of DNS domains / FQDNs to be explicitly allowed.
- Select .
- Select a profile to modify.
- Addor modify the Anti-Spyware profile from which you want to exclude the threat signature, and selectDNS Exceptions.
- ToAdda new FQDN allow list entry, provide the DNS domain or FQDN location and a description.
- ClickOKto save your new or modified Anti-Spyware profile.
PAN-OS 9.1
Allow and block lists are not available
in PAN-OS 9.1.
- Add domain signature exceptions in cases where false-positives occur.
- Select .
- Select a profile to modify.
- Addor modify the Anti-Spyware profile from which you want to exclude the threat signature, and selectDNS Signatures > Exceptions.
- Search for a DNS signature to exclude by entering the name or FQDN.
- Select theDNS Threat IDfor the DNS signature that you want to exclude from enforcement.
- ClickOKto save your new or modified Anti-Spyware profile.