Create Domain Exceptions and Allow | Block Lists
Focus
Focus
DNS Security

Create Domain Exceptions and Allow | Block Lists

Table of Contents

Create Domain Exceptions and Allow | Block Lists

Where Can I Use This?
What Do I Need?
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS or Panorama Managed)
  • VM-Series
  • CN-Series Firewall
  • DNS Security License
  • Advanced Threat Prevention or Threat Prevention License
DNS Security creates threat signatures for domains that have been analyzed by the DNS Security service. For these known domains, the signatures are referenced when a DNS query is received. In some cases, it might be possible that the signature has incorrectly categorized a domain as a threat, due to certain features or qualities present in the domain. In such circumstances, you can add signature exceptions to bypass these false-positives. If there are known safe domains that are categorized as malicious, such as internal domains, you can add a list of domains that will bypass any DNS analysis. If your organization uses third party threat feeds as part of a comprehensive threat intelligence solution, you can also reference those in the form of external dynamic lists (EDLs) in your DNS Security profile.

Cloud Management

  1. Use the credentials associated with your Palo Alto Networks support account and log in to the
    Strata Cloud Manager
    on the hub.
  2. Add domain overrides in cases where false-positives occur.
    1. Select
      Manage
      Configuration
      NGFW and
      Prisma Access
      Security Services
      DNS Security
      and select a DNS Security profile to modify.
    2. Add Override
      or
      Delete
      to modify the domain list entries as necessary. Each additional entry requires the domain and a description.
    3. Click
      OK
      to save your modified DNS Security profile.
  3. Reference an external dynamic list (EDL) as part of your DNS Security profile to import third party threat feeds.
    1. Create an domain-based external dynamic list (
      Manage
      Configuration
      NGFW and
      Prisma Access
      Objects
      External Dynamic Lists
      ). For more information about EDLs, see External Dynamic List.
    2. Select
      Manage
      Configuration
      NGFW and
      Prisma Access
      Security Services
      DNS Security
      .
    3. In the
      External Dynamic Lists
      panel, select a domain list EDL and provide the
      Policy Action
      and
      Packet Capture
      settings. In
      Apply to Profiles
      , select the DNS Security profile for which you want the EDL domain list to apply to.
    4. Save
      your changes when you have finished making your updates.

PAN-OS & Panorama

PAN-OS 10.0 and later releases provide an additional option to explicitly add allowable domains through the Anti-Spyware security profile. You can add domain/FQDN entries for approved domain sources if they trigger a false-positive response from DNS Security.

PAN-OS 10.0 and later

  • Add domain signature exceptions in cases where false-positives occur.
    1. Select
      Objects
      Security Profiles
      Anti-Spyware
      .
    2. Select a profile to modify.
    3. Add
      or modify the Anti-Spyware profile from which you want to exclude the threat signature, and select
      DNS Exceptions
      .
    4. Search for a DNS signature to exclude by entering the name or FQDN.
    5. Select the checkbox for each
      Threat ID
      of the DNS signature that you want to exclude from enforcement.
    6. Click
      OK
      to save your new or modified Anti-Spyware profile.
  • Add an allow list to specify a list of DNS domains / FQDNs to be explicitly allowed.
    1. Select
      Objects
      Security Profiles
      Anti-Spyware
      .
    2. Select a profile to modify.
    3. Add
      or modify the Anti-Spyware profile from which you want to exclude the threat signature, and select
      DNS Exceptions
      .
    4. To
      Add
      a new FQDN allow list entry, provide the DNS domain or FQDN location and a description.
    5. Click
      OK
      to save your new or modified Anti-Spyware profile.

PAN-OS 9.1

Allow and block lists are not available in PAN-OS 9.1.
  • Add domain signature exceptions in cases where false-positives occur.
    1. Select
      Objects
      Security Profiles
      Anti-Spyware
      .
    2. Select a profile to modify.
    3. Add
      or modify the Anti-Spyware profile from which you want to exclude the threat signature, and select
      DNS Signatures > Exceptions
      .
    4. Search for a DNS signature to exclude by entering the name or FQDN.
    5. Select the
      DNS Threat ID
      for the DNS signature that you want to exclude from enforcement.
    6. Click
      OK
      to save your new or modified Anti-Spyware profile.

Recommended For You