With PAN-OS 7.1.1, you can enable evasion prevention for policy rules that block or allow traffic based on URL category and/or application. Setting up this evasion prevention feature enables the firewall to check that the hostname or SNI indicated in an initial HTTP or TLS request corresponds to the destination IP address for the connecting client.
This feature is supported only with PAN-OS 7.1.1 and later release versions.
Prevent HTTP Hostname and TLS SNI Evasions
1. Install Applications and Threats content version 579 or a later version. Applications and Threats content updates require an active Threat Prevention license.
   a. Select Device > Dynamic Updates.
   b. Click Check Now to retrieve the latest Applications and Threats content update.
   c. Download and Install Applications and Threats content version 579 or a later version.
2. Upgrade the firewall to PAN-OS 7.1.1.
3. Enforce traffic matching the evasion signature IDs 14984 and 14978. The default action for both of these signatures is allow; for this feature to work, ensure that both signatures are set to any action other than allow or default.
   a. Select Objects > Security Profiles > Anti-Spyware and Add or modify an Anti-Spyware profile.
   b. Select Exceptions and select Show all signatures.
   c. Filter signatures on the keyword evasion.
   d. For signatures 14978 and 14984, set the Action to any setting other than allow and default (for example, alert or block).
   e. Click OK to save the updated Anti-Spyware profile.
   f. Attach the Anti-Spyware profile to a security policy rule: select Policies > Security, select the policy to modify, and then click the Actions tab. In Profile Settings, open the drop-down next to Anti-Spyware and select the Anti-Spyware profile that enforces the evasion signatures 14978 and 14984.
4. Enable the firewall to act as a DNS proxy. When DNS proxy is enabled, the evasion signatures that detect crafted HTTP or TLS requests can alert on instances where a client connects to a domain other than the domain specified in the original DNS request. If you do not enable DNS proxy along with the evasion signatures (Step 3), the signatures will trigger when a DNS server in a load balancing configuration returns different IP addresses (for servers hosting identical resources) to the firewall and to the client in response to the same DNS request.
5. Commit your changes.
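The following script is an added example, not Palo Alto Networks code, that models the check the evasion signatures perform: it extracts the hostname from an HTTP Host header or the SNI from a TLS ClientHello and compares it with the DNS answers the firewall knows for that name. It also models the DNS proxy caveat from Step 4, where a load-balanced DNS name answers the firewall and the client with different addresses. The ClientHello bytes, the HTTP request, the hostname www.example.com and the IP addresses 10.0.0.1, 10.0.0.2 and 203.0.113.9 are all constructed for the example, and the "known answers" dictionary is a simplified stand-in for the firewall's DNS view.

```python
"""Added example (not Palo Alto Networks code): a minimal model of the
hostname/SNI versus destination-IP check the evasion signatures perform,
including the DNS-proxy caveat. All inputs are constructed inline; nothing
is sent on the network."""
import struct

SNI_EXT_TYPE = 0  # TLS server_name extension (RFC 6066)


def build_client_hello(sni):
    """Build a minimal TLS 1.2 ClientHello record, optionally carrying an SNI extension."""
    exts = b""
    if sni is not None:
        name = sni.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name        # host_name entry
        sni_data = struct.pack("!H", len(entry)) + entry               # server_name_list
        exts += struct.pack("!HH", SNI_EXT_TYPE, len(sni_data)) + sni_data
    body = (b"\x03\x03" + b"\x11" * 32           # client_version, fixed constructed random
            + b"\x00"                             # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
            + b"\x01\x00"                         # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(data):
    """Return the SNI host_name from a TLS ClientHello record, or None if absent/malformed."""
    try:
        if data[0] != 0x16:                                   # not a handshake record
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:                                     # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                          # skip version and random
        pos += 1 + body[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                                  # compression_methods
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == SNI_EXT_TYPE and edata[2] == 0:      # name_type 0 = host_name
                name_len = struct.unpack("!H", edata[3:5])[0]
                return edata[5:5 + name_len].decode("idna")
    except (IndexError, struct.error, UnicodeError):
        pass
    return None


def parse_http_host(request):
    """Return the Host header value (port stripped) from a plaintext HTTP request, or None."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
            if host.startswith("["):                          # IPv6 literal: keep brackets
                return host.split("]")[0] + "]"
            return host.split(":")[0] or None
    return None


def check_destination(hostname, dst_ip, known_answers):
    """Compare the claimed hostname with the flow's destination IP.

    known_answers maps a hostname to the set of IPs the firewall associates with it:
    the answers it handed out as DNS proxy, or its own resolution when proxy is off.
    """
    if hostname is None:
        return "no-hostname"                                  # nothing to compare against
    key = hostname.lower().rstrip(".")
    if key not in known_answers:
        return "unknown"
    return "match" if dst_ip in known_answers[key] else "mismatch"


def dns_proxy_scenarios():
    """Model the Step 4 caveat: a load-balanced name answering with different IPs."""
    host = "www.example.com"                                  # constructed
    sni = parse_sni(build_client_hello(host))
    # Without DNS proxy the firewall resolved the name itself and got 10.0.0.1, while the
    # client was handed 10.0.0.2 by the same load-balanced DNS: a false positive.
    without_proxy = check_destination(sni, "10.0.0.2", {host: {"10.0.0.1"}})
    # With DNS proxy the firewall saw the answer the client received, so 10.0.0.2 is known.
    with_proxy = check_destination(sni, "10.0.0.2", {host: {"10.0.0.2"}})
    # A genuine evasion: the SNI names one host, but the destination was never resolved from it.
    evasion = check_destination(sni, "203.0.113.9", {host: {"10.0.0.2"}})
    return {"without_proxy": without_proxy, "with_proxy": with_proxy, "evasion": evasion}


if __name__ == "__main__":
    print(dns_proxy_scenarios())
```

The `without_proxy` result is the false positive the procedure warns about: the hostname is legitimate, but the firewall's own resolution differs from the client's, so the comparison fails. Enabling DNS proxy makes the firewall the source of the client's answer, which is what lets the `with_proxy` case pass while the real `evasion` case still fails.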