End-of-Life (EoL)
Objects > Security Profiles > Anti-Spyware Profile
You can attach an Anti-Spyware profile to a Security
policy rule for detecting connections initiated by spyware and command-and-control
(C2) malware installed on systems on your network. You can choose
between two predefined Anti-Spyware profiles in a Security policy
rule. Each of these profiles has a set of predefined rules (with
threat signatures) organized by the severity of the threat; each
threat signature includes a default action that is
specified by Palo Alto Networks.
- Default—The default profile uses the default action for every signature, as specified by Palo Alto Networks when the signature is created.
- Strict—The strict profile overrides the action defined in the signature file for critical, high, and medium severity threats, and sets it to the block action. The default action is taken with low and informational severity threats.
- You can also create custom profiles. You can, for example, reduce the stringency for Anti-Spyware inspection for traffic between trusted security zones, and maximize the inspection of traffic received from the internet, or traffic sent to protected assets such as server farms.
The following tables describe the Anti-Spyware profile
settings:

Anti-Spyware Profile Settings | Description
---|---
Name | Enter a profile name (up to 31 characters). This name appears in the list of Anti-Spyware profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, periods, and underscores.
Description | Enter a description for the profile (up to 255 characters).
Shared | Select this option if you want the profile to be available to:
Disable override (Panorama only) | Select this option to prevent administrators from overriding the settings of this Anti-Spyware profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.

Rules

Anti-Spyware rules allow you to define a custom severity and action to take on any threat, on a specific threat name that contains the text you enter, and/or on a threat category, such as adware. Add a new rule, or select an existing rule and select Find Matching Signatures to filter threat signatures based on that rule.

Rules | Description
---|---
Rule Name | Specify the rule name.
Threat Name | Enter any to match all signatures, or enter text to match any signature whose name contains the entered text.
Severity | Choose a severity level (critical, high, medium, low, or informational).
Action | Choose an action for each threat. For a list of actions, see Actions in Security Profiles.
Packet Capture | Select this option if you want to capture identified packets. Select single-packet to capture one packet when a threat is detected, or select extended-capture to capture from 1 to 50 packets. Extended capture provides much more context to the threat when analyzing the threat logs. To view the packet capture, select Monitor > Logs > Threat. The extended-capture length is configured under Device > Setup > Content-ID. Packet captures only occur if the action is allow or alert; if the block action is set, the session is ended immediately.

Exceptions Tab

Allows you to change the action for a specific signature. For example, you can generate alerts for a specific set of signatures and block all packets that match all other signatures. Threat exceptions are usually configured when false positives occur. To make management of threat exceptions easier, you can add threat exceptions directly from Monitor > Logs > Threat.

Exceptions Tab | Description
---|---
Exceptions | Select Enable for each threat for which you want to assign an action, or select All to respond to all listed threats. The list depends on the selected host, category, and severity. If the list is empty, there are no threats for the current selections. Use the IP Address Exemptions column to add IP address filters to a threat exception. If IP addresses are added to a threat exception, the exception's action for that signature replaces the rule's action only when the signature is triggered by a session whose source or destination IP matches an IP in the exception. You can add up to 100 IP addresses per signature. With this option, you do not have to create a new policy rule and new vulnerability profile to create an exception for a specific IP address.
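The following is an added worked model of the profile semantics described in the Rules and Exceptions tables above (and of the predefined Default and Strict profiles); it is illustration code written for this page, not Palo Alto Networks software. It assumes rules are evaluated top-down with the first match winning, that an exception with no IP filter applies to every session, and uses constructed signature IDs, names and categories.

```python
"""Worked model of how an Anti-Spyware profile picks an action for a threat.

Added illustration, not Palo Alto Networks code. It encodes the behaviour
described in the tables: the predefined Default and Strict profiles, custom
rules matched by threat-name text ("any" matches every signature), severity
and category, and per-signature exceptions whose action replaces the rule's
action only when the session's source or destination IP is in the exception's
IP address list (an exception with no IP filter applies to every session).
Top-down rule evaluation and the signature data are assumptions of this model.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address

SEVERITIES = ("critical", "high", "medium", "low", "informational")
MAX_IP_EXEMPTIONS = 100          # limit stated in the Exceptions table


@dataclass
class Signature:
    threat_id: int
    name: str
    severity: str
    category: str
    default_action: str          # set by the vendor when the signature is created


@dataclass
class Rule:
    name: str
    threat_name: str = "any"     # "any", or text that must appear in the signature name
    severity: tuple = SEVERITIES
    category: str = "any"
    action: str = "default"      # "default" keeps the signature's own action

    def matches(self, sig: Signature) -> bool:
        if self.threat_name != "any" and self.threat_name.lower() not in sig.name.lower():
            return False
        if sig.severity not in self.severity:
            return False
        return self.category in ("any", sig.category)


@dataclass
class ThreatException:
    threat_id: int
    action: str
    ip_exemptions: list = field(default_factory=list)

    def __post_init__(self):
        if len(self.ip_exemptions) > MAX_IP_EXEMPTIONS:
            raise ValueError(f"at most {MAX_IP_EXEMPTIONS} IP addresses per signature")
        self.ip_exemptions = [ip_address(ip) for ip in self.ip_exemptions]

    def applies_to(self, src_ip: str, dst_ip: str) -> bool:
        if not self.ip_exemptions:
            return True
        return ip_address(src_ip) in self.ip_exemptions or ip_address(dst_ip) in self.ip_exemptions


def strict_action(sig: Signature) -> str:
    """Predefined Strict profile: block critical/high/medium, otherwise the default action."""
    return "block" if sig.severity in ("critical", "high", "medium") else sig.default_action


@dataclass
class Profile:
    name: str
    predefined: str = ""         # "default", "strict", or "" for a custom profile
    rules: list = field(default_factory=list)
    exceptions: list = field(default_factory=list)

    def action_for(self, sig: Signature, src_ip: str, dst_ip: str) -> str:
        if self.predefined == "default":
            return sig.default_action
        if self.predefined == "strict":
            return strict_action(sig)
        for exc in self.exceptions:              # an exception wins when its IP filter matches
            if exc.threat_id == sig.threat_id and exc.applies_to(src_ip, dst_ip):
                return exc.action
        for rule in self.rules:                  # assumption: top-down, first match wins
            if rule.matches(sig):
                return sig.default_action if rule.action == "default" else rule.action
        return sig.default_action


# Constructed sample signatures; the IDs, names and categories are made up.
ADWARE = Signature(90000001, "Example.Adware.Toolbar", "medium", "adware", "alert")
C2 = Signature(90000002, "Example.Backdoor.C2.Beacon", "critical", "command-and-control", "reset-both")


def demo() -> dict:
    """Resolve actions for the two sample signatures under three profiles."""
    custom = Profile(
        "trusted-zones",
        rules=[Rule("adware-alert-only", category="adware", action="alert"),
               Rule("everything-else", action="default")],
        # hypothetical scanner host that trips the C2 signature: alert only for that host
        exceptions=[ThreatException(C2.threat_id, "alert", ["10.1.1.50"])],
    )
    return {
        "default_adware": Profile("default", predefined="default").action_for(ADWARE, "10.1.1.5", "203.0.113.9"),
        "strict_adware": Profile("strict", predefined="strict").action_for(ADWARE, "10.1.1.5", "203.0.113.9"),
        "custom_c2_exempt_host": custom.action_for(C2, "10.1.1.50", "203.0.113.9"),
        "custom_c2_other_host": custom.action_for(C2, "10.1.1.7", "203.0.113.9"),
    }


if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case}: {action}")
```

The point the model makes concrete is the scope of an IP-filtered exception: the same C2 signature is alerted for the exempt host but keeps its reset-both default for every other host, so a false-positive fix for one machine does not weaken the profile for the rest of the zone.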

DNS Signature Tab

The DNS Signatures settings provide an additional method of identifying infected hosts on a network. These signatures detect specific DNS lookups for host names that have been associated with malware. The DNS signatures can be configured to allow, alert, sinkhole, or block when these queries are observed, just as with regular antivirus signatures. Additionally, hosts that perform DNS queries for malware domains will appear in the botnet report. DNS signatures are downloaded as part of the antivirus updates.

DNS Signature Tab | Description
---|---
External Dynamic List Domains | Allows you to select the lists for which you want to enforce an action when a DNS query occurs. By default, the list of DNS signatures provided through content updates (Palo Alto Networks DNS Signatures list) is sinkholed. The default IP address used for sinkholing belongs to Palo Alto Networks (72.5.65.111). This IP address is not static and can be modified through content updates on the firewall or Panorama. To add a new list, click Add and select the External Dynamic List of type Domain that you had created. To create a new list, see Objects > External Dynamic Lists.
Action on DNS queries | Choose an action to be taken when DNS lookups are made to known malware sites. The options are alert, allow, block, or sinkhole. The default action for Palo Alto Networks DNS signatures is sinkhole. The DNS sinkhole action provides administrators with a method of identifying infected hosts on the network using DNS traffic, even when the firewall is north of a local DNS server (that is, when the firewall cannot see the originator of the DNS query). When a threat prevention license is installed and an Anti-Spyware profile is enabled in a Security Profile, the DNS-based signatures trigger on DNS queries directed at malware domains. In a typical deployment where the firewall is north of the local DNS server, the threat log identifies the local DNS resolver as the source of the traffic rather than the actual infected host. Sinkholing malware DNS queries solves this visibility problem by forging responses to the queries directed at malicious domains, so that clients attempting to connect to malicious domains (for command-and-control, for example) instead attempt connections to an IP address specified by the administrator. Infected hosts can then be easily identified in the traffic logs, because any host that attempts to connect to the sinkhole IP is most likely infected with malware. After selecting the sinkhole action, specify an IPv4 and/or IPv6 address that will be used for sinkholing. By default, the sinkhole IP address is set to a Palo Alto Networks server. You can then use the traffic logs or build a custom report that filters on the sinkhole IP address to identify infected clients. The following sequence of events occurs when a DNS request is sinkholed: (1) Malicious software on an infected client computer sends a DNS query to resolve a malicious host on the internet. (2) The client's DNS query is sent to an internal DNS server, which then queries a public DNS server on the other side of the firewall. (3) The DNS query matches a DNS entry in the DNS signatures database, so the sinkhole action is performed on the query. (4) The infected client then attempts to start a session with the host, but uses the forged IP address instead. The forged IP address is the address defined in the Anti-Spyware profile DNS Signatures tab when the sinkhole action is selected. (5) The administrator is alerted to the malicious DNS query in the threat log, can then search the traffic logs for the sinkhole IP address, and can easily locate the client IP address that is trying to start a session with the sinkhole IP address.
Packet Capture | Select this option if you want to capture identified packets.
Threat ID | Manually enter DNS signature exceptions (range is 4000000-4999999).
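The triage step described under Action on DNS queries (the threat log blames the resolver, the traffic log reveals the client) is easier to see on data, so here is an added example written for this page rather than any Palo Alto Networks tooling. The two log excerpts are constructed and use a simplified subset of traffic and threat log columns; the resolver address 10.0.0.53, the client addresses and the threat names are made up, and the sinkhole address is the page's default, which an administrator may replace with one of their own.

```python
"""Triage of sinkholed DNS queries from firewall logs.

Added example, not Palo Alto Networks code. The logs below are constructed
and use a simplified subset of PAN-OS traffic/threat log columns. With the
firewall north of the internal resolver, the threat log names the resolver
(10.0.0.53 here) as the source of the sinkholed query, while the traffic
log shows which clients then tried to reach the sinkhole address.
"""
import csv
from collections import Counter
from io import StringIO

# Default sinkhole address listed on the page; it can change through content
# updates, and an administrator may configure a different one in the profile.
DEFAULT_SINKHOLE_IPV4 = "72.5.65.111"

# Constructed threat log: both rows come from the resolver, only one was sinkholed.
THREAT_LOG = """\
receive_time,subtype,src,dst,threat_name,action
2024-01-01 10:00:01,spyware,10.0.0.53,198.51.100.10,Suspicious DNS Query (example-c2.test),sinkhole
2024-01-01 10:00:30,spyware,10.0.0.53,198.51.100.10,Suspicious DNS Query (example-adware.test),alert
"""

# Constructed traffic log: two clients follow the forged answer to the sinkhole.
TRAFFIC_LOG = """\
receive_time,src,dst,dport,app,action
2024-01-01 10:00:02,10.1.1.7,72.5.65.111,443,ssl,allow
2024-01-01 10:00:05,10.1.1.7,72.5.65.111,80,web-browsing,allow
2024-01-01 10:00:07,10.1.1.9,72.5.65.111,443,ssl,allow
2024-01-01 10:00:09,10.1.1.12,203.0.113.20,443,ssl,allow
2024-01-01 10:01:00,10.0.0.53,198.51.100.10,53,dns,allow
"""


def parse_log(text: str) -> list:
    """Parse a CSV log export into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))


def sinkholed_queries(threat_log: str) -> list:
    """Threat-log rows where the DNS signature action was sinkhole."""
    return [row for row in parse_log(threat_log) if row["action"] == "sinkhole"]


def infected_clients(traffic_log: str, sinkhole_ips=frozenset({DEFAULT_SINKHOLE_IPV4})) -> Counter:
    """Count sessions per source IP whose destination is a sinkhole address.

    A host that tries to reach the sinkhole address acted on a forged DNS
    answer, so these sources are the clients to investigate.
    """
    hits = Counter()
    for row in parse_log(traffic_log):
        if row["dst"] in sinkhole_ips:
            hits[row["src"]] += 1
    return hits


def triage(threat_log: str, traffic_log: str, sinkhole_ips=frozenset({DEFAULT_SINKHOLE_IPV4})) -> dict:
    """Combine both logs: what the threat log shows versus who was really infected."""
    queries = sinkholed_queries(threat_log)
    return {
        "threat_log_sources": sorted({row["src"] for row in queries}),   # the resolver, not the client
        "sinkholed_domains": [row["threat_name"] for row in queries],
        "clients_to_investigate": infected_clients(traffic_log, sinkhole_ips),
    }


if __name__ == "__main__":
    result = triage(THREAT_LOG, TRAFFIC_LOG)
    print("threat log source(s):", result["threat_log_sources"])
    for client, sessions in result["clients_to_investigate"].most_common():
        print(f"{client}: {sessions} session(s) to the sinkhole")
```

Run as a script it reports the resolver as the only threat-log source and 10.1.1.7 and 10.1.1.9 as the clients to investigate. One design caveat the filter depends on: the traffic-log step only works if the client's session to the sinkhole address actually crosses the firewall (or some other logging point), so choose a sinkhole address that is routed that way rather than one the clients can reach locally.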