Enable DNS Security
Configure your firewall to enable DNS sinkholing using the DNS Security service.
To enable DNS sinkholing for domain queries using DNS security, you must activate your DNS Security subscription, create (or modify) an Anti-Spyware policy to reference the DNS Security service, enable the sinkhole action, and attach the profile to a security policy rule.
- Activate Subscription Licenses.
- Configure DNS signature policy settings to send malware DNS queries to the defined sinkhole.
  - Select Objects > Security Profiles > Anti-Spyware.
  - Create or modify an existing profile, or select one of the existing default profiles and clone it.
  - Name the profile and, optionally, provide a description.
  - Select the DNS Signatures > Policies & Settings tab.
  - If the Palo Alto Networks DNS Security source is not present, click Add and select it from the list.
  - Select the action to take when DNS lookups are made to known malware sites for the DNS Security signature source. The options are alert, allow, block, or sinkhole. Verify that the action is set to sinkhole.
  - (Optional) In the Packet Capture drop-down, select single-packet to capture the first packet of the session or extended-capture to capture between 1 and 50 packets. You can then use the packet captures for further analysis.
  - In the DNS Sinkhole Settings section, verify that Sinkhole is enabled. For your convenience, the default Sinkhole address (sinkhole.paloaltonetworks.com) points to a Palo Alto Networks server, and Palo Alto Networks can automatically refresh this address through content updates. If you want to change the Sinkhole IPv4 or Sinkhole IPv6 address to a local server on your network or to a loopback address, see Configure the Sinkhole IP Address to a Local Server on Your Network.
  - Click OK to save the Anti-Spyware profile.
- Attach the Anti-Spyware profile to a Security policy rule.
  - Select Policies > Security.
  - Select or create a Security Policy Rule.
  - On the Actions tab, select the Log at Session End check box to enable logging.
  - In the Profile Setting section, click the Profile Type drop-down to view all profiles. From the Anti-Spyware drop-down, select the new or modified profile.
  - Click OK to save the policy rule.
- Test that the policy action is enforced.
  - Access the following test domains to verify that the policy action for a given threat type is being enforced:
  - To monitor the activity on the firewall:
    - Select ACC and add a URL Domain as a global filter to view the Threat Activity and Blocked Activity for the domain you accessed.
    - Select Monitor > Logs > Threat and filter by (action eq sinkhole) to view logs on sinkholed domains.
  - Identify Infected Traffic Hosts in the Traffic Logs.
- (Optional) Add domain signature exceptions in cases where
  - Select Objects > Security Profiles > Anti-Spyware.
  - Select a profile to modify.
  - Add or modify the Anti-Spyware profile from which you want to exclude the threat signature, and select DNS Signatures > Exceptions.
  - Search for a DNS signature to exclude by entering the name or FQDN.
  - Select the DNS Threat ID for the DNS signature that you want to exclude from enforcement.
  - Click OK to save your new or modified Anti-Spyware profile.
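The test and monitoring steps above come down to two checks: does a query for a known-malicious domain now return the sinkhole address, and which hosts then try to connect to that address. The following Python script is an added example (not Palo Alto Networks code and not tied to the PAN-OS log export format) that performs both checks over constructed, simplified log records. It assumes a local sinkhole address of 10.10.10.10 configured in the profile and an internal resolver at 10.1.1.53; the domain names and IPs are made up. It also shows why the traffic log, not the threat log, identifies the infected client: when clients query through an internal DNS server, the threat log's source is that server, while the forged answer is returned to the client, whose subsequent session to the sinkhole IP appears in the traffic log.

```python
import csv
import io
import socket
from collections import Counter

# Assumed: the sinkhole IPv4 address configured in the Anti-Spyware profile
# (here a local server, as described in the sinkhole settings step).
SINKHOLE_IPS = {"10.10.10.10"}

# Constructed, simplified log records (not the real PAN-OS CSV layout).
THREAT_FIELDS = ["time", "src", "dst", "action", "domain"]
TRAFFIC_FIELDS = ["time", "src", "dst", "dport", "action"]

# Threat log: source is the internal resolver (10.1.1.53), which forwarded
# the client's query upstream and had the firewall forge its answer.
THREAT_LOG = """\
2024-05-01T10:00:01,10.1.1.53,198.51.100.53,sinkhole,malware-test.invalid
2024-05-01T10:00:05,10.1.1.53,198.51.100.53,sinkhole,c2-example.invalid
2024-05-01T10:00:07,10.1.1.53,198.51.100.53,alert,suspicious-example.invalid
"""

# Traffic log: the clients that received the forged answer then connect to
# the sinkhole address, which is what exposes them as infected.
TRAFFIC_LOG = """\
2024-05-01T10:00:02,10.1.2.15,10.10.10.10,443,allow
2024-05-01T10:00:06,10.1.2.77,10.10.10.10,80,allow
2024-05-01T10:00:09,10.1.2.15,203.0.113.20,443,allow
"""


def parse_log(text, fields):
    """Parse comma-separated log lines into a list of dicts keyed by field name."""
    return list(csv.DictReader(io.StringIO(text), fieldnames=fields))


def sinkholed_domains(threat_rows):
    """Domains the firewall answered with the sinkhole address (action eq sinkhole)."""
    return {r["domain"] for r in threat_rows if r["action"] == "sinkhole"}


def dns_sources(threat_rows):
    """Source IPs in sinkhole threat entries. With an internal resolver in the
    path this is the resolver itself, not the infected client."""
    return {r["src"] for r in threat_rows if r["action"] == "sinkhole"}


def infected_hosts(traffic_rows, sinkhole_ips=SINKHOLE_IPS):
    """Count sessions per source IP whose destination is the sinkhole address.
    Only a client that acted on the forged DNS answer shows up here."""
    return Counter(r["src"] for r in traffic_rows if r["dst"] in sinkhole_ips)


def verify_sinkhole(domain, sinkhole_ips=SINKHOLE_IPS, resolve=socket.gethostbyname):
    """Resolve a test domain from a client behind the firewall and report whether
    the answer is the sinkhole address. `resolve` is injectable so the check can
    run offline against a fake resolver."""
    try:
        answer = resolve(domain)
    except socket.gaierror:
        return False
    return answer in sinkhole_ips


if __name__ == "__main__":
    threat = parse_log(THREAT_LOG, THREAT_FIELDS)
    traffic = parse_log(TRAFFIC_LOG, TRAFFIC_FIELDS)
    print("sinkholed domains:", sorted(sinkholed_domains(threat)))
    print("threat-log sources (likely resolvers):", sorted(dns_sources(threat)))
    for host, sessions in infected_hosts(traffic).most_common():
        print(f"infected host {host}: {sessions} session(s) to sinkhole")
```

Run as-is it works purely on the embedded records; to use it against a live setup, call `verify_sinkhole` with one of the test domains from a client that resolves through the firewall, and feed exported threat and traffic logs (mapped to the same five fields) into `parse_log`.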