Enable Evasion Signatures

Palo Alto Networks evasion signatures detect crafted HTTP or TLS requests, and can alert to instances where a client connects to a domain other than the domain specified in a DNS query. Evasion signatures are effective only when the firewall is also enabled to act as a DNS proxy and resolve domain name queries. As a best practice, take the following steps to enable evasion signatures.
  1. Enable a firewall intermediate to clients and servers to act as a DNS proxy.
    • Specify the interfaces on which you want the firewall to listen for DNS queries.
    • Define the DNS servers with which the firewall communicates to resolve DNS requests.
    • Set up static FQDN-to-IP address entries that the firewall can resolve locally, without reaching out to DNS servers.
    • Enable caching for resolved hostname-to-IP-address mappings.
  2. Get the latest Applications and Threats content version (content version 579 or later).
    1. Select Device > Dynamic Updates.
    2. Check Now to get the latest Applications and Threats content update.
    3. Download and Install Applications and Threats content version 579 (or later).
  3. Define how the firewall should enforce traffic matched to evasion signatures.
    1. Select Objects > Security Profiles > Anti-Spyware and Add or modify an Anti-spyware profile.
    2. Select Exceptions and select Show all signatures.
    3. Filter signatures based on the keyword evasion.
    4. For all evasion signatures, set the Action to any setting other than allow or the default action (the default action for evasion signatures is allow). For example, set the Action for signature IDs 14978 and 14984 to alert or drop.
    5. Click OK to save the updated Anti-spyware profile.
    6. Attach the Anti-spyware profile to a security policy rule: Select Policies > Security, select the desired policy to modify and then click the Actions tab. In Profile Settings, click the drop-down next to Anti-Spyware and select the anti-spyware profile you just modified to enforce evasion signatures.
  4. Commit your changes.
    Click Commit.
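
The dependency on DNS proxy follows from what the check compares: the name a client resolved against the name it later presents in the HTTP Host header or TLS SNI. The sketch below is an added illustration of that comparison, not Palo Alto Networks code or signature logic; the record layouts, field names and sample values are constructed assumptions.

```python
# Added illustration; record layouts are constructed, not PAN-OS log formats.
from collections import defaultdict

# Constructed sample: answers the DNS proxy returned to each client.
DNS_ANSWERS = [
    {"client": "10.0.0.5", "qname": "updates.example.com", "ips": ["203.0.113.10"]},
    {"client": "10.0.0.5", "qname": "cdn.example.net",
     "ips": ["203.0.113.20", "203.0.113.21"]},
]

# Constructed sample: sessions with the hostname taken from HTTP Host or TLS SNI.
SESSIONS = [
    {"client": "10.0.0.5", "dst": "203.0.113.10", "host": "updates.example.com"},
    {"client": "10.0.0.5", "dst": "203.0.113.20", "host": "blocked.example.org"},
    {"client": "10.0.0.9", "dst": "203.0.113.10", "host": "updates.example.com"},
]

def normalize(name):
    """Lower-case, drop any :port and trailing dot so names compare equal."""
    return name.strip().lower().split(":")[0].rstrip(".")

def build_cache(answers):
    """Map (client, resolved IP) -> set of names that client asked for."""
    cache = defaultdict(set)
    for a in answers:
        for ip in a["ips"]:
            cache[(a["client"], ip)].add(normalize(a["qname"]))
    return cache

def classify(session, cache):
    """Return 'match', 'mismatch' or 'no-dns-record' for one session."""
    names = cache.get((session["client"], session["dst"]))
    if not names:
        # The proxy never saw this client's lookup, so there is nothing to
        # compare against; this is the gap left when DNS proxy is not enabled.
        return "no-dns-record"
    return "match" if normalize(session["host"]) in names else "mismatch"

def evaluate(sessions, answers):
    """Classify every session against the DNS answers seen by the proxy."""
    cache = build_cache(answers)
    return [(s["client"], s["dst"], s["host"], classify(s, cache)) for s in sessions]

if __name__ == "__main__":
    for row in evaluate(SESSIONS, DNS_ANSWERS):
        print(*row)
```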
