Enable Evasion Signatures
Palo Alto Networks evasion signatures detect crafted HTTP or TLS requests, and can alert to instances where a client connects to a domain other than the domain specified in a DNS query. Evasion signatures are effective only when the firewall is also enabled to act as a DNS proxy and resolve domain name queries. As a best practice, take the following steps to enable evasion signatures.
- Enable a firewall intermediate to clients and
servers to act as a DNS proxy.Configure a DNS Proxy Object, including:
- Specify the interfaces on which you want the firewall to listen for DNS queries.
- Define the DNS servers with which the firewall communicates to resolve DNS requests.
- Set up static FQDN-to-IP address entries that the firewall can resolve locally, without reaching out to DNS servers.
- Enable caching for resolved hostname-to-IP-address mappings.
- Get the latest Applications and Threats content version
(at least content version 579 or later).
- Select DeviceDynamic Updates.
- Check Now to get the latest Applications and Threats content update.
- Download and Install Applications and Threats content version 579 (or later).
- Define how the firewall should enforce traffic matched
to evasion signatures.
- Select ObjectsSecurity ProfilesAnti-Spyware and Add or modify an Anti-spyware profile.
- Select Exceptions and select Show all signatures.
- Filter signatures based on the keyword evasion.
- For all evasion signatures, set the Action to any setting other than allow or the default action (the default action is for evasion signatures is allow). For example, set the Action for signature IDs 14978 and 14984 to alert or drop.
- Click OK to save the updated Anti-spyware profile.
- Attach the Anti-spyware profile to a security policy rule: Select PoliciesSecurity, select the desired policy to modify and then click the Actions tab. In Profile Settings, click the drop-down next to Anti-Spyware and select the anti-spyware profile you just modified to enforce evasion signatures.
- Commit your changes.Click Commit.
Best Practices for Securing Your Network from Layer 4 and L...
Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions To monitor and protect your network from most Layer 4 and Layer ...
DNS Overview DNS performs a crucial role in enabling user access to network resources so that users need not remember IP addresses and individual computers ...
Objects > Security Profiles > Anti-Spyware Profile
Objects > Security Profiles > Anti-Spyware Profile You can attach an Anti-Spyware profile to a Security policy rule to detect connections initiated by spyware and ...
Configure a DNS Proxy Object
Configure a DNS Proxy Object If your firewall is to act as a DNS proxy, perform this task to configure a DNS Proxy Object . ...
Create Threat Exceptions
Create Threat Exceptions Palo Alto Networks defines a recommended default action (such as block or alert) for threat signatures. You can use a threat ID ...
Enable DNS Security
Configure your firewall to enable DNS sinkholing using the DNS security service. ...
Threat Signature Categories
Threat Signature Categories There are three types of Palo Alto Networks threat signatures, each designed to detect different types of threats as the firewall scans ...
Threat Prevention The Palo Alto Networks® next-generation firewall protects and defends your network from commodity threats and advanced persistent threats (APTs). The multi-pronged detection mechanisms ...
Configure DNS Sinkholing for a List of Custom Domains
Configure DNS Sinkholing for a List of Custom Domains To enable DNS Sinkholing for a custom list of domains, you must create an External Dynamic ...