Enable Evasion Signatures

Palo Alto Networks evasion signatures detect crafted HTTP or TLS requests, and can alert to instances where a client connects to a domain other than the domain specified in a DNS query. Evasion signatures are effective only when the firewall is also enabled to act as a DNS proxy and resolve domain name queries. As a best practice, take the following steps to enable evasion signatures.
  1. Enable a firewall intermediate to clients and servers to act as a DNS proxy.
    • Specify the interfaces on which you want the firewall to listen for DNS queries.
    • Define the DNS servers with which the firewall communicates to resolve DNS requests.
    • Set up static FQDN-to-IP address entries that the firewall can resolve locally, without reaching out to DNS servers.
    • Enable caching for resolved hostname-to-IP-address mappings.
  2. Get the latest Applications and Threats content version (at least content version 579 or later).
    1. Select DeviceDynamic Updates.
    2. Check Now to get the latest Applications and Threats content update.
    3. Download and Install Applications and Threats content version 579 (or later).
  3. Define how the firewall should enforce traffic matched to evasion signatures.
    1. Select ObjectsSecurity ProfilesAnti-Spyware and Add or modify an Anti-spyware profile.
    2. Select Exceptions and select Show all signatures.
    3. Filter signatures based on the keyword evasion.
    4. For all evasion signatures, set the Action to any setting other than allow or the default action (the default action is for evasion signatures is allow). For example, set the Action for signature IDs 14978 and 14984 to alert or drop.
    5. Click OK to save the updated Anti-spyware profile.
    6. Attach the Anti-spyware profile to a security policy rule: Select PoliciesSecurity, select the desired policy to modify and then click the Actions tab. In Profile Settings, click the drop-down next to Anti-Spyware and select the anti-spyware profile you just modified to enforce evasion signatures.
  4. Commit your changes.
    Click Commit.

Related Documentation