To begin investigating the alert, use the threat ID
to search the Threat logs on Panorama (
From the Threat logs, you can find the IP address of the victim,
export the packet capture (PCAP) by clicking the download icon in
the log entry (the icon appears only if packet capture was enabled
in the security profile that generated the log), and review the
packet details with a network analyzer such as Wireshark. In the
HTTP case, look for a malformed or bogus HTTP Referer header, a
suspicious Host header or URL string, the User-Agent, and the IP
address and port in order to validate the incident. Data from these
PCAPs is also useful for searching for similar patterns and for
creating custom signatures or modifying the security policy to
better address the threat in the future.
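The triage described above, as an added example that is not part of the original page or Palo Alto Networks code: a standard-library libpcap parser that pulls HTTP requests out of an exported capture and applies the checks named in the text (Referer, Host, URL, User-Agent, peer IP and port). The packet, the addresses and the heuristics are constructed for the demo; they are not vendor signatures, and a real review would tune them to the environment.

```python
"""Triage an HTTP request from a PCAP exported from the Threat log.

Added example, not Palo Alto Networks code: a stdlib-only libpcap parser
that extracts HTTP requests and applies the checks named in the text.
The packet, addresses and heuristics are constructed for the demo.
"""
import socket
import struct
from urllib.parse import urlsplit

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")
HTTP_PORTS = {80, 8080}   # illustrative list of expected cleartext HTTP ports


def build_pcap(src_ip, dst_ip, src_port, dst_port, payload):
    """Constructed one-packet libpcap capture (Ethernet/IPv4/TCP); checksums
    are left at zero and the parser below does not verify them."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18,
                      65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     1, 0, 64, 6, 0, socket.inet_aton(src_ip),
                     socket.inet_aton(dst_ip))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    record_hdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return global_hdr + record_hdr + frame


def iter_tcp_payloads(pcap):
    """Yield (src_ip, src_port, dst_ip, dst_port, payload) per IPv4/TCP packet."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                  # not IPv4/TCP over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        end = 14 + struct.unpack("!H", frame[16:18])[0]   # strip Ethernet padding
        tcp = 14 + ihl
        data_off = (frame[tcp + 12] >> 4) * 4
        src_port, dst_port = struct.unpack("!HH", frame[tcp:tcp + 4])
        yield (socket.inet_ntoa(frame[26:30]), src_port,
               socket.inet_ntoa(frame[30:34]), dst_port, frame[tcp + data_off:end])


def parse_http_request(payload):
    """Return (method, path, headers) or None if the payload is not a request."""
    if not payload.startswith(HTTP_METHODS):
        return None
    lines = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line[0], request_line[1], headers


def triage(pcap):
    """Apply the checks from the text; return (flow, reason, value) findings."""
    findings = []
    for src, sport, dst, dport, payload in iter_tcp_payloads(pcap):
        req = parse_http_request(payload)
        if req is None:
            continue
        _method, path, hdr = req
        flow = f"{src}:{sport} -> {dst}:{dport}"
        ref = hdr.get("referer")
        if ref is not None:
            parts = urlsplit(ref)
            if parts.scheme not in ("http", "https") or not parts.netloc:
                findings.append((flow, "bogus Referer", ref))
        host = hdr.get("host", "")
        if not host or host.replace(".", "").isdigit():
            findings.append((flow, "suspicious Host (missing or IP literal)", host))
        if len(path) > 200 or path.lower().endswith((".exe", ".scr", ".dll")):
            findings.append((flow, "suspicious URL", path))
        if not hdr.get("user-agent", "").startswith("Mozilla/"):  # crude check
            findings.append((flow, "non-browser User-Agent", hdr.get("user-agent", "")))
        if dport not in HTTP_PORTS:
            findings.append((flow, "HTTP on non-standard port", str(dport)))
    return findings


# Constructed sample: an internal client fetching an .exe from an IP-literal host.
SAMPLE_REQUEST = (b"GET /dl/update.exe HTTP/1.1\r\n"
                  b"Host: 203.0.113.7\r\n"
                  b"User-Agent: dl-agent/1.0\r\n"
                  b"Referer: not-a-url\r\n\r\n")
SAMPLE_PCAP = build_pcap("10.1.20.45", "203.0.113.7", 49211, 8081, SAMPLE_REQUEST)

if __name__ == "__main__":
    print(*triage(SAMPLE_PCAP), sep="\n")
```

Run it as a script to see the five findings for the constructed packet; point `iter_tcp_payloads` at the bytes of a downloaded PCAP to triage a real one. Each finding names the flow so it can be matched back to the Threat log entry and used when writing a custom signature.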
If this manual review leaves you confident that the signature is
accurate, consider changing its action from alert to block for a
more aggressive response. In some cases, you may also add the
attacker IP address to an IP block list to prevent further traffic
from that address from reaching the
If you see a DNS-based spyware signature, the IP address of your
local DNS server might display as the victim address. This is often
because the firewall sits north of the local DNS server (between it
and the internet), so the recursive queries that the DNS server
forwards show the DNS server as the source IP rather than the
client that originated the request.
If you see this issue, enable the DNS Sinkhole action in the
Anti-Spyware profile attached to your security rules to identify
the infected hosts on your network. DNS sinkholing lets you control
outbound connections to malicious domains: the firewall rewrites
the DNS response so that the malicious domain resolves to an
internal IP address you define that is not in use, the sinkhole,
which never answers. When a compromised host then initiates a
connection to the malicious domain, the connection goes to the
sinkhole address instead of out to the internet, and the Traffic
log records the client's own IP as the source. Choose a sinkhole
address whose traffic must pass through the firewall (for example,
an address in a different zone from the clients); otherwise the
connections are never logged. Reviewing the Traffic logs for all
hosts that connected to the sinkhole address then lets you locate
every compromised host and take remedial action to prevent the spread.
To continue the investigation, use the attacker and victim IP
addresses to find out more:
Where is the attacker located geographically?
Is the attacker IP address an individual host or a NATed address
shared by many hosts?
Was the event caused by a user being tricked into visiting a
website, by a download, or by an email attachment?
Is the malware propagating? Are there other compromised
hosts or endpoints on the network?
Is it a zero-day vulnerability?
The log details for each log entry display the related logs for
the event. They point you to the Traffic, Threat, URL Filtering
and other logs that you can review to correlate the events that
led to the incident. For example, filter the Traffic log (
using the victim IP address as both the source and the destination
IP to get a complete picture of all the external and internal
hosts with which the victim has exchanged traffic; an unexpected
inbound connection from another internal host is worth chasing
when asking whether the malware is propagating.
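The two Traffic log reviews described on this page, finding every host that connected to the sinkhole address and filtering on one victim IP as both source and destination, as an added example that is not part of the original page or Palo Alto Networks code. The rows are a constructed, simplified CSV with only the columns the example needs (not the firewall's real export format), and the sinkhole address and host addresses are assumptions for the demo.

```python
"""Correlate Traffic log rows: which hosts hit the DNS sinkhole, and whom a
victim talked to in either direction.

Added example, not Palo Alto Networks code. The rows are a constructed,
simplified CSV with only the columns used here, not the firewall's real
export format; the sinkhole address and hosts are assumptions for the demo.
"""
import csv
import io
import ipaddress
from collections import Counter

SINKHOLE_IP = "10.10.10.10"   # assumed sinkhole address set in the Anti-Spyware profile
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample rows: two clients resolve a malicious domain to the
# sinkhole; one of them also reaches an external host on an odd port and
# receives SMB from another internal host.
TRAFFIC_LOG = """\
receive_time,src,dst,dport,app,action
2024/05/01 10:00:01,10.1.20.45,10.1.0.53,53,dns,allow
2024/05/01 10:00:02,10.1.20.45,10.10.10.10,80,web-browsing,allow
2024/05/01 10:00:05,10.1.20.77,10.10.10.10,443,ssl,allow
2024/05/01 10:00:09,10.1.20.45,203.0.113.7,8081,unknown-tcp,allow
2024/05/01 10:01:00,10.1.20.90,10.1.20.45,445,ms-ds-smb,allow
2024/05/01 10:02:00,10.1.20.12,10.1.0.53,53,dns,allow
2024/05/01 10:03:00,10.1.20.77,10.10.10.10,443,ssl,allow
"""


def load_rows(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def sinkholed_hosts(rows, sinkhole_ip=SINKHOLE_IP):
    """Clients that connected to the sinkhole, with hit counts. Because the
    firewall answered their DNS query with the sinkhole address, the source
    IP here is the real client rather than the local DNS server."""
    return dict(Counter(r["src"] for r in rows if r["dst"] == sinkhole_ip))


def peers_of(rows, ip):
    """Every host the given IP exchanged traffic with, in either direction:
    the 'source or destination equals the victim' Traffic log filter."""
    peers = []
    for r in rows:
        if r["src"] == ip:
            peers.append(("outbound", r["dst"], int(r["dport"]), r["app"]))
        elif r["dst"] == ip:
            peers.append(("inbound", r["src"], int(r["dport"]), r["app"]))
    return peers


def is_internal(ip):
    """RFC 1918 check used to split the peer list into internal and external."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


if __name__ == "__main__":
    rows = load_rows(TRAFFIC_LOG)
    print("hosts that hit the sinkhole:", sinkholed_hosts(rows))
    for direction, peer, port, app in peers_of(rows, "10.1.20.45"):
        scope = "internal" if is_internal(peer) else "external"
        print(f"10.1.20.45 {direction} {scope} {peer}:{port} ({app})")
```

In the constructed rows, the DNS-only client 10.1.20.12 never appears in the sinkhole list because its queries did not resolve to the sinkhole, while the inbound SMB session from 10.1.20.90 to the victim is exactly the kind of connection to follow up when asking whether the malware is spreading to other hosts.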