topic Re: Internal IP's hitting sinkhole policy in Next-Generation Firewall Discussions

Internal IP's hitting sinkhole policy

cdcirexx — Mon, 10 Mar 2025 17:11:38 GMT

Hello all,

We have a sinkhole configured on our PA440, and we're seeing some IP's hitting it and getting sinkholed, there's 1 endpoint that's an old NT4 legacy machine that runs on our production environment. And other ones that are windows and probably wifi endpoints like phones. I have no way of scanning the old NT4 box, and that only ran our production app made for manufacturing. The other endpoints showing on the sinkhole log that are windows 10 do have anti malware and is monitored by our mssp. Should I open a PAN support ticket and have then analyze pcaps?

Thanks in advanced.

Re: Internal IP's hitting sinkhole policy

TomYoung — Mon, 10 Mar 2025 18:01:36 GMT

Hi @cdcirexx ,

If you have Premium support on your NGFW, you could open a PANW support ticket with the Security Assurance service. https://www.paloaltonetworks.com/services/solution-assurance/premium-support

If you don't have Premium support, I do not know if they will help you.

The most common causes of DNS sinkholes in my environment have been (1) ads where a safe website redirected the user to a blocked domain, or (2) false positive such as mask.apple-dns.net which is blocked as a proxy avoidance or anonymizer. I think it is used by iCloud.

The 1st thing that you would want to do is determine the domain requested. If you do not have an internal DNS server or you have a NGFW between your user and DNS server, you can see the domain under Monitor > Logs > Threat ( action eq 'sinkhole' ). If you have an internal DNS server, the source IP address for those logs will be it. You would check the logs on the DNS server. If you have EDR software on the endpoint, it may also record the activity. Otherwise, you may need a packet capture as you mentioned.

After you determine the sinkholed domain, you will need to determine what process initiated the request. That's even harder. EDR software can help significantly.

Thanks,

Tom

Re: Internal IP's hitting sinkhole policy

cdcirexx — Mon, 10 Mar 2025 19:28:42 GMT

Hello Tomyoung,

Thanks for the reply, yeah we do have internal DNS and they show on the threat logs sinkholing a bunch of random domain names like zxxyyrf.com, I'm sure they are malicious domains. We have a mssp that's got things in place like SIEM and XDR from Fortinet, on our DC's they installed a device called Stellar cyber and it collects a bunch of logs. They said this would show up on their systems if something does come up.

So could those just be ads our internal clients are trying to reach out to? When I typed the ip address of the pan sinkhole, that's when I saw some endpoints reaching out to it. Our mssp thinks we have some kind of C2 that's reaching out to it's main hosts.

Thanks again.

Re: Internal IP's hitting sinkhole policy

OtakarKlier — Mon, 10 Mar 2025 21:39:33 GMT

Hello,

Unless required, I would lock down those systems into their own VLAN and locked down by security policies. As well as restrict access to the internet. If the systems are that old, maybe just keep blocking the traffic or find an older scanner that can scan the systems.

Regards,

Re: Internal IP's hitting sinkhole policy

TomYoung — Mon, 10 Mar 2025 21:47:28 GMT

Hi @cdcirexx ,

Those domains do not look good. They do not look like ads. @OtakarKlier has some good ideas about quarantining those devices. I would reach out to your SIEM/XDR MSSP for the next steps.

Thanks,

Tom

Re: Internal IP's hitting sinkhole policy

cdcirexx — Mon, 10 Mar 2025 22:30:46 GMT

Thanks to all the informative answers guys, I do have all my production machines in their own vlan and blocked from internet access. And after having a chat with our mssp, their advising to put a FG firewall in front of the PA440, I was trying to let them know if may not make a difference or might cause performance issues, they're concerned that the PA440 might have allowed the C2 malware in. Our company is working on getting our CMMC certification, so this is causing concern among upper management.

Re: Internal IP's hitting sinkhole policy

TomYoung — Mon, 10 Mar 2025 22:37:27 GMT

If it is a FG in L2 mode only for the incident, then fine. As long as it gets them looking at the machines. Their most pressing task is to do incident response (IR) on the machines. If they are arguing for a permanent solution, then they need to refocus on IR.

Re: Internal IP's hitting sinkhole policy

cdcirexx — Mon, 10 Mar 2025 22:44:07 GMT

Yes, I suggested to put the FG in transparent mode, I think they are agreeing on it, we'll see how it goes next week, we're supposed to meet with them on the next steps.

Re: Internal IP's hitting sinkhole policy

M.Pahlavanzadeh — Sun, 29 Mar 2026 18:47:24 GMT

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000PRR2CAO&lang=en_US