<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: DNS Security and Untrust to Untrust Alerts in Advanced Threat Prevention Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-security-and-untrust-to-untrust-alerts/m-p/429326#M1279</link>
    <description>&lt;P class="_1qeIAgB0cPwnLhDF9XSiJM"&gt;So I have been running Palo Alto just shy of a year now, and as I look at my logging it occurs to me that aside from testing against EICARS I have never seen Wildfire or AV trigger "in the wild".&lt;/P&gt;
&lt;P class="_1qeIAgB0cPwnLhDF9XSiJM"&gt;My organization has full endpoint protection and the firewall has enough policies including SSL decryption that it should be protecting my users from ending up at places where they would get bad things. In addition we have a reasonably solid cyber security training program in place.&lt;/P&gt;
&lt;P class="_1qeIAgB0cPwnLhDF9XSiJM"&gt;Still I find it somewhat unbelievable this thing has never triggered. In fact not even an AV alert either. Plenty of traffic based alerts and actions though coming from the untrust zone.... but no AV alerts, no Wildfire uploads...&lt;/P&gt;
&lt;P class="_1qeIAgB0cPwnLhDF9XSiJM"&gt;What's your experience?&lt;/P&gt;
&lt;P class="_1qeIAgB0cPwnLhDF9XSiJM"&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Fri, 27 Aug 2021 17:53:57 GMT</pubDate>
    <dc:creator>Balistrerifd</dc:creator>
    <dc:date>2021-08-27T17:53:57Z</dc:date>
    <item>
      <title>DNS Security and Untrust to Untrust Alerts</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-security-and-untrust-to-untrust-alerts/m-p/422849#M1254</link>
      <description>&lt;P&gt;We are currently doing a trial of the DNS Security license on our firewalls.&amp;nbsp; After enabling I am seeing a decent amount of alerts coming into XDR for DNS Tunneling. However when looking at the alerts they are all coming in from the Intrazone Untrust rule.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Can we put an exclusion on these alerts or do we have a potential issue that we need to address, and if so how?&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JasonPeterson_0-1627517057874.png" style="width: 400px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/35305iBBB46066A06448EA/image-size/medium/is-moderation-mode/true?v=v2&amp;amp;px=400" role="button" title="JasonPeterson_0-1627517057874.png" alt="JasonPeterson_0-1627517057874.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JasonPeterson_1-1627517130124.png" style="width: 400px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/35306iA99EB4A153C5B8FE/image-size/medium/is-moderation-mode/true?v=v2&amp;amp;px=400" role="button" title="JasonPeterson_1-1627517130124.png" alt="JasonPeterson_1-1627517130124.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 29 Jul 2021 00:06:20 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-security-and-untrust-to-untrust-alerts/m-p/422849#M1254</guid>
      <dc:creator>JasonPeterson</dc:creator>
      <dc:date>2021-07-29T00:06:20Z</dc:date>
    </item>
    <item>
      <title>Re: DNS Security and Untrust to Untrust Alerts</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-security-and-untrust-to-untrust-alerts/m-p/429326#M1279</link>
      <description>&lt;P class="_1qeIAgB0cPwnLhDF9XSiJM"&gt;So I have been running Palo Alto just shy of a year now, and as I look at my logging it occurs to me that aside from testing against EICARS I have never seen Wildfire or AV trigger "in the wild".&lt;/P&gt;
&lt;P class="_1qeIAgB0cPwnLhDF9XSiJM"&gt;My organization has full endpoint protection and the firewall has enough policies including SSL decryption that it should be protecting my users from ending up at places where they would get bad things. In addition we have a reasonably solid cyber security training program in place.&lt;/P&gt;
&lt;P class="_1qeIAgB0cPwnLhDF9XSiJM"&gt;Still I find it somewhat unbelievable this thing has never triggered. In fact not even an AV alert either. Plenty of traffic based alerts and actions though coming from the untrust zone.... but no AV alerts, no Wildfire uploads...&lt;/P&gt;
&lt;P class="_1qeIAgB0cPwnLhDF9XSiJM"&gt;What's your experience?&lt;/P&gt;
&lt;P class="_1qeIAgB0cPwnLhDF9XSiJM"&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 27 Aug 2021 17:53:57 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-security-and-untrust-to-untrust-alerts/m-p/429326#M1279</guid>
      <dc:creator>Balistrerifd</dc:creator>
      <dc:date>2021-08-27T17:53:57Z</dc:date>
    </item>
    <item>
      <title>Re: DNS Security and Untrust to Untrust Alerts</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-security-and-untrust-to-untrust-alerts/m-p/429572#M1280</link>
      <description>&lt;P&gt;If you don't have WildFire uploads, it sounds like it might not be configured.&amp;nbsp; What are the settings on your WildFire analysis profile, and is that applied to your rules?&lt;/P&gt;</description>
      <pubDate>Thu, 26 Aug 2021 22:40:32 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-security-and-untrust-to-untrust-alerts/m-p/429572#M1280</guid>
      <dc:creator>JasonPeterson</dc:creator>
      <dc:date>2021-08-26T22:40:32Z</dc:date>
    </item>
    <item>
      <title>Re: DNS Security and Untrust to Untrust Alerts</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-security-and-untrust-to-untrust-alerts/m-p/429581#M1281</link>
      <description>&lt;P&gt;Alerts triggered by DNS security are part of the actions defined in your anti-spyware profile, hence following a logic that those are typically triggered by traffic coming from the intrazone (trust) to Untrust. I'd recommend investigating those alerts with TAC (open a case) before adding an exception. That could be the case of a False Positive in which case the signature triggered is modified or removed and you don't need to do anything in XDR; or could be the case of a true detection in which case the system is protecting you by blocking the access to a potentially malicious domain. In your screenshot, I can see those packets are being sinkholed so unless you are getting complaints that benign traffic is being dropped I'd consider a further investigation and discard infected hosts.&amp;nbsp;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 26 Aug 2021 23:17:12 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-security-and-untrust-to-untrust-alerts/m-p/429581#M1281</guid>
      <dc:creator>yblancovar</dc:creator>
      <dc:date>2021-08-26T23:17:12Z</dc:date>
    </item>
    <item>
      <title>Re: DNS Security and Untrust to Untrust Alerts</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-security-and-untrust-to-untrust-alerts/m-p/429582#M1282</link>
      <description>&lt;P&gt;I agree with&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/176599"&gt;@JasonPeterson&lt;/a&gt;. Antivirus and WildFire detection capabilities are focused on file analysis. So it could be that the current configuration is not analyzing every supported file type, or the firewall is not uploading samples for WildFire analysis. If I didn't see WildFire uploads, I'd have a case opened. You can also test by enabling the reporting of benign samples (Device--&amp;gt;WildFire--&amp;gt;General Settings--&amp;gt;Report Benign Files),&amp;nbsp;in which case you'd confirm that all files are analyzed.&lt;/P&gt;</description>
      <pubDate>Thu, 26 Aug 2021 23:41:01 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-security-and-untrust-to-untrust-alerts/m-p/429582#M1282</guid>
      <dc:creator>yblancovar</dc:creator>
      <dc:date>2021-08-26T23:41:01Z</dc:date>
    </item>
    <item>
      <title>Re: DNS Security and Untrust to Untrust Alerts</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-security-and-untrust-to-untrust-alerts/m-p/429669#M1283</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/176599"&gt;@JasonPeterson&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;P&gt;If you don't have WildFire uploads, it sounds like it might not be configured.&amp;nbsp; What are the settings on your WildFire analysis profile, and is that applied to your rules?&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;Exactly, I also agree with&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/176599"&gt;@JasonPeterson&lt;/a&gt;.&amp;nbsp;Thanks for the response.&lt;/P&gt;</description>
      <pubDate>Fri, 27 Aug 2021 11:27:45 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/dns-security-and-untrust-to-untrust-alerts/m-p/429669#M1283</guid>
      <dc:creator>alexander84</dc:creator>
      <dc:date>2021-08-27T11:27:45Z</dc:date>
    </item>
  </channel>
</rss>