https://live.paloaltonetworks.com/t5/advanced-threat-prevention/how-to-detect-domain-fronting/m-p/486311#M1621 <P>My customer had a query how PA detects Domain Fronting in PanOS, how it is logged and how it can be mitigated.&nbsp; This document helped:&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-new-features/content-inspection-features/domain-fronting-detection" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-new-features/content-inspection-features/domain-fronting-detection</A></P> <P>&nbsp;</P> Wed, 11 May 2022 08:50:34 GMT bgriffin 2022-05-11T08:50:34Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/how-to-detect-domain-fronting/m-p/253882#M508 <P>Hi,</P><P>&nbsp;</P><P>did anyone manage to write a custom signature to detect domain fronting?</P><P>PA extracts the Host header, so in theory it should be possible to detect if the Host header is different from the URL?</P><P>&nbsp;</P><P>Alternatively, if one could log the Host header one could develop external detection logic in a SIEM.</P><P>&nbsp;</P><P>Regards,</P><P>&nbsp; &nbsp; Andreas</P> Fri, 15 Mar 2019 10:31:19 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/how-to-detect-domain-fronting/m-p/253882#M508 AndreasB 2019-03-15T10:31:19Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/how-to-detect-domain-fronting/m-p/255946#M527 <P>Check Anti-spyware signature 14984.</P> <P>Documentation is available at:</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/threat-prevention/enable-evasion-signatures" target="_blank">https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/threat-prevention/enable-evasion-signatures</A></P> Wed, 03 Apr 2019 17:53:58 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/how-to-detect-domain-fronting/m-p/255946#M527 mivaldi 2019-04-03T17:53:58Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/how-to-detect-domain-fronting/m-p/486311#M1621 <P>My customer had a query how PA detects Domain Fronting in PanOS, how it is logged and how it can be mitigated.&nbsp; This document helped:&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-new-features/content-inspection-features/domain-fronting-detection" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-new-features/content-inspection-features/domain-fronting-detection</A></P> <P>&nbsp;</P> Wed, 11 May 2022 08:50:34 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/how-to-detect-domain-fronting/m-p/486311#M1621 bgriffin 2022-05-11T08:50:34Z