topic Re: Exception for DNS signature which is showing the ID as 0 and FQDN as un in Advanced Threat Prevention Discussions

Exception for DNS signature which is showing the ID as 0 and FQDN as unknow

CyberEye — Sun, 12 Jul 2020 15:18:13 GMT

Getting false positive for the Link tivoli.com.qa as threat name(68360795).Its getting DNS sinkholing.Can anyone help to know how we give the exception only for the threat ID 68360795 and the Fqdn is tivoli.com.qa. Attached screenshots below

Re: Exception for DNS signature which is showing the ID as 0 and FQDN as un

CyberEye — Mon, 13 Jul 2020 12:52:42 GMT

The firewall which am using shows an the signature's name as unknown signature and FQDN as showing as unknown-fqdn

Re: Exception for DNS signature which is showing the ID as 0 and FQDN as un

hisingh — Mon, 13 Jul 2020 15:38:20 GMT

Hello @CyberEye

This seems to be a signature due to DNS security. Can you post the detailed threat logs so I can confirm?

Also, this signature is been replaced that means it is not included in the current release, you should not have any issue with this signature.

Best

Himani

Re: Exception for DNS signature which is showing the ID as 0 and FQDN as un

CyberEye — Mon, 13 Jul 2020 16:43:08 GMT

Hi @hisingh

Yes the signature due to DNS security.The firewall which am using all the signatures are currently showing as unknown signature and Unknown fqdn. Attached screenshot below

Same i checked another firewall which is having same AV nd APT versions. Am also trying to give an exception for 68360795 but which also showing as unknown in my FW.

Re: Exception for DNS signature which is showing the ID as 0 and FQDN as un

hisingh — Mon, 13 Jul 2020 17:21:27 GMT

Hello,

Please share the detailed threat logs, you have shared the spyware security profile -> threat exception. I am looking for monitor->threat logs-> detailed view.

Also, this signature is replaced so you will have no issue within it.

Finally, please check this: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPdBCAW&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Best

Himani

Re: Exception for DNS signature which is showing the ID as 0 and FQDN as un

CyberEye — Mon, 13 Jul 2020 18:14:21 GMT

Hi @hisingh ,

Thanks for your reply.Please find the detailed threat log for ID 68360795

as mentioned before most 68360795 is unknow in my firewall also most of the signatures are unknown. I checked in another firewall which is having same content version and i can see the 68360795 is

visible.But same in my firewall showing as unknown.If you can check the previous screenshots related to exception you can see the ID eg: 327772845 which is also showing as unknown.For confirming please check this ID in your FW

Re: Exception for DNS signature which is showing the ID as 0 and FQDN as un

NijithPN — Tue, 14 Jul 2020 19:39:30 GMT

Did you check the threat vault connectivity from PA devices.

Test connectivity to the Threat Vault using:
> test threat-vault connection

or you can check it from System logs.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PM0BCAW

Re: Exception for DNS signature which is showing the ID as 0 and FQDN as un

CyberEye — Tue, 14 Jul 2020 19:56:16 GMT

Hi Nijith,

Thanks for your commments. Now its working after changing the DNS to public.