https://live.paloaltonetworks.com/t5/advanced-threat-prevention/severity-high-and-medium-action-are-getting-allow-instead-of/m-p/365640#M984 <P>URL's are HTTP traffic, so they don't get sinkholed. URL's are subject to URL Filtering.</P> <P>Sinkhole is applied to domains, which is DNS traffic.</P> <P>&nbsp;</P> <P>Please open a Support case so we can work with you and understand the question better.</P> <P>We can come back to this post at the end of the case to share our findings with the community.</P> Wed, 25 Nov 2020 18:40:34 GMT mivaldi 2020-11-25T18:40:34Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/severity-high-and-medium-action-are-getting-allow-instead-of/m-p/364185#M978 <P>Hi All,</P><P>After upgrade to 9.1.5, i noticed the Severity level high and medium threat actions are allowed and some of them are getting sinkhole. Please let us know if anyone knows why it's getting alert instead of the block in high severity. Attached screenshots</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DNS-Issue-Not block.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/28717i03BDE17C490B9529/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="DNS-Issue-Not block.png" alt="DNS-Issue-Not block.png" /></span></P> Thu, 19 Nov 2020 16:04:02 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/severity-high-and-medium-action-are-getting-allow-instead-of/m-p/364185#M978 CyberEye 2020-11-19T16:04:02Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/severity-high-and-medium-action-are-getting-allow-instead-of/m-p/364596#M979 <P>The Severity based rules are for Anti-Spyware. There is no Severity based rules for Anti-Spyware DNS.</P> <P>For Anti-Spyware DNS, you define actions based on Content DNS signatures, DNS Security DNS Categories, or EDL's of type Domain.</P> <P>&nbsp;</P> Fri, 20 Nov 2020 20:36:33 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/severity-high-and-medium-action-are-getting-allow-instead-of/m-p/364596#M979 mivaldi 2020-11-20T20:36:33Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/severity-high-and-medium-action-are-getting-allow-instead-of/m-p/364615#M980 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/34186">@mivaldi</a>&nbsp;thanks for reply.</P><P>&nbsp;</P><P>So is this expected behaviour? The same url it's getting sinkhole alternatively. I cross checked same in other firewall which is running 9.0 os and confirmed all the high, Medium and critical named as DGA Domain and spyware type are sinkholed.</P> Fri, 20 Nov 2020 21:10:20 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/severity-high-and-medium-action-are-getting-allow-instead-of/m-p/364615#M980 CyberEye 2020-11-20T21:10:20Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/severity-high-and-medium-action-are-getting-allow-instead-of/m-p/365640#M984 <P>URL's are HTTP traffic, so they don't get sinkholed. URL's are subject to URL Filtering.</P> <P>Sinkhole is applied to domains, which is DNS traffic.</P> <P>&nbsp;</P> <P>Please open a Support case so we can work with you and understand the question better.</P> <P>We can come back to this post at the end of the case to share our findings with the community.</P> Wed, 25 Nov 2020 18:40:34 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/severity-high-and-medium-action-are-getting-allow-instead-of/m-p/365640#M984 mivaldi 2020-11-25T18:40:34Z