https://live.paloaltonetworks.com/t5/general-topics/botnet-domain-alert-in-gui/m-p/7766#M5726 <HTML><HEAD></HEAD><BODY><P>This is found under the DNS Signatures tab of the Anti-Spyware Profile:</P><P></P><P><IMG alt="botnet-domains.png" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/6404_botnet-domains.png" width="450" /> </P><P></P><P>You can configure the action and whether or not to take a packet capture.</P><P>Note that the default two profiles, "default" and "strict" cannot be modified. You will have to create a new one as you have done to modify this setting.</P><P></P><P>Hope this helps!</P><P>Greg Wesson </P></BODY></HTML> Tue, 30 Apr 2013 17:09:52 GMT gwesson 2013-04-30T17:09:52Z https://live.paloaltonetworks.com/t5/general-topics/botnet-domain-alert-in-gui/m-p/7765#M5725 <HTML><HEAD></HEAD><BODY><P><BR />Hello,</P><P></P><P>on the cli show command I see under "XX Anti spyware" profile the botnet-domains policy but I'm not able to find it on GUI under object-securityprofiles -&gt; antispyware.</P><P>Where botnet-domain behavior is configured on GUI ?</P><P></P><P>thank's .. here below the Cli output:</P><P></P><P>spyware {</P><P>&nbsp; "XX Anti Spyware" {</P><P>&nbsp;&nbsp;&nbsp; rules {</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; simple-critical {</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; severity critical;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; packet-capture no;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; threat-name any;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; category any;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; action {</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; alert;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; simple-high {</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; severity high;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; packet-capture no;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; threat-name any;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; category any;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; action {</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; alert;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; simple-medium {</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; severity medium;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; packet-capture no;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; threat-name any;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; category any;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; action {</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; alert;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; simple-low {</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; severity low;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; packet-capture no;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; threat-name any;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; category any;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; action {</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; alert;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</P><P>&nbsp;&nbsp;&nbsp; }</P><P>&nbsp;&nbsp;&nbsp; threat-exception {</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 12652 {</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; action {</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; allow;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 20000 {</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; action {</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; allow;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</P><P>&nbsp;&nbsp;&nbsp; }</P><P>&nbsp;&nbsp;&nbsp; <SPAN style="color: #ff0000;"><STRONG>botnet-domains {</STRONG></SPAN></P><P><SPAN style="color: #ff0000;"><STRONG>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; packet-capture no;</STRONG></SPAN></P><P><SPAN style="color: #ff0000;"><STRONG>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; action {</STRONG></SPAN></P><P><SPAN style="color: #ff0000;"><STRONG>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; alert;</STRONG></SPAN></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</P><P>&nbsp;&nbsp;&nbsp; }</P><P>&nbsp; }</P></BODY></HTML> Tue, 30 Apr 2013 08:38:51 GMT https://live.paloaltonetworks.com/t5/general-topics/botnet-domain-alert-in-gui/m-p/7765#M5725 helenio.sartori 2013-04-30T08:38:51Z https://live.paloaltonetworks.com/t5/general-topics/botnet-domain-alert-in-gui/m-p/7766#M5726 <HTML><HEAD></HEAD><BODY><P>This is found under the DNS Signatures tab of the Anti-Spyware Profile:</P><P></P><P><IMG alt="botnet-domains.png" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/6404_botnet-domains.png" width="450" /> </P><P></P><P>You can configure the action and whether or not to take a packet capture.</P><P>Note that the default two profiles, "default" and "strict" cannot be modified. You will have to create a new one as you have done to modify this setting.</P><P></P><P>Hope this helps!</P><P>Greg Wesson </P></BODY></HTML> Tue, 30 Apr 2013 17:09:52 GMT https://live.paloaltonetworks.com/t5/general-topics/botnet-domain-alert-in-gui/m-p/7766#M5726 gwesson 2013-04-30T17:09:52Z