https://live.paloaltonetworks.com/t5/general-topics/blocking-punycode-urls/m-p/299990#M78442 <P>We have PA-820's and I have been looking for a way to leverage them to block punycode attacks.&nbsp; In fact, we'd be pretty OK with blocking punycode URLs altogether.&nbsp; I just haven't been able to puzzle out a way to do it.&nbsp; If I add xn--* to the URL filter block list, it complains that I have multiple wildcards.&nbsp; If it add just xn-- the firewall accepts it, but it just doesn't work, nothing is blocked.&nbsp; It was the same result when I tried to create a custom URL category.&nbsp; Is this something that can even be done at the firewall level, or should I look to address this on the DNS side?</P> Thu, 21 Nov 2019 17:31:38 GMT g2o-admin 2019-11-21T17:31:38Z https://live.paloaltonetworks.com/t5/general-topics/blocking-punycode-urls/m-p/299990#M78442 <P>We have PA-820's and I have been looking for a way to leverage them to block punycode attacks.&nbsp; In fact, we'd be pretty OK with blocking punycode URLs altogether.&nbsp; I just haven't been able to puzzle out a way to do it.&nbsp; If I add xn--* to the URL filter block list, it complains that I have multiple wildcards.&nbsp; If it add just xn-- the firewall accepts it, but it just doesn't work, nothing is blocked.&nbsp; It was the same result when I tried to create a custom URL category.&nbsp; Is this something that can even be done at the firewall level, or should I look to address this on the DNS side?</P> Thu, 21 Nov 2019 17:31:38 GMT https://live.paloaltonetworks.com/t5/general-topics/blocking-punycode-urls/m-p/299990#M78442 g2o-admin 2019-11-21T17:31:38Z https://live.paloaltonetworks.com/t5/general-topics/blocking-punycode-urls/m-p/300029#M78447 <P>Hello,</P><P>I am going to assume this is for outbound traffic. If yes then there are several things to do in conjunction.</P><P>In your Vulnerability profile, enable DNSSink hole.&nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGECA0" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGECA0</A></P><P>&nbsp;</P><P>Next I would block by web category, blocking the obvious bad stuff.</P><P>abused-drugs, adult, alcohol-tobacco, command and control, copyright-infingment, crypto-currency, dynamic-dns, hacking, high-risk, insufficient-content, malware, medium-risk, newly-registered-domin, not-resolved, parked, phishing, private-ip-address, proxy avoidance and anonymizers, questionable, shareware and freeware, unknown, web-advertisements</P><P>&nbsp;</P><P>Externally have only your DNS servers be able to go our and get external DNS requests. Also use a secure service such as OpenDNS, cloudflare, Quad9, etc. And block the end users from exiting your environment over DNS externally.</P><P>&nbsp;</P><P>Setup external dynamic lists, along with the PAN builtin ones, i have the following setup.</P><P><A href="https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/external-dynamic-list" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/external-dynamic-list</A></P><P>Source on PAN support:</P><P><A href="https://live.paloaltonetworks.com/message/54183#54183" target="_blank" rel="noopener">https://live.paloaltonetworks.com/message/54183#54183</A></P><P>&nbsp;</P><P>Sans notes on this:</P><P><A href="https://isc.sans.edu/forums/diary/Subscribing+to+the+DShield+Top+20+on+a+Palo+Alto+Networks+Firewall/19365/" target="_blank" rel="noopener">https://isc.sans.edu/forums/diary/Subscribing+to+the+DShield+Top+20+on+a+Palo+Alto+Networks+Firewall/19365/</A></P><P>&nbsp;</P><P>Others listed on this site:</P><P><A href="http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt" target="_blank" rel="noopener">http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt</A></P><P><A href="http://malc0de.com/bl/IP_Blacklist.txt" target="_blank" rel="noopener">http://malc0de.com/bl/IP_Blacklist.txt</A></P><P><A href="http://panwdbl.appspot.com/lists/openbl.txt" target="_blank" rel="noopener">http://panwdbl.appspot.com/lists/openbl.txt</A></P><P><A href="http://panwdbl.appspot.com/" target="_blank" rel="noopener">http://panwdbl.appspot.com/</A></P><P><A href="http://cinsscore.com/list/ci-badguys.txt" target="_blank" rel="noopener">http://cinsscore.com/list/ci-badguys.txt</A></P><P>&nbsp;</P><P>Make sure you are performing SSL decrypt to ensure you are seeing the traffic.</P><P>&nbsp;</P><P>This should get you started and not having to use a wildcard to block everything.</P><P>&nbsp;</P><P>Regards,</P> Thu, 21 Nov 2019 20:44:41 GMT https://live.paloaltonetworks.com/t5/general-topics/blocking-punycode-urls/m-p/300029#M78447 OtakarKlier 2019-11-21T20:44:41Z