
PAN-OS 7.1 Custom DNS Signatures Block List

Posted 02-24-2016 06:32 AM, last edited 10-04-2016 07:52 PM (42,774 views)

Palo Alto Networks customers often receive third-party threat intelligence that lists malicious domains not covered by Palo Alto Networks' own signatures. A new feature in PAN-OS 7.1, supported on all devices running PAN-OS 7.1 or later, lets customers turn such a list into a custom DNS signatures block list.

Solution:

  • This new feature allows customers to add a custom list of domains to be used with the sinkhole functionality in the Anti-Spyware Profile.
  • This feature is supported on all PAN-OS devices, including M-100, M-500, and Panorama VM, running PAN-OS 7.1 or later.

Feature details:

  • A new custom DNS spyware signature is created for each item in the External Dynamic List (EDL)
    • The signature name for custom DNS sinkhole signatures is "Suspicious DNS Query (full domain name)"
    • A signature ID is assigned automatically to each item in the list, from a reserved ID range
    • Signature type will be spyware, with medium severity
  • Restrictions
    • Up to 30 EDLs of any type are supported
    • Up to 50,000 domains are supported (system-wide)
      • If there are more than 50,000 domains, the first 50,000 are taken and a system log will be generated indicating that capacity has been exceeded
      • No limit on individual lists, but aggregate of all lists cannot exceed 50,000
  • High-End Platform Capacity (PA-5000 and PA-7000)
    • Up to 30 EDLs of any type are supported
    • Maximum of 150,000 total IPs, and 50,000 total domains
  • The domain list file on the remote server must be plain text
  • One domain per line
  • If the count exceeds the platform limits, the commit will fail
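The file-format rules and the 50,000-domain aggregate limit above are easy to get wrong when lists are assembled from several threat-intelligence feeds. The following Python script is an added example and not Palo Alto Networks code: it normalizes and validates domain-list files before they are published at the URL an EDL points to, and checks the combined size of all lists against the limits this article states. The RFC 1123 label syntax check, the rejection of comment lines, and the decision to count entries per list rather than deduplicated across lists are assumptions of the example (the article documents none of these details); the sample lists are constructed and contain no real indicators.

```python
"""Validate domain-list files for a PAN-OS 7.1 domain EDL (added example, not PAN-OS code)."""
import re
from dataclasses import dataclass, field

# Limits as stated in the article for PAN-OS 7.1.
MAX_DOMAINS_SYSTEM_WIDE = 50_000   # aggregate over all domain lists
MAX_EDLS = 30                      # external dynamic lists of any type

# RFC 1123 hostname label: 1-63 alphanumerics or hyphens, no leading/trailing hyphen.
# Assumption of this example; the article does not document PAN-OS's own syntax check.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def normalize_domain(raw: str) -> str:
    """Return the lowercase FQDN without trailing dot, or raise ValueError with the reason."""
    s = raw.strip()
    if s.startswith("#"):
        raise ValueError("comment line (the article documents no comment syntax)")
    if "://" in s or "/" in s or any(c.isspace() for c in s):
        raise ValueError("not a bare domain (URL, path or embedded whitespace)")
    s = s.lower().rstrip(".")
    if len(s) > 253:
        raise ValueError("name longer than 253 characters")
    labels = s.split(".")
    if len(labels) < 2:
        raise ValueError("single-label name")
    for lbl in labels:
        if not _LABEL.match(lbl):
            raise ValueError(f"invalid label {lbl!r}")
    return s

@dataclass
class ListReport:
    name: str
    domains: list = field(default_factory=list)   # normalized, deduplicated, in file order
    rejected: list = field(default_factory=list)  # (line_no, raw_line, reason)
    duplicates: int = 0

def parse_domain_list(name: str, text: str) -> ListReport:
    """Parse one list file: one domain per line, blank lines skipped, bad lines reported."""
    rep, seen = ListReport(name), set()
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            d = normalize_domain(line)
        except ValueError as e:
            rep.rejected.append((n, line, str(e)))
            continue
        if d in seen:
            rep.duplicates += 1
            continue
        seen.add(d)
        rep.domains.append(d)
    return rep

@dataclass
class AggregateReport:
    total: int      # entries summed over lists (conservative: no cross-list dedup assumed)
    unique: int     # distinct domains across all lists
    dropped: int    # entries beyond the system-wide cap
    overlaps: dict = field(default_factory=dict)  # domain -> names of lists containing it
    warnings: list = field(default_factory=list)

def check_aggregate(reports) -> AggregateReport:
    """Apply the system-wide limits from the article to a set of parsed lists."""
    by_domain = {}
    for r in reports:
        for d in r.domains:
            by_domain.setdefault(d, []).append(r.name)
    total = sum(len(r.domains) for r in reports)
    agg = AggregateReport(total, len(by_domain), max(0, total - MAX_DOMAINS_SYSTEM_WIDE))
    agg.overlaps = {d: n for d, n in by_domain.items() if len(n) > 1}
    if len(reports) > MAX_EDLS:
        agg.warnings.append(f"{len(reports)} lists exceed the {MAX_EDLS}-EDL maximum")
    if agg.dropped:
        agg.warnings.append(f"{total:,} domains exceed the {MAX_DOMAINS_SYSTEM_WIDE:,} system-wide "
                            "limit; the firewall takes the first 50,000 and writes a system log")
    return agg

# Constructed sample lists (not real indicators): case folding, an in-file duplicate, a URL,
# a bad label, a blank line, a trailing-dot FQDN, a single-label name and a cross-list overlap.
SAMPLE_LISTS = {
    "custom-dns-block-list": "malicious.example\nMALICIOUS.example\nhttp://bad.example/path\n"
                             "bad-.example\n\nevil.example.\n",
    "partner-feed": "evil.example\nsub.evil.example\nlocalhost\n",
}

def run_sample():
    reports = [parse_domain_list(n, t) for n, t in SAMPLE_LISTS.items()]
    return reports, check_aggregate(reports)

if __name__ == "__main__":
    reports, agg = run_sample()
    for r in reports:
        print(r.name, len(r.domains), "domains; rejected:", r.rejected)
    print("aggregate:", agg)
```

Run it on the real list files in place of `SAMPLE_LISTS` before each scheduled publish; anything in `rejected` is a line the firewall may silently ignore or mis-parse, and a non-zero `dropped` means part of the feed will never be sinkholed even though the commit may succeed.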

Configuration

  • Custom DNS signature block lists are configured under Objects tab > External Dynamic Lists (formerly Dynamic Block Lists), with the type set to Domain List:

[Screenshot: edls.png]

  • Block list actions are configured under Objects tab > Anti-Spyware Profiles. Every configured External Dynamic List of type Domain List appears in the drop-down menu:

[Screenshot: anti-spyware-block-list.png]

  • Note that Palo Alto Networks DNS Signatures appear by default under External Dynamic List Domains with an action of sinkhole
  • The IPv4 sinkhole address defaults to PAN Sinkhole Default, but can be changed as desired

[Screenshot: sinkhole.png]

  • External Dynamic Lists can also be configured from the CLI:
# set shared/<vsys vsys1> external-list <tab>
... list of currently configured lists ...
<name>

# set shared/<vsys vsys1> external-list <name>
+ description description
+ url url
+ type type
> recurring recurring
<Enter> Finish input

# set shared/<vsys vsys1> external-list <name> type <tab>
domain Domain List
ip IP List


  • Anti-Spyware Profiles can also be configured from the CLI:
# set shared/<vsys vsys1> profiles spyware <profilename> <tab>
+ description description
> botnet-domains botnet-domains
> rules rules
> threat-exception threat-exception
<Enter> Finish input

# set shared/<vsys vsys1> profiles spyware AS1 botnet-domains <tab>
+ packet-capture packet-capture
> list list of domains (new option added)
> sinkhole sinkhole (sinkhole setting common to lists)
> threat-exception threat-exception
<Enter> Finish input

# set shared/<vsys vsys1> profiles spyware AS1 botnet-domains list <tab>
... completion handler picks up the relevant domain lists ...
<name>

# set shared/<vsys vsys1> profiles spyware AS1 botnet-domains list <domain list name> <tab>
action

# set shared/<vsys vsys1> profiles spyware AS1 botnet-domains list <domain list name> action <tab>
alert
allow
block
sinkhole


  • External Dynamic Lists can be manually refreshed using the following command:
> request system external-list refresh type domain name custom-dns-block-list

EDL refresh job enqueued


  • The request is queued as a job; check its status with the 'show jobs' command or under Tasks in the web UI
  • The job type is EDLRefresh
  • Download or EDL refresh failures are recorded in the system log and in ms.log

High Availability

  • The text file that maps internal threat IDs to malicious domains is recreated on the HA peers on every commit.

Comments
by bspilde
on 05-12-2016 12:04 PM

It would be spectacular if this list could be pulled from a username and password secured website!

by jasonrakers
on 05-12-2017 07:22 PM

When using an external domain list, can you use it for an allow policy rule for the specified source domains? Such as instead of specifying sinkhole, I specify allow and then apply this special security profile to an allow rule in the firewall policy. I assume not, that is, the security profile will only match on the destination for the domains in the list.
