PAN-OS 7.1 Custom DNS Signatures Block List

Posted 02-24-2016 06:32 AM, edited 10-04-2016 07:52 PM (47,093 views)

Palo Alto Networks customers may receive third-party threat intelligence that contains malicious domains not covered by Palo Alto Networks' own DNS signatures. Starting with PAN-OS 7.1, customers can turn such a list into a custom DNS signature block list, so that DNS queries for those domains are sinkholed, blocked, or alerted on by the Anti-Spyware profile.

Solution:

  • This feature lets customers add a custom list of domains that is used with the sinkhole functionality in the Anti-Spyware profile.
  • It is supported on all devices running PAN-OS 7.1 or later, including the M-100, M-500, and Panorama VM.

Feature details:

  • A custom DNS spyware signature is created for each entry in the External Dynamic List (EDL)
    • The signature name for a custom DNS sinkhole signature is "Suspicious DNS Query (full domain name)"
    • A signature ID is allocated automatically for each entry, from a reserved ID range
    • The signature type is spyware, with medium severity
  • Restrictions
    • Up to 30 EDLs of any type are supported
    • Up to 50,000 domains are supported system-wide
      • There is no limit on an individual list, but the aggregate of all domain lists cannot exceed 50,000
      • If more than 50,000 domains are configured, only the first 50,000 are used and a system log is generated indicating that capacity has been exceeded
    • If the count exceeds the platform limits, the commit will fail
  • High-end platform capacity (PA-5000 and PA-7000)
    • Up to 30 EDLs of any type are supported
    • Maximum of 150,000 total IPs and 50,000 total domains
  • File format on the remote server
    • The domain list must be a plain text file
    • One domain per line
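
The following is an added example, not code from the original article or from Palo Alto Networks: it takes a third-party feed in a messy but typical shape (comments, full URLs, mixed case, trailing dots, IP literals, duplicates) and produces the plain-text, one-domain-per-line file the Domain-type EDL expects, then models the system-wide 50,000-domain cap described above so the operator sees what would be silently dropped before committing. The sample feed and list names are constructed for the example; the order in which the firewall fills the 50,000 budget across several lists is not stated in the article, so the model processes lists in the order given.

```python
"""Normalize a third-party domain feed into a PAN-OS 7.1 Domain EDL file.

Added example, not part of the original article. The feed below is
constructed; the 30-EDL and 50,000-domain limits come from the article.
"""
from __future__ import annotations

import re
from typing import Optional
from urllib.parse import urlsplit

MAX_DOMAINS_SYSTEM_WIDE = 50_000  # aggregate across all domain lists (article)
MAX_EDLS = 30                     # EDLs of any type (article)

# One DNS label: letters, digits, hyphen; no leading/trailing hyphen; max 63 chars.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def normalize_domain(token: str) -> Optional[str]:
    """Return the canonical FQDN for one feed line, or None if it is not a usable domain."""
    token = token.strip().lower()
    if not token or token.startswith(("#", ";", "//")):
        return None                                  # blank line or comment
    if "://" in token:                               # some feeds ship full URLs: keep the host
        token = urlsplit(token).hostname or ""
    parts = token.split()                            # drop inline comments after whitespace
    if not parts:
        return None
    token = parts[0].rstrip(".")                     # trailing root dot is not wanted in the list
    if _IPV4.match(token):
        return None                                  # IPs belong in an IP-type EDL, not a domain list
    labels = token.split(".")
    if len(labels) < 2 or len(token) > 253:
        return None
    if not all(_LABEL.match(label) for label in labels):
        return None
    return token


def normalize_feed(text: str) -> list[str]:
    """Normalize and de-duplicate a feed, keeping first-seen order (order matters for the cap)."""
    seen: set[str] = set()
    out: list[str] = []
    for line in text.splitlines():
        domain = normalize_domain(line)
        if domain and domain not in seen:
            seen.add(domain)
            out.append(domain)
    return out


def render_edl_file(domains: list[str]) -> str:
    """Plain text, one domain per line, LF-terminated, as the EDL fetcher expects."""
    return "".join(d + "\n" for d in domains)


def apply_system_cap(lists: dict[str, list[str]]) -> tuple[dict[str, list[str]], list[str]]:
    """Model the firewall behaviour: across all domain lists only the first 50,000 entries are used.

    Returns (kept_per_list, dropped). Lists are consumed in the order given (assumption).
    """
    if len(lists) > MAX_EDLS:
        raise ValueError(f"{len(lists)} EDLs configured, limit is {MAX_EDLS}")
    budget = MAX_DOMAINS_SYSTEM_WIDE
    kept: dict[str, list[str]] = {}
    dropped: list[str] = []
    for name, domains in lists.items():
        kept[name] = domains[:budget]
        dropped.extend(domains[budget:])
        budget = max(0, budget - len(domains))
    return kept, dropped


# Constructed sample feed (not a real threat list) exercising the cases above.
SAMPLE_FEED = """\
# vendor feed, constructed for this example
Evil.Example.
http://dropper.example/path/payload.exe
dropper.example            ; duplicate once normalized
192.0.2.10
bad_host.example
c2.example.net
"""

if __name__ == "__main__":
    domains = normalize_feed(SAMPLE_FEED)
    kept, dropped = apply_system_cap({"custom-dns-block-list": domains})
    print(render_edl_file(kept["custom-dns-block-list"]), end="")
    print(f"# {len(dropped)} domain(s) would exceed the system-wide cap")
```

Publish the rendered text on the HTTP server the EDL points at; re-run the script whenever the upstream feed changes, and treat a non-empty `dropped` list as a signal to trim or split feeds rather than rely on the firewall's truncation.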

Configuration

  • Custom DNS signature block lists are configured under Objects > External Dynamic Lists (formerly Dynamic Block Lists), with the list type set to Domain List:

[screenshot: edls.png]

  • Block list actions are configured in Objects > Anti-Spyware Profiles. Every configured External Dynamic List of type Domain appears in the drop-down menu:

[screenshot: anti-spyware-block-list.png]

  • Note that the Palo Alto Networks DNS Signatures entry appears by default under External Dynamic List Domains with an action of sinkhole
  • The IPv4 sinkhole address defaults to PAN Sinkhole Default, but can be changed as desired

[screenshot: sinkhole.png]

  • External Dynamic Lists can also be configured from the CLI (use "shared" for a shared object, or "vsys vsys1" for a vsys-scoped one):
# set shared/<vsys vsys1> external-list <tab>
- list of currently configured lists
<name>

# set shared/<vsys vsys1> external-list <name>
+ description description
+ url url
+ type type
> recurring recurring
<Enter> Finish input

# set shared/<vsys vsys1> external-list <name> type <tab>
domain Domain List
ip IP List

  • Anti-Spyware Profiles can also be configured from the CLI (the domain lists live under botnet-domains):
# set shared/<vsys vsys1> profiles spyware <profilename> <tab>
+ description description
> botnet-domains botnet-domains
> rules rules
> threat-exception threat-exception
<Enter> Finish input

# set shared/<vsys vsys1> profiles spyware AS1 botnet-domains <tab>
+ packet-capture packet-capture
> list list of domains (new option in PAN-OS 7.1)
> sinkhole sinkhole (sinkhole setting common to all lists)
> threat-exception threat-exception
<Enter> Finish input

# set shared/<vsys vsys1> profiles spyware AS1 botnet-domains list <tab>
... completion shows the configured Domain-type External Dynamic Lists ...
<name>

# set shared/<vsys vsys1> profiles spyware AS1 botnet-domains list <domain list name> <tab>
action

# set shared/<vsys vsys1> profiles spyware AS1 botnet-domains list <domain list name> action <tab>
alert
allow
block
sinkhole
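
The script below is an added example, not from the original article and not a Palo Alto Networks tool: it assembles the configure-mode commands from the CLI tree above into one complete, reviewable sequence for a Domain-type EDL bound to an Anti-Spyware profile, validating each value against the tab-completion output shown (type domain/ip; action alert/allow/block/sinkhole; at most 30 EDLs) and appending the manual refresh command. The list name, profile name and URL are constructed. Two things are assumed rather than shown on this page: "recurring hourly" as a valid recurring value, and "commit" as the usual PAN-OS configure-mode commit.

```python
"""Render a PAN-OS 7.1 CLI sequence for a custom DNS signature block list.

Added example, not part of the original article. Values are validated
against the tab-completion output shown in the article; the recurring
value and the commit step are assumptions, noted inline.
"""
from __future__ import annotations

import re

EDL_TYPES = {"domain", "ip"}                               # set ... external-list <name> type <tab>
DNS_LIST_ACTIONS = {"alert", "allow", "block", "sinkhole"}  # ... botnet-domains list <name> action <tab>
MAX_EDLS = 30                                               # EDLs of any type, from the article
_SCOPE = re.compile(r"^(shared|vsys vsys\d+)$")              # "shared" or a vsys-scoped object
_NAME = re.compile(r"^[A-Za-z0-9._-]+$")                     # keep names free of shell/CLI metacharacters


def edl_commands(scope: str, name: str, url: str, recurring: str = "hourly") -> list[str]:
    """Commands that create one External Dynamic List of type domain."""
    if not _SCOPE.match(scope):
        raise ValueError(f"scope must be 'shared' or 'vsys vsysN', got {scope!r}")
    if not _NAME.match(name):
        raise ValueError(f"unsafe list name {name!r}")
    if not url.lower().startswith(("http://", "https://")):
        raise ValueError(f"EDL url must be http(s), got {url!r}")
    base = f"set {scope} external-list {name}"
    return [
        f"{base} type domain",            # 'ip' would create an IP list instead
        f"{base} url {url}",
        f"{base} recurring {recurring}",  # 'hourly' is assumed to be a valid recurring value
    ]


def binding_commands(scope: str, profile: str, bindings: dict[str, str]) -> list[str]:
    """Bind each domain list to the profile's DNS signature handling with an action."""
    cmds: list[str] = []
    for list_name, action in bindings.items():
        if action not in DNS_LIST_ACTIONS:
            raise ValueError(
                f"action for {list_name!r} must be one of {sorted(DNS_LIST_ACTIONS)}, got {action!r}"
            )
        cmds.append(f"set {scope} profiles spyware {profile} botnet-domains list {list_name} action {action}")
    return cmds


def refresh_command(name: str) -> str:
    """Operational-mode command that fetches the list outside its schedule (from the article)."""
    return f"request system external-list refresh type domain name {name}"


def build_config(scope: str, lists: dict[str, str], profile: str, bindings: dict[str, str]) -> list[str]:
    """Full sequence: enter configure mode, create lists, bind them, commit, then refresh each list."""
    if len(lists) > MAX_EDLS:
        raise ValueError(f"{len(lists)} EDLs requested, limit is {MAX_EDLS}")
    unknown = set(bindings) - set(lists)
    if unknown:  # this script only binds lists it also creates
        raise ValueError(f"profile {profile!r} references lists not defined here: {sorted(unknown)}")
    cmds = ["configure"]
    for name, url in lists.items():
        cmds.extend(edl_commands(scope, name, url))
    cmds.extend(binding_commands(scope, profile, bindings))
    cmds.extend(["commit", "exit"])  # 'commit' assumed: standard configure-mode commit
    cmds.extend(refresh_command(name) for name in lists)
    return cmds


if __name__ == "__main__":
    # Constructed values for the example.
    for line in build_config(
        "vsys vsys1",
        {"custom-dns-block-list": "http://feeds.example.internal/dns-block.txt"},
        "AS1",
        {"custom-dns-block-list": "sinkhole"},
    ):
        print(line)
```

Paste the output into a CLI session rather than a shell: every line after "configure" up to "exit" is a configure-mode command, and the final refresh line runs in operational mode. Keeping the action explicit per list makes it obvious in review when a list has been bound with allow instead of sinkhole.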

  • An External Dynamic List can be refreshed manually from operational mode (here the list is named custom-dns-block-list):
> request system external-list refresh type domain name custom-dns-block-list

EDL refresh job enqueued

  • The request is queued as a job; its status can be checked with the 'show jobs' command or by viewing Tasks in the WebUI
  • The job type is EDLRefresh
  • Download or EDL refresh failures are recorded in the system log and in ms.log

High Availability

  • The text file that maps internal threat IDs to the malicious domains is regenerated on the HA peer on every commit.
Comments
by bspilde
on 05-12-2016 12:04 PM

It would be spectacular if this list could be pulled from a username and password secured website!

by jasonrakers
on 05-12-2017 07:22 PM

When using an external domain list, can you use it for an allow policy rule for the specified source domains? Such as instead of specifying sinkhole, I specify allow and then apply this special security profile to an allow rule in the firewall policy. I assume not, that the security profile will only match on the destination for the domains in the list.
