I need assistance configuring/verifying if DNS Sinkholing is correct on my PA3020 running PAN-OS 7.1.18.
Solved! Go to Solution.
Okay so outside of a few customizations it looks like you already have it configured and the IP of the default Palo Alto sinkhole IP is just failing to load. At the bottom of that query is a link to a verification document on how you would verify things are properly sinholing, but you should effectively be getting the response of 126.96.36.199 if you attempt to lookup a host that matches one of the DNS Signatures that are published.
So I followed step 4 of the query and created the security rule with the Palo Alto Default sinkhole address (188.8.131.52) as the destination and moved it to the top. If I look at threat logs I still see my internal DNS servers IP addresses if I filter by app eq sinkhole.
There really isn't a way to verify the object easily on the firewall, you have to get involved with the XML files that actually make up the device and peek around in the tech support file. If you look at the traffic logs for the sinkhole IP do you see any activity, and have you verified that you've setup logging on the rule you created to deny the traffic?
I wouldn't filter on the sinkhole app-id, that's kind of a bad test.
I'm seeing sinkhole IP activity on two of my current PA security rules now that I've confirmed logging is enabled on both session start and end. The Block-Sinkhole security rule I've implemented to drop indicates one source address currently hitting the sinkhole IP.
I've refreshed the monitor and now it appears my sinkhole rule is dropping any source IP to the destination sinkhole IP. Thanks for all your help. Have a great holiday!
One other question is as to what I should be looking into as far as the threat log and the sinkhole type action. I'm still seeing that traffic to a few of my on premise domain controllers.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!