Suspicious DNS Query Action

L2 Linker


Hello PAN Community,

I would just like to know if it's possible to edit or change the default action for a specific suspicious DNS query?

We have a situation here where what we wanted to happen is to drop all the packets for suspicious DNS queries instead of resetting both connections.

Thank you in advance.

Regards,

Hartkently

L2 Linker

Re: Suspicious DNS Query Action

Hi Hartkently,

In the vulnerability profile that you are using, you can click on the exception tab and search for the threat whose action you want to change. In the action column, you will then be able to change the action from "default (reset-both)" to "drop".

Regards,

Narong

L2 Linker

Re: Suspicious DNS Query Action

Hello Narong,

Thank you for that information. I certainly can change the default action there. However, the threats that we are looking for aren't there. Please see the image below:

1.png

These are the kind of threats for which we want to change the action.

Thank you.

Regards,

Hartkently

L7 Applicator

Re: Suspicious DNS Query Action

Hello Hartkently,

Do you have the "threat-ID" for those whose default action you want to change?

FYI:

spyware.JPG

Thanks

L2 Linker

Re: Suspicious DNS Query Action

Hello Hulk,

Below is the traffic info of the threat for which we want to change the action.

2.JPG

If I'm not mistaken, the ID in the threat details is the threat ID. I tried looking for it in the vulnerability protection and anti-spyware, but the only place I found it was in the DNS signatures, and there is no change or edit action there.

Thank you.

Regards,

Hartkently

L7 Applicator

Re: Suspicious DNS Query Action

Hello Hartkently.

Yes, you are correct. In the case of a spyware signature, the ID will be re-used by the PAN firewall and you will not be able to change the default action.

spyware-1.JPG

Thanks

L2 Linker

Re: Suspicious DNS Query Action

HULK wrote:

Hello Hartkently.

Yes, you are correct. In the case of a spyware signature, the ID will be re-used by the PAN firewall and you will not be able to change the default action.

spyware-1.JPG

Thanks

Hello Hulk,

Thank you for that information. So there is no way we can change the default action for DNS signatures.

Regarding your last post, we would like to verify the purpose of Threat ID exceptions. What will happen to a specific threat if we include it on the exceptions?

Thank you very much.

Regards,

Hartkently

L7 Applicator

Re: Suspicious DNS Query Action

Hello Hartkently,

If you add an exception for a Threat ID, the traffic will be bypassed through the PAN firewall and the signature will not trigger.

Thanks
