This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Suspicious DNS Query Action

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Suspicious DNS Query Action

HartkentlyNua
L2 Linker

‎05-22-2014 12:33 AM

Hello PAN Community,

I would just like to know if its possible to edit or change the default action for a specific suspicious DNS query?

We have a situation here where what we wanted to happen is to drop all the packets for suspicious DNS query instead of resetting both connection.

Thank you in advance.

Regards,

Hartkently

0 Likes Likes
7 REPLIES 7

nchong
L2 Linker

‎05-22-2014 03:33 AM

Hi Hartkently,

In the vulnerability profile that you are using, you can click on the exception tab and search for the Threat that you want to change the action. On the action column you will then be able to change the action from "default (reset-both)" to "drop"

Regards,

Narong

HartkentlyNua
L2 Linker
In response to nchong

‎05-22-2014 06:20 AM

Hello Narong,

Thank you for that information, I certainly can change the default action there. however, the threats that we are looking for isn't there. please see the image below,

1.png

these are the kind of threats that we want change the action.

Thank  you.

Regards,

Hartkently

0 Likes Likes

HULK
L7 Applicator
In response to HartkentlyNua

‎05-22-2014 09:25 AM

Hello Hartkently,

Do you have the "threat-ID" for those you want to change the default action...?

FYI:

spyware.JPG

Thanks

0 Likes Likes

HartkentlyNua
L2 Linker

‎05-22-2014 07:02 PM

Hello Hulk,

below is the traffic info of the threat that we want to change the action.

2.JPG

if i'm not mistaken, the ID on the threat details is the threat ID. I tried looking for it on the vulnerability protection and anti-spyware, but the only place i found it was in the DNS signatures and there no change or edit action there.

thank you.

regards,

hartkently

0 Likes Likes

HULK
L7 Applicator
In response to HartkentlyNua

‎05-22-2014 07:22 PM

Hello Hartkently.

Yes you are correct, In case of spyware signature, the ID will be re-used by PAN firewall and you will not be able to change the default action.

spyware-1.JPG

Thanks

0 Likes Likes

HartkentlyNua
L2 Linker
In response to HULK

‎05-22-2014 08:31 PM 

HULK wrote:




Hello Hartkently.




Yes you are correct, In case of spyware signature, the ID will be re-used by PAN firewall and you will not be able to change the default action.




spyware-1.JPG




Thanks

Hello Hulk,

Thank you for that information. So there is now way we can change the default action for DNS signatures.

Regarding your last post, We would like to verify the purpose of Threat ID exceptions, what will happen to a specific threat if we include it on the exceptions?

Thank you very much.

Regards,

Hartkently

0 Likes Likes

HULK
L7 Applicator
In response to HartkentlyNua

‎05-22-2014 08:40 PM

Hello Hartkently,

If you add an exception for a Threat ID, the traffic will be bypassed through the PAN firewall and signature will not trigger.

Thanks

  • 4058 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks