This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

Zone Heat Map Showing 0% DNS Sinkhole Adoption Between Two Zones

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Zone Heat Map Showing 0% DNS Sinkhole Adoption Between Two Zones

fhewiufhwefhwe
L4 Transporter

‎08-27-2021 04:08 PM

Every single security policy is using the same anti-virus and anti-spyware profile, but the zone heat map is showing 0% DNS Sinkhole adoption for some rules.

 

There are three Source/Destination Zone pairs where it is showing 0% URL Filtering (because I have rules from specific ipaddresses to specific known FQDNs that should not be blocked by url filtering).  Rather than create separate Url Filtering policy for each rule, I am choosing a url filtering profile that only blocked malicious/phishing/etc. sites.

 

Any way to resolve?  This seems like a false positive particularly for DNS sinkhole adoption rate.

0 Likes Likes
4 REPLIES 4

LAYER_8
L5 Sessionator

‎09-07-2021 09:58 AM

Two possible issues here. Please make sure you have in your rule hierarchy towards the top a rule of application going to the predefined Sinkhole IPv4 and IPv6 address object set to allow with logs or block depending on your security posture (as noted, best practice is block).

 

Screen Shot 2021-09-07 at 11.48.06 AM.png

 

Second, inside your Antispyware profile and DNS signatures, all those should be set to sinkhole as these are known or determined bad DNS requests. 

 

Screen Shot 2021-09-07 at 11.48.26 AM.png

 

Help the community! Add tags & mark solutions please.
0 Likes Likes

fhewiufhwefhwe
L4 Transporter
In response to LAYER_8

‎09-08-2021 07:03 AM

I have Sinkhole as the 3rd rule.  I will try making destination zone any from untrust.  I manually listed every zone for source zone, because it caused a false positive on zone protection adoption rate if you use any on any security policy rule.

 

Anti-spyware already is using sinkole and single-packet capture or extended-capture for listed options on DNS security

 

fhewiufhwefhwe_0-1631109557398.png

 

 

 

 

0 Likes Likes

fhewiufhwefhwe
L4 Transporter
In response to fhewiufhwefhwe

‎09-08-2021 08:05 AM

Still having the same issue.  If I go to Adoption Heatmap -> Tags, it's blocklists and denies that show up with 0% DNS Sinkhole adoption.  There are some other policies with 57-86% adoption rate, and every single policy has the same anti-spyware policy.

fhewiufhwefhwe_2-1631113440238.png

 

fhewiufhwefhwe_1-1631113410258.png

 

0 Likes Likes

LAYER_8
L5 Sessionator

‎09-08-2021 11:56 AM

That's interesting. I wonder if there's some logic in there that since the traffic is explicitly denied, it can't actually be scanned by AV/AS/VP so it will show as not best practice. I can't say I've seen that error before, super strange. 

Help the community! Add tags & mark solutions please.
0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks