As part of the PAN-OS 10.0 release, Palo Alto Networks will be adding a new DNS Security category for Proxy Avoidance and Anonymizers.
ACTION: Action may be required. Please consider impact in alignment with organization policies.
What is Proxy Avoidance and Anonymizers?
Palo Alto Networks defines the Proxy Avoidance and Anonymizers category as services that are used to bypass content filtering policies.
Users can connect to a proxy service and access websites that may otherwise be blocked by security controls. Proxy services (e.g., Psiphon, x-vpn) can spoof SNI information in an SSL/TLS handshake to bypass content filtering policies. Blocking the requests at the DNS level will prevent users from accessing such services.
When will the Proxy Avoidance and Anonymizers Category be available in DNS Security?
This category will be available as part of a content update in the PAN-OS 10.0 release. The content update will be available the week of November 2nd. The default action will be set to 'Block' under the anti-spyware profile. On PAN-OS 9.0 and 9.1 releases, the Proxy Avoidance and Anonymizers category is not supported, and DNS requests to this category will be allowed. For the categories supported in those PAN-OS releases, please refer to the documentation on DNS Security.
When will the new category be effective?
The category will go live the week of November 23, 2020. Administrators can choose the policy action associated with this category: Block, Allow or Sinkhole. The Palo Alto Networks best-practice recommendation is to Sinkhole.