- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
As part of the PAN-OS 10.0 release, Palo Alto Networks will be adding a new DNS Security category for Proxy Avoidance and Anonymizers.
ACTION: Action may be required. Please consider impact in alignment with organization policies.
Palo Alto Networks defines the Proxy Avoidance and Anonymizers category as services that are used to bypass content filtering policies.
Users can connect to a proxy service and access websites that may otherwise be blocked by security controls. Proxy services (eg. Psiphon, x-vpn) can spoof SNI information in a SSL/TLS handshake to bypass content filtering policies. Blocking the requests at a DNS level will prevent users from accessing such services.
This category will be available as part of a content-update in the PAN-OS 10.0 release. The content update will be available the week of November 2nd. The default action will be set to 'Block' under the anti-spyware profile. On 9.0 and 9.1 releases, Proxy Avoidance and Anonymizers category support is not available and DNS requests to this category will be allowed. For categories supported in those PAN-OS releases, please refer the following documentation on DNS Security.
The category will go live the week of November 23, 2020. Administrators can choose policy actions associated with this category - including Block, Allow or Sinkhole. Palo Alto Networks best practices recommendation is to Sinkhole.
Yes.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Subject | Likes |
---|---|
5 Likes | |
3 Likes | |
2 Likes | |
1 Like | |
1 Like |