11-21-2019 09:31 AM
We have PA-820s and I have been looking for a way to leverage them to block punycode attacks. In fact, we'd be pretty OK with blocking punycode URLs altogether. I just haven't been able to puzzle out a way to do it. If I add xn--* to the URL filter block list, it complains that I have multiple wildcards. If I add just xn-- the firewall accepts it, but it just doesn't work, nothing is blocked. It was the same result when I tried to create a custom URL category. Is this something that can even be done at the firewall level, or should I look to address this on the DNS side?
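For the DNS-side option raised in the question, here is an added example (not from the thread or from Palo Alto Networks) of a check a resolver-log review could run: it finds punycode (xn--) labels in any position of a queried name, decodes them, and flags labels that mix scripts. The log format and hostnames are constructed for the example.

```python
import re
import unicodedata

# Constructed sample hostnames (not from the thread): a plain name, a look-alike
# mixing Cyrillic "р" (U+0440) with Latin letters, a genuine Russian IDN and a
# harmless German IDN. Their xn-- forms are produced with Python's idna codec.
_UNICODE_SAMPLES = [
    "www.example.com",
    "\u0440aypal.example",
    "\u043f\u0440\u0438\u043c\u0435\u0440.\u0440\u0444",
    "b\u00fccher.example",
]
# Constructed DNS query log in an assumed key=value format (not PAN-OS syntax).
SAMPLE_DNS_LOG = "\n".join(
    f"2019-11-21T09:31:0{i}Z client=10.0.0.{10 + i} "
    f"query={name.encode('idna').decode('ascii')} type=A"
    for i, name in enumerate(_UNICODE_SAMPLES)
)
QUERY_RE = re.compile(r"query=(\S+)")

def decode_idn(hostname):
    """Decode xn-- labels to Unicode; return the input unchanged if decoding fails."""
    try:
        return hostname.encode("ascii").decode("idna")
    except UnicodeError:
        return hostname

def label_scripts(label):
    """Script families of the letters in one label, from the Unicode character name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def assess(hostname):
    """Return (verdict, decoded); verdict is 'ascii', 'idn' or 'mixed-script'."""
    # xn-- can start any label, not only the leftmost one, so check every label.
    host = hostname.rstrip(".").lower()
    if not any(lbl.startswith("xn--") for lbl in host.split(".")):
        return "ascii", host
    decoded = decode_idn(host)
    # One label drawing letters from two scripts is the classic homograph shape.
    if any(len(label_scripts(lbl)) > 1 for lbl in decoded.split(".")):
        return "mixed-script", decoded
    return "idn", decoded

def scan_log(log_text):
    """List (hostname, verdict, decoded) for every query containing a punycode label."""
    findings = []
    for match in QUERY_RE.finditer(log_text):
        verdict, decoded = assess(match.group(1))
        if verdict != "ascii":
            findings.append((match.group(1), verdict, decoded))
    return findings
```

Run `scan_log(SAMPLE_DNS_LOG)` to see the three non-ASCII queries with their decoded forms; an ASCII-only name such as www.example.com is never reported.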
11-21-2019 12:44 PM
Hello,
I am going to assume this is for outbound traffic. If yes, then there are several things to do in conjunction.
In your Vulnerability profile, enable DNS Sinkhole.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGECA0
Next I would block by web category, blocking the obvious bad stuff.
abused-drugs, adult, alcohol-tobacco, command and control, copyright-infringement, crypto-currency, dynamic-dns, hacking, high-risk, insufficient-content, malware, medium-risk, newly-registered-domain, not-resolved, parked, phishing, private-ip-address, proxy avoidance and anonymizers, questionable, shareware and freeware, unknown, web-advertisements
Externally have only your DNS servers be able to go out and get external DNS requests. Also use a secure service such as OpenDNS, Cloudflare, Quad9, etc. And block the end users from exiting your environment over DNS externally.
Set up external dynamic lists, along with the PAN built-in ones. I have the following setup.
Source on PAN support:
https://live.paloaltonetworks.com/message/54183#54183
Sans notes on this:
Others listed on this site:
http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
http://malc0de.com/bl/IP_Blacklist.txt
http://panwdbl.appspot.com/lists/openbl.txt
http://cinsscore.com/list/ci-badguys.txt
Make sure you are performing SSL decrypt to ensure you are seeing the traffic.
This should get you started without having to use a wildcard to block everything.
Regards,