03-06-2025 01:12 AM
Hello everybody,
How many policies do we need to block and review the source of infected hosts?
One or two?
Internal DNS is in use, but we cannot see the source of users.
03-06-2025 06:01 AM
Enable DNS Security in Anti-Spyware profile.
Attach Anti-Spyware to all policies that apply for traffic where you need to identify infected hosts (ideally all).
03-06-2025 06:20 AM
Hi @valizada ,
Only one security policy rule is needed to identify infected hosts. Please see #3 in this document -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGECA0.
For those not familiar with this practice, most outbound DNS requests will come from the company's internal DNS server. To identify the infected hosts, you can create a security policy rule to match traffic to the sinkhole FQDN. The traffic that matches this rule will have the source IP addresses of the hosts that initially requested the suspect domain. The Day 1 Configuration includes an example rule. The BPA also recommends this rule.
Thanks,
Tom
03-06-2025 06:56 AM
For DNS Sinkhole to work, it is enough to have it configured on only one rule: domain controller to Internet.
But in this case, also make sure that all devices actually have the domain controller set as their DNS server.
Without Anti-Spyware configured for all outgoing policies, you will lose DNS Security protection for devices that connect to Internet-hosted DNS servers.
Best would be to also use DNS Proxy to make sure an infected internal device is not trying to bypass URL categorization by using hardcoded IPs.
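The replies above make one point that is easy to miss: when every client resolves through an internal DNS server, the DNS logs only ever show the resolver as the source, and it is the follow-up connection to the sinkhole address (matched by the dedicated security policy rule) that carries the real client IP. The script below is an added example, not code from the thread or from Palo Alto Networks, that demonstrates that difference on constructed, simplified PAN-OS-style log lines. The sinkhole addresses, the internal resolver IP, the rule names and the log format are all assumptions made for the example; substitute the sinkhole address configured in your own Anti-Spyware profile.

```python
"""
Added example (not from the LIVEcommunity thread): why a security policy rule
matching traffic to the sinkhole address identifies infected hosts.

Assumptions (constructed for this example, not vendor defaults):
- SINKHOLE_IPS holds the sinkhole addresses configured in the Anti-Spyware
  profile (placeholder values).
- 10.0.0.53 is the internal DNS server that forwards client lookups.
- Log lines are simplified CSV: log_type,src_ip,dst_ip,dst_port,app,rule
"""
from collections import defaultdict

# Placeholder sinkhole addresses; replace with the ones in your profile.
SINKHOLE_IPS = {"198.51.100.10", "2001:db8::10"}

# Constructed sample logs. DNS-level entries show only the resolver as source;
# the clients appear only when they connect to the sinkhole address.
SAMPLE_LOGS = """\
THREAT,10.0.0.53,8.8.8.8,53,dns,allow-dns-out
TRAFFIC,10.1.2.34,198.51.100.10,443,ssl,sinkhole-detect
TRAFFIC,10.1.2.34,198.51.100.10,80,web-browsing,sinkhole-detect
TRAFFIC,10.1.5.7,2001:db8::10,443,ssl,sinkhole-detect
TRAFFIC,10.1.9.9,93.184.216.34,443,ssl,allow-web-out
THREAT,10.0.0.53,8.8.8.8,53,dns,allow-dns-out
"""


def parse_log(text):
    """Yield one dict per non-empty log line in the constructed CSV format."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        log_type, src, dst, port, app, rule = line.split(",")
        yield {
            "type": log_type,
            "src": src,
            "dst": dst,
            "port": int(port),
            "app": app,
            "rule": rule,
        }


def dns_query_sources(text):
    """Source IPs seen on DNS traffic.

    With an internal resolver in front of the firewall this is only the
    resolver itself, which is why DNS logs alone cannot name the client.
    """
    return sorted({e["src"] for e in parse_log(text) if e["app"] == "dns"})


def infected_hosts(text, sinkhole_ips=SINKHOLE_IPS):
    """Map each client that connected to a sinkhole address to its hit count.

    This is the same information the dedicated security policy rule exposes:
    any host whose traffic is destined for the sinkhole address previously
    resolved a malicious domain.
    """
    hits = defaultdict(int)
    for e in parse_log(text):
        if e["type"] == "TRAFFIC" and e["dst"] in sinkhole_ips:
            hits[e["src"]] += 1
    return dict(hits)


def hosts_by_rule(text, rule_name="sinkhole-detect"):
    """Alternative view: clients matched by the sinkhole rule name itself."""
    return sorted({e["src"] for e in parse_log(text) if e["rule"] == rule_name})


if __name__ == "__main__":
    print("Sources on DNS traffic:", dns_query_sources(SAMPLE_LOGS))
    print("Hosts contacting sinkhole:", infected_hosts(SAMPLE_LOGS))
    print("Hosts matched by rule:", hosts_by_rule(SAMPLE_LOGS))
```

Running the script prints the resolver as the only DNS source while listing the two client addresses that reached the sinkhole, which is the gap the single sinkhole rule closes. Because the detection keys on the destination address rather than on the domain name, it still catches hosts that cache the sinkhole answer and connect later, and it works whether the rule action is allow or deny as long as the session is logged.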