I can see a lot of spyware detected by the PAN firewall. The threat is like "Suspicious DNS Query (conficker:xtujyzyo.net)".
Does anybody know about this kind of issue?
Generally hosts that generate this log have been infected and you will need to visit the computer and remove the spyware or virus infection. These reports help you identify these hosts.
Thank you guys for your response.
@Steven Puluka- PAN is showing only one host, i.e., my Primary DNS server. What I am guessing is that my other Secondary DNS servers are infected too. But PAN is not showing the other host addresses.
@HULK- I am sorry, I am new to PAN. Where can I find the installed version of the Threat database?
@Harrdik- So though the system is infected, the DNS query is blocked by PAN? From some searching, I found "How to Deal with Conficker using DNS Sinkhole". Is it a good idea to implement this?
Let us know if you need anything related to the PAN FW, since you are very new. The threat database version can be seen from:
1. GUI > Dashboard > General Information > Threat Version.
2. GUI > Device > Dynamic Updates > Application and Threats.
3. From CLI > show system info
admin@31-PA-3020> show system info
app-release-date: 2014/07/08 14:43:28
av-release-date: 2014/07/10 08:20:01
threat-version: 445-2292 >>>>>>>>>>>>>>>>>>>>>>>>>> Threat database version
threat-release-date: 2014/07/08 14:43:28
wildfire-release-date: 2014/06/17 14:11:02
global-protect-datafile-release-date: 2014/07/11 21:51:50
Hope this helps.
With the below document, you can get regular mails for infected hosts, so it's consolidated information. That way you can block all users in one attempt.
Yes, it's a good implementation.
Sorry, I wasn't paying close enough attention. With DNS flags like this you do get your DNS server as the source. But this is a false positive because your DNS server is just forwarding the request on behalf of your infected clients. So you need detailed logs from the DNS server to backtrack the requests to the ultimate host. You will likely need to increase the logging level to find this information.
See a fuller discussion in this previous thread.
This is what the new PanOS 6 DNS Sinkholing feature is designed to help you do. Get logging for the infected computers instead of the DNS server.
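As an added illustration of the backtracking step described above (not code from this thread or from Palo Alto Networks): the script below takes the domain out of a "Suspicious DNS Query (family:domain)" threat name and searches DNS server query logs for the internal clients that actually asked for it. It assumes a BIND 9 style query log line format; the log lines and threat name are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample BIND 9 query-log lines (not from the original thread).
# Assumed format: "client <ip>#<port> (<qname>): query: <qname> IN <type> ..."
SAMPLE_DNS_LOG = """\
10-Jul-2014 09:12:01.123 client 10.1.5.23#51234 (xtujyzyo.net): query: xtujyzyo.net IN A + (10.1.1.10)
10-Jul-2014 09:12:02.456 client 10.1.5.77#40001 (www.example.com): query: www.example.com IN A + (10.1.1.10)
10-Jul-2014 09:12:03.789 client 10.1.5.23#51240 (mail.example.com): query: mail.example.com IN MX + (10.1.1.10)
10-Jul-2014 09:12:05.001 client 10.1.7.4#33000 (xtujyzyo.net): query: xtujyzyo.net IN A + (10.1.1.10)
"""

# Threat names as they appear in the firewall threat log (constructed example).
SAMPLE_THREAT_NAMES = [
    "Suspicious DNS Query (conficker:xtujyzyo.net)",
]

THREAT_RE = re.compile(r"\(([^:()]+):([^()]+)\)")
QUERY_RE = re.compile(
    r"client (?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+ \([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def domains_from_threat_names(names):
    """Map each flagged domain to its malware family, parsed from the threat name."""
    out = {}
    for name in names:
        m = THREAT_RE.search(name)
        if m:
            out[m.group(2).lower().rstrip(".")] = m.group(1)
    return out

def backtrack_clients(dns_log, flagged):
    """Map each flagged domain to the sorted list of client IPs that queried it."""
    hits = defaultdict(set)
    for line in dns_log.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").lower().rstrip(".")
        if qname in flagged:
            hits[qname].add(m.group("client"))
    return {d: sorted(ips) for d, ips in hits.items()}

if __name__ == "__main__":
    flagged = domains_from_threat_names(SAMPLE_THREAT_NAMES)
    for domain, clients in backtrack_clients(SAMPLE_DNS_LOG, flagged).items():
        print(f"{domain} ({flagged[domain]}): {', '.join(clients)}")
```

The client IPs it returns are the hosts to visit and clean; the DNS server itself only appears in the firewall log because it forwarded the lookups.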