04-01-2015 02:24 AM
Hi!
I've got a question about BotNet reports available on Palo Alto firewalls. Maybe someone has an experience on how accurate they are, what logic they are using and how to better tune them to display more precise information?
At this point I have all default settings configured. But I have noticed that some of the web sites categorized by Palo Alto as malicious or malware are just web-ad banners and are not so critical. If web-ads are blocked by our firewall policy will it result on BotNet report behavior?
Thank you in advance.
Best regards,
Andrejs Cvetkovs
04-01-2015 03:10 AM
The web banner agencies are a vector of attack that malicious actors are using now. They purchase ads from these legitimate vendors and get malicious links sent out via these ad services. The specific services will come on and off the list as actual malicious links are detected and removed the same way that a compromised legitimate web site gets onto the list.
The botnet report is letting you know activity to sites that are on the malicious link list. They may or may not be actually compromised it requires follow up.
04-01-2015 05:37 AM
Thank you very much for your response, Steven!
I think it also answers the question regarding report configuration tuning, it all depends on after how many visits I want entry to be added to report.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
