I've got a question about the BotNet reports available on Palo Alto firewalls. Maybe someone has experience with how accurate they are, what logic they use, and how to tune them to display more precise information?
At this point I have all default settings configured. But I have noticed that some of the web sites categorized by Palo Alto as malicious or malware are just web-ad banners and are not so critical. If web-ads are blocked by our firewall policy, will that affect BotNet report behavior?
Thank you in advance.
The web banner agencies are a vector of attack that malicious actors are using now. They purchase ads from these legitimate vendors and get malicious links sent out via these ad services. The specific services will come on and off the list as actual malicious links are detected and removed, in the same way that a compromised legitimate web site gets onto the list.
The botnet report is letting you know about activity to sites that are on the malicious link list. They may or may not actually be compromised; it requires follow-up.
Thank you very much for your response, Steven!
I think it also answers the question regarding report configuration tuning: it all depends on after how many visits I want an entry to be added to the report.
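The follow-up that Steven's answer calls for can be partly automated. The script below is an added example, not code from this thread or from Palo Alto Networks: it reads URL-filtering events, counts hits to malware-categorized hosts per source IP, applies a configurable visit threshold (the same knob the report exposes), and then separates two cases the report itself does not distinguish: sources whose hits are all to a known ad network (likely malvertising, lower priority) and sources that contact one malicious host at regular intervals (beacon-like, higher priority). The CSV layout, the `KNOWN_AD_NETWORKS` list, the `.test` hostnames and the sample rows are all constructed for the example and are not the firewall's real log schema.

```python
"""Triage helper for botnet-style reports (added example, not PAN-OS code).

Counts hits to malware-categorized URLs per source, applies a visit
threshold, and flags beacon-like timing versus known ad-network noise.
The CSV layout below is constructed and simplified; it is not the
firewall's real URL-filtering log schema.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample events (assumed layout: time,src,dst_url,category,action).
SAMPLE_LOG = """\
time,src,dst_url,category,action
2024-01-01T10:00:00,10.1.1.5,ads.example-adnet.test/banner.js,malware,block
2024-01-01T10:00:05,10.1.1.5,ads.example-adnet.test/banner.js,malware,block
2024-01-01T10:01:00,10.1.1.5,cdn.example-adnet.test/pixel.gif,malware,block
2024-01-01T10:02:00,10.1.1.9,update.evil-c2.test/beacon,malware,block
2024-01-01T10:02:30,10.1.1.9,update.evil-c2.test/beacon,malware,block
2024-01-01T10:03:00,10.1.1.9,update.evil-c2.test/beacon,malware,block
2024-01-01T10:03:30,10.1.1.9,update.evil-c2.test/beacon,malware,block
2024-01-01T10:04:00,10.1.1.7,www.benign.test/index.html,business,allow
"""

# Assumed analyst-maintained list of ad-network hosts that keep landing in
# the malware category because of malvertising, not because the client is owned.
KNOWN_AD_NETWORKS = {"ads.example-adnet.test", "cdn.example-adnet.test"}

# Categories that feed the triage; assumed names for the example.
FLAGGED_CATEGORIES = {"malware", "command-and-control"}


def parse_log(text):
    """Parse the CSV into rows with a datetime and a bare hostname."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.fromisoformat(row["time"])
        # Logged URLs carry no scheme; prefix "//" so urlsplit isolates the host.
        row["host"] = urlsplit("//" + row["dst_url"]).hostname
        rows.append(row)
    return rows


def is_regular(times, tolerance=0.2):
    """True when three or more events are spaced at near-constant intervals."""
    if len(times) < 3:
        return False
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = sum(gaps) / len(gaps)
    if mean == 0:
        return False
    return all(abs(g - mean) <= tolerance * mean for g in gaps)


def summarize(rows, threshold=3):
    """Per source IP: flagged-category hits, whether they reach the threshold,
    whether every hit went to a known ad network, and which hosts look like
    beacons. Priority is derived from those facts."""
    per_src = defaultdict(lambda: defaultdict(list))
    for r in rows:
        if r["category"] in FLAGGED_CATEGORIES:
            per_src[r["src"]][r["host"]].append(r["time"])

    report = {}
    for src, hosts in per_src.items():
        hits = sum(len(t) for t in hosts.values())
        ad_only = all(h in KNOWN_AD_NETWORKS for h in hosts)
        beacon_hosts = sorted(h for h, t in hosts.items() if is_regular(t))
        if hits < threshold:
            priority = "below-threshold"
        elif beacon_hosts:
            priority = "high"
        elif ad_only:
            priority = "low"
        else:
            priority = "medium"
        report[src] = {
            "hits": hits,
            "hosts": sorted(hosts),
            "ad_only": ad_only,
            "beacon_hosts": beacon_hosts,
            "priority": priority,
        }
    return report


if __name__ == "__main__":
    for src, info in sorted(summarize(parse_log(SAMPLE_LOG)).items()):
        print(src, info)
```

With the sample data, 10.1.1.5 reaches the threshold but only ever hit ad-network hosts, so it lands at low priority, while 10.1.1.9 hit one host every 30 seconds and is marked high; the business-category row never enters the report. Raising `threshold` to 4 drops 10.1.1.5 to below-threshold without touching the beaconing host, which is the trade-off the report's own visit count makes.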