Wildfire -> DNS Signatures -> PAN-DB

Reply
Highlighted
L4 Transporter

Wildfire -> DNS Signatures -> PAN-DB

Does anyone know the flow that the PANW Firewall goes through to update the DNS Signature data?  Does Wildfire detection feed the DNS Signatures and then PAN-DB categorizes the URL as Malware?

Thanks,

Jeff

L7 Applicator

As per my understanding, you are correct.  If the wildfire is not having a signature of that packet, it will trigger "forward" action to the cloud. And then the signature would be modified in threat database/PAN-DB.

For your reference: How is a New Registered Domain Classified by PAN-DB?

For malware domains, PAN-DB will categorize a URL or IP as malware as long as WildFire has associated it with malicious activity. Regarding the CryptoLocker lists published by the FBI and InfraGard, Palo Alto Networks does subscribe to these lists and will create threat signatures around them, as well as feed the domains and IPs listed into PAN-DB. For those malware families that utilize DGAs, Palo Alto Networks will phase in DNS signatures as those domains go live (typically a few days before), and then disable them as they are taken down. Starting with the most recent InfraGard list, (CryptoLocker, GameOver ZeuS), Palo Alto Networks started adding all domains at once to PAN-DB, and keeps them categorized as malware until otherwise notified.

Hope this helps.

Thanks

Highlighted
L4 Transporter

Thank you very much HULK! This information is very helpful. :smileyhappy:

Highlighted
L4 Transporter

Hello Hulk,

I have some questions regarding the relationship between Wildfire, PAN-DB and the DNS Suspicious Query signatures in the AV database.  Based on your earlier reply, if Wildfire detects Malware from a file that is analyzed in the cloud, it will pass the DNS hosts that's part of the analysis to PAN-DB to be categorized as Malware. Correct???  How about updating the DNS Suspicious Query signatures in the AV database, does it do that?  The reason I ask is because I ran some of the DNS Queries information from my Wildfire Analysis Report of malicious files against my PANW firewalls Suspicious DNS Query entries and they are not listed.  You would think that Palo Alto would add those hosts to the DNS Suspicious Query database.

Any help you can provide would be helpful.

Thanks,

Jeff

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!