02-20-2026 12:45 AM
Attention: JAPAC TPM Team
Hello Team,
I have a question about the Anti-Spyware profile behavior in a Prisma Access (Explicit Proxy) environment.
Scenario
- Clients use Explicit Proxy to reach Prisma Access for web traffic.
- DNS resolution does not traverse Prisma Access (it is resolved by a local resolver / another path).
- An Anti-Spyware profile is attached to the relevant security policy.
- SSL decryption: enabled/disabled (please advise if this matters in this scenario).
Questions
1. When client DNS queries do not traverse Prisma Access, is it correct that Anti-Spyware detections would rely on payload-based signatures (and not DNS signatures / sinkhole)?
2. In such a case, should detections appear in the Threat log with subtype: spyware? Is there any difference in the logging behavior compared to DNS signature/sinkhole events?
3. I couldn’t find an official knowledge base article that specifically tests this scenario. Is there a recommended test methodology to validate Anti-Spyware behavior with Explicit Proxy when DNS is out‑of‑path?
Constraints
I currently don’t have access to a live traffic test environment, so any guidance, example steps, or references would be greatly appreciated.
Thank you in advance for your assistance.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
