09-20-2023 05:06 AM
I stumbled across this article on BleepingComputer.
To my surprise, the URLs mentioned in the article were considered safe.
Palo Alto had these categorized as for example
So I figured I would block the newly-registered-domain category, as these are often used by scammers or malicious users. They pop up and disappear very frequently.
Unfortunately that did not work. According to my logging the URLs are "not-resolved", and the domains themselves appear to have a very short TTL (5 minutes).
The only thing I could think of is to add these domains to my manual block list.
So my question is basically, what can I do to block these sites in a pro-active way?
These scammers appear to be pretty smart at circumventing our safety systems.
Any thoughts are more than welcome.
Remko
09-20-2023 05:35 AM
Hi @Remko ,
It is interesting that your logs say "not-resolved", which means the NGFW was unable to connect to the cloud. See row 37 in the following URL. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5hCAC
With normal cloud connectivity, you should be able to block the Unknown category (row 65) and URLs that have not been categorized should be blocked.
There is always a balance between security and availability, and there is the potential that blocking Unknown may negatively impact sanctioned browsing. The table says that blocking Not-Resolved could be very disruptive. We don't want all web sites blocked that are not cached when the NGFW loses connectivity to the cloud.
Thanks,
Tom
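The "not-resolved" verdict Tom describes above is worth watching in the URL filtering logs, because a sudden rise in it means lookups are failing rather than the sites being benign. As an added example (not from the thread or from Palo Alto Networks), the Python below parses constructed, simplified log lines and flags a suspected loss of cloud connectivity when that verdict dominates; the field layout, sample values and the 25% threshold are assumptions.

```python
# Added example, not from the thread or from Palo Alto Networks. The log
# lines are constructed in a simplified layout (timestamp, source IP, URL,
# category, action); real PAN-OS URL filtering logs have many more fields,
# so adjust the column indices for your own export.
from collections import Counter

# Constructed sample: a healthy period, then cloud lookups stop resolving.
SAMPLE_LOG = """\
2023/09/20 05:01:02,10.0.0.15,example-news.test/,news,allow
2023/09/20 05:01:09,10.0.0.22,cdn.example.test/a.js,content-delivery-networks,allow
2023/09/20 05:01:15,10.0.0.15,fresh-deal-today.test/,newly-registered-domain,block
2023/09/20 05:02:01,10.0.0.31,mail.example.test/,web-based-email,allow
2023/09/20 05:02:07,10.0.0.15,crypto-bonus-now.test/,not-resolved,allow
2023/09/20 05:02:11,10.0.0.22,some-login-page.test/,not-resolved,allow
2023/09/20 05:02:19,10.0.0.31,another-shop.test/,not-resolved,allow
2023/09/20 05:02:25,10.0.0.44,intranet.example.test/,private-ip-addresses,allow
"""

# "unknown" means the cloud answered with no verdict; "not-resolved" means
# the firewall never got an answer from the cloud at all.
CLOUD_FAILURE = "not-resolved"


def parse_log(text):
    """Yield (timestamp, src, url, category, action) from the simplified log."""
    for line in text.splitlines():
        if line.strip():
            ts, src, url, category, action = line.split(",", 4)
            yield ts, src, url, category, action


def not_resolved_ratio(text):
    """Share of lookups that ended in not-resolved (0.0 for an empty log)."""
    counts = Counter(cat for _, _, _, cat, _ in parse_log(text))
    total = sum(counts.values())
    return counts[CLOUD_FAILURE] / total if total else 0.0


def cloud_outage_suspected(text, threshold=0.25):
    """True when not-resolved dominates the log window.

    A few not-resolved entries are normal (one lookup timed out); a large
    share means the NGFW is not reaching PAN-DB. The threshold is assumed.
    """
    return not_resolved_ratio(text) > threshold


def unresolved_urls(text):
    """URLs that never received a verdict, for review rather than blanket blocking."""
    return sorted({url for _, _, url, cat, _ in parse_log(text) if cat == CLOUD_FAILURE})
```

Feeding a real export through this check would have shown the outage in this thread long before the scam domains drew attention to it.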
09-20-2023 06:17 AM
Hi @TomYoung ,
Interesting finding. Very helpful!
I have never given this much thought as most websites are classified according to what is expected.
It appears our Palo Alto is missing the last step described at #37:
Indicates that the website was not found in the local URL filtering database and the firewall was unable to connect to the cloud database to check the category. When a URL category lookup is performed, the firewall first checks the dataplane cache for the URL, if no match is found, it will then check the management plane cache, and if no match is found there, it queries the URL database in the cloud. When deciding on what action to take for traffic that is categorized as not-resolved, be aware that setting the action to block may be very disruptive to users.
So the question that comes to mind is why it doesn't do the last step. Should this just work out-of-the-box or is it a setting that might be overlooked? Our device is able to do DNS queries just fine. I need to dig deeper to see if this is the case.
Remko
09-20-2023 06:28 AM
From what I understand, the URL check works without configuration:
https://docs.paloaltonetworks.com/advanced-url-filtering/administration/url-filtering-basics/how-url...
When I query the URL filtering site on PaloAltoNetworks it is classified as
And the firewall gives the following
I am puzzled 🙂
09-20-2023 06:29 AM
Hi @Remko ,
Exactly! What does "show url-cloud status" show? https://docs.paloaltonetworks.com/advanced-url-filtering/administration/troubleshooting/pan-db-cloud...
Thanks,
Tom
09-20-2023 06:56 AM
You might be onto something.
It shows "nothing"
Currently troubleshooting the ruleset. Unfortunately I need to leave from work and I will continue my efforts tomorrow.
I appreciate the time and effort!
Remko
09-21-2023 03:03 AM
We noticed that it was some time ago that we had updated our Palo Alto.
So this morning we updated both appliances and voilà.
The cloud connection started working again.
I still need to check the monitoring log but I believe we made some excellent progress.
Thanks again!
09-21-2023 03:52 AM - edited 09-21-2023 06:12 AM
As expected, the domain is now correctly recognized and classified.
Case closed.