DNS Security and Untrust to Untrust Alerts


L1 Bithead

We are currently doing a trial of the DNS Security license on our firewalls. After enabling it, I am seeing a decent amount of alerts coming into XDR for DNS Tunneling. However, when looking at the alerts, they are all coming in from the Intrazone Untrust rule.

Can we put an exclusion on these alerts, or do we have a potential issue that we need to address, and if so, how?

 

JasonPeterson_0-1627517057874.png

JasonPeterson_1-1627517130124.png

 

5 REPLIES 5

L0 Member

So I have been running Palo Alto just shy of a year now, and as I look at my logging, it occurs to me that aside from testing against EICAR I have never seen WildFire or AV trigger "in the wild".

My organization has full endpoint protection, and the firewall has enough policies, including SSL decryption, that it should be protecting my users from ending up at places where they would get bad things. In addition, we have a reasonably solid cyber security training program in place.

Still, I find it somewhat unbelievable this thing has never triggered. In fact, not even an AV alert either. Plenty of traffic-based alerts and actions, though, coming from the untrust zone... but no AV alerts, no WildFire uploads...

What's your experience?

 

If you don't have WildFire uploads, it sounds like it might not be configured. What are the settings on your WildFire analysis profile, and is that applied to your rules?

L2 Linker

Alerts triggered by DNS Security are part of the actions defined in your anti-spyware profile, hence following a logic that those are typically triggered by traffic coming from the intrazone (trust) to Untrust. I'd recommend investigating those alerts with TAC (open a case) before adding an exception. That could be the case of a false positive, in which case the signature triggered is modified or removed and you don't need to do anything in XDR; or it could be the case of a true detection, in which case the system is protecting you by blocking the access to a potentially malicious domain. In your screenshot, I can see those packets are being sinkholed, so unless you are getting complaints that benign traffic is being dropped, I'd consider a further investigation and discard infected hosts.

I agree with @JasonPeterson. Antivirus and WildFire detection capabilities are focused on file analysis. So it could be that the current configuration might not be analyzing every file type supported, or the firewall is not uploading samples for WildFire analysis. If I don't see WildFire uploads, I'd have a case opened. You can also test by enabling the reports of benign samples (Device-->WildFire-->General Settings-->Report Benign Files), in which case you'd confirm that all files are analyzed.
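One way to do the triage recommended above before deciding on an exclusion, as an added example that is not part of the original thread: group the DNS tunneling alerts that hit the intrazone untrust rule by source address and separate addresses you own from external ones. The record fields, the rule name `intrazone-untrust`, and the `OWN_UNTRUST_NETS` range are assumptions for illustration, not a PAN-OS or XDR export format.

```python
import ipaddress
from collections import defaultdict

# Constructed sample alerts (simplified fields; documentation address ranges).
ALERTS = [
    {"src": "203.0.113.10", "rule": "intrazone-untrust", "domain": "a1.tunnel.example", "action": "sinkhole"},
    {"src": "203.0.113.10", "rule": "intrazone-untrust", "domain": "b7.tunnel.example", "action": "sinkhole"},
    {"src": "203.0.113.10", "rule": "intrazone-untrust", "domain": "a1.tunnel.example", "action": "sinkhole"},
    {"src": "198.51.100.7", "rule": "intrazone-untrust", "domain": "zz.other.example", "action": "sinkhole"},
    {"src": "192.0.2.55", "rule": "trust-to-untrust", "domain": "a1.tunnel.example", "action": "sinkhole"},
]

# Assumption: public address space your organization owns on the untrust side
# (NAT pools, DMZ or firewall interface addresses).
OWN_UNTRUST_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def is_own(addr):
    """True if addr falls inside one of the organization's untrust-side ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OWN_UNTRUST_NETS)


def triage(alerts, rule="intrazone-untrust"):
    """Summarize alerts that matched `rule`, keyed by source address."""
    grouped = defaultdict(lambda: {"count": 0, "domains": set(), "actions": set()})
    for alert in alerts:
        if alert["rule"] != rule:
            continue  # only the rule the question is about
        entry = grouped[alert["src"]]
        entry["count"] += 1
        entry["domains"].add(alert["domain"])
        entry["actions"].add(alert["action"])
    return {
        src: {
            "count": e["count"],
            "domains": sorted(e["domains"]),
            "actions": sorted(e["actions"]),
            # Owned sources point at a host or service of yours to investigate;
            # external sources are candidates for the TAC false-positive review.
            "origin": "own-address" if is_own(src) else "external",
        }
        for src, e in grouped.items()
    }


if __name__ == "__main__":
    for src, summary in sorted(triage(ALERTS).items(), key=lambda kv: -kv[1]["count"]):
        print(src, summary)
```
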


@JasonPeterson wrote:

If you don't have WildFire uploads, it sounds like it might not be configured. What are the settings on your WildFire analysis profile, and is that applied to your rules?


Exactly, I also agreed with @JasonPeterson. Thanks for the response.
