Exception for DNS signature which is showing the ID as 0 and FQDN as unknown

L2 Linker


Getting a false positive for the link tivoli.com.qa as threat name (68360795). It's getting DNS sinkholing. Can anyone help to know how we give the exception only for the threat ID 68360795 and the FQDN is tivoli.com.qa. Attached screenshots below.

[Screenshots: DNS-Sinkholing-tivoli.png, Antispyware Policy-tivoli.png]


Accepted Solutions

Did you check the Threat Vault connectivity from the PA devices?

Test connectivity to the Threat Vault using:
> test threat-vault connection

or you can check it from the System logs.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PM0BCAW

NpN



All Replies
L2 Linker

The firewall which I am using shows the signature's name as unknown signature and the FQDN as unknown-fqdn.

L4 Transporter

Hello @CyberEye

This seems to be a signature due to DNS security. Can you post the detailed threat logs so I can confirm?

Also, this signature has been replaced, which means it is not included in the current release; you should not have any issue with this signature.

Best

Himani

Himani Singh
L2 Linker

Hi @hisingh

Yes, the signature is due to DNS security. On the firewall which I am using, all the signatures are currently showing as unknown signature and unknown FQDN. Attached screenshot below.

[Screenshot: DNS_Sig.png]

I checked the same on another firewall which has the same AV and APT versions. I am also trying to give an exception for 68360795, but it is also showing as unknown in my FW.

L4 Transporter

Hello,

Please share the detailed threat logs; you have shared the spyware security profile -> threat exception. I am looking for Monitor -> Threat logs -> detailed view.

Also, this signature is replaced, so you will have no issue with it.

Finally, please check this: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPdBCAW&lang=en_US%E2%80%A...

Best

Himani

Himani Singh
L2 Linker

Hi @hisingh,

Thanks for your reply. Please find the detailed threat log for ID 68360795.

[Screenshot: Detailed THreat Logsss.png]

As mentioned before, 68360795 is unknown in my firewall; also most of the signatures are unknown. I checked in another firewall which has the same content version [Screenshot: Content Version.JPG] and I can see that 68360795 is visible.

[Screenshot: DNS-Sinkholing-From another firewall.jpg]

But the same is showing as unknown in my firewall. If you check the previous screenshots related to the exception, you can see the ID, e.g. 327772845, which is also showing as unknown. For confirmation, please check this ID in your FW.

L2 Linker

Hi Nijith,

Thanks for your comments. Now it's working after changing the DNS to public.
