07-12-2020 08:18 AM
Getting a false positive for the link tivoli.com.qa as threat name (68360795). It's getting DNS sinkholed. Can anyone help us know how to give an exception only for the threat ID 68360795, where the FQDN is tivoli.com.qa? Screenshots attached below.
07-13-2020 05:52 AM
The firewall which I am using shows the signature's name as unknown signature and the FQDN as unknown-fqdn.
07-13-2020 08:38 AM
Hello @CyberEye
This seems to be a signature due to DNS security. Can you post the detailed threat logs so I can confirm?
Also, this signature has been replaced, which means it is not included in the current release; you should not have any issue with this signature.
Best
Himani
07-13-2020 09:42 AM - edited 07-13-2020 09:43 AM
Hi @hisingh
Yes, the signature is due to DNS security. On the firewall which I am using, all the signatures are currently showing as unknown signature and unknown FQDN. Screenshot attached below.
I checked the same on another firewall which has the same AV and APT versions. I am also trying to give an exception for 68360795, but it is also showing as unknown in my FW.
07-13-2020 10:21 AM
Hello,
Please share the detailed threat logs; you have shared the spyware security profile -> threat exception. I am looking for Monitor -> Threat logs -> detailed view.
Also, this signature is replaced, so you will have no issue with it.
Finally, please check this: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPdBCAW&lang=en_US%E2%80%A...
Best
Himani
07-13-2020 11:14 AM
Hi @hisingh ,
Thanks for your reply. Please find the detailed threat log for ID 68360795.
As mentioned before, 68360795 is unknown in my firewall; also most of the signatures are unknown. I checked in another firewall which has the same content version and I can see that 68360795 is visible. But the same is showing as unknown in my firewall. If you check the previous screenshots related to the exception, you can see the ID, e.g. 327772845, which is also showing as unknown. To confirm, please check this ID in your FW.
07-14-2020 12:39 PM
Did you check the threat vault connectivity from PA devices?
Test connectivity to the Threat Vault using:
> test threat-vault connection
or you can check it from System logs.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PM0BCAW
07-14-2020 12:56 PM
Hi Nijith,
Thanks for your comments. Now it's working after changing the DNS to public.