Given that adding an exception to 109001001 would disable the signature altogether, if you want to add temporary exceptions you can actually do that per-firewall using CLI commands:

Check the status of the domain verdict with the following command:

    > show dns-proxy dns-signature cache | match abc.com
    *.abc.com C2 109000001 86327 0

Change the status of the domain verdict to benign with the following command. Please note that you are adding this domain as a whitelist on your Palo Alto firewall on the management plane. This entry will only be effective on your firewall locally.

    > debug dnsproxyd dns-signature response verdict <new verdict you want> fqdn <FQDN> ttl <Time to live> gtid <preferably higher number>

Example for abc.com:

    > debug dnsproxyd dns-signature response verdict Whitelist gtid 420000700 ttl 30758400 fqdn abc.com

You can confirm the domain has been changed to benign. The last number, zero, indicates the number of hits to this domain.

    > show dns-proxy dns-signature cache | match abc
    *.abc.com White list 420000700 30758373 0

You can also confirm from the data plane:

    > debug dataplane show dns-cache print | match abc
    abc.com, wildcard: yes, ttl: 0/331353/0, temp: 0, verdict benign, utid: 420000700

Remove the entry from the dns-proxy dns-signature cache:

    > clear dns-proxy dns-signature cache fqdn abc.com
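Because these overrides exist only on the local firewall and last until their TTL runs out (the 30758400 seconds used above is about 356 days), it helps to review saved `show dns-proxy dns-signature cache` output for whitelist entries that have outlived their purpose. The script below is an added example, not part of the original post or of PAN-OS; the column layout (FQDN, verdict, gtid, remaining TTL, hits) is an assumption inferred from the two cache lines quoted above, and the sample text and function names are constructed.

```python
import re

# Constructed sample, modelled on the cache lines quoted in the post.
SAMPLE_CACHE = """\
*.bad.example C2 109000001 86327 0
*.abc.com White list 420000700 30758373 0
*.example.net White list 420000701 1200 14
"""

# Assumed layout: fqdn, verdict (may contain a space), gtid, ttl, hits.
LINE_RE = re.compile(r"^(\S+)\s+(.+?)\s+(\d+)\s+(\d+)\s+(\d+)$")


def parse_cache(text):
    """Parse saved cache output; lines that do not fit the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # prompt echo, headers, blank lines
        fqdn, verdict, gtid, ttl, hits = m.groups()
        entries.append({"fqdn": fqdn, "verdict": verdict, "gtid": int(gtid),
                        "ttl": int(ttl), "hits": int(hits)})
    return entries


def audit_overrides(entries, max_ttl_days=30):
    """Return whitelist entries, flagging those whose remaining TTL exceeds
    max_ttl_days (a review threshold chosen for this example)."""
    findings = []
    for e in entries:
        if e["verdict"].replace(" ", "").lower() != "whitelist":
            continue
        days_left = e["ttl"] / 86400
        findings.append({"fqdn": e["fqdn"], "gtid": e["gtid"],
                         "hits": e["hits"],
                         "days_left": round(days_left, 1),
                         "long_lived": days_left > max_ttl_days})
    return findings


if __name__ == "__main__":
    for f in audit_overrides(parse_cache(SAMPLE_CACHE)):
        flag = "REVIEW" if f["long_lived"] else "ok"
        print(f'{flag:6} {f["fqdn"]:20} gtid={f["gtid"]} '
              f'days_left={f["days_left"]} hits={f["hits"]}')
```

Entries flagged for review can be removed with the `clear dns-proxy dns-signature cache fqdn` command shown above.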