A Snapshot into URL-Filtering, Credential Theft, and DNS Sinkhole Updates

cancel
Showing results for 
Search instead for 
Did you mean: 
L2 Linker

In February, we made some adjustments to the calculation methods used to measure the adoption rates for the URL-Filtering, Credential Theft, and DNS Sinkhole capabilities. Since then, we have been fine-tuning the calculation methods and patching any bugs that occur. Over the course of the past few months, you may have seen your adoption rates vary. Let's go over what the changes mean from the perspectives of security, policy, and how you can adjust your policies to improve your adoption rates—even if you already passed the Best Practice Check for each of these three capabilities.

 

If you've seen your adoption numbers change recently, the current number is the most accurate number. First, let’s go over the definitions for each of these capabilities. To see the full list of adoption definitions within the Best Practice Assessment, navigate to Adoption Heatmap > Summary > Adoption Definitions.

 

URL-Filtering Adoption Percent

This is the percentage of enabled allow rules using a valid URL-Filtering profile, using known ports 80, 443, 8080, 8443, 9443, 10443 and Apps that are ssl/web-browsing or depend on them.

 

Credential Theft Adoption Percent

This is the percentage of enabled rules using a valid URL-Filtering profile configured for Credential Theft, using known ports 80, 443, 8080, 8443, 9443, 10443, and apps that are ssl/web browsing or depend on them. 

 

DNS Sinkhole Adoption Percent

This is evaluated based on the percentage of enabled rules using an Anti-Spyware profile containing an action of ‘sinkhole’, apps related to and depends on DNS protocol/application, and service/ports on 53 or 5353.

 

In order to demonstrate how adoption percentages can be improved, we are going to take a look at a DNS Sinkhole example. 


For the DNS Sinkhole Best Practice Check to Pass, ‘DNS Sinkhole’ AND ‘Packet Capture’ are enabled in the selected Anti-Spyware Profile. You can find this under Objects > Security Profiles > Anti Spyware. To learn more, watch this short video here.

 

almargaris_0-1624551838470.png

 

Now what happens if you pass the Best Practice Check, but are still not satisfied with your adoption percentage? It should be noted that whenever trying to “increase adoption” beyond passing the Best Practice Check, it is directly related to policy configuration. 

 

To continue based on the DNS Sinkhole adoption example, we will explore how to improve the adoption percentage in steps. Remember that not all of the following are needed to pass the Best Practice Check, but to increase adoption.

 

1) Within the Objects > Services tab, make sure that the service you are using has ports 53 and/or 5353 enabled. Ensure that your service is attached to the desired policy as well.

- ALLOWED_PORTS = {53, 5353}

 

almargaris_1-1624551884575.png

 

2) Within the Policies > Security section choose a policy and ensure that  Applications are set to the following:

- ALLOWED_APPLICATIONS = {"any", "ssl", "web-browsing"}

- DNS_CONFIGS = {"dns", "dns-over-https", "dns-over-tls"}

 

almargaris_2-1624551906490.png

 

Be sure to read the PAN-OS Administrator’s Guide for DNS Sinkholing if you want to take a deep dive into learning about managing your configurations.

Register or Sign-in