Palo Alto Networks customers might receive third-party threat intelligence that includes malicious domains for which Palo Alto Networks has no signature of its own. A new PAN-OS 7.1 feature, supported on all devices running PAN-OS 7.1 or later, allows customers to create a custom DNS signature block list from such domains.
Solution:
This new feature allows customers to add a custom list of domains to be used with the sinkhole functionality in the Anti-Spyware Profile.
This feature is supported on all PAN-OS devices, including M-100, M-500, and Panorama VM, running PAN-OS 7.1 or later.
Feature details:
A custom DNS spyware signature is created for each entry in the External Dynamic List (EDL).
The signature name for a custom DNS sinkhole signature is "Suspicious DNS Query (full domain name)".
A signature ID is assigned automatically to each entry in the list, drawn from a reserved ID range (pool).
The signature type is spyware, with medium severity.
Restrictions
Up to 30 EDLs of any type are supported
Up to 50,000 domains are supported (system-wide)
If there are more than 50,000 domains, only the first 50,000 are taken and a system log is generated indicating that capacity has been exceeded.
There is no limit on an individual list, but the aggregate of all lists cannot exceed 50,000 domains.
High-End Platform Capacity (PA-5000 and PA-7000)
Up to 30 EDLs of any type are supported
Maximum of 150,000 total IPs and 50,000 total domains.
The domain list file on the remote server must be plain text.
One domain per line.
If the count exceeds the platform limits, the commit will fail.
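Because an oversized list is silently truncated to the first 50,000 entries on most platforms and fails the commit on PA-5000/PA-7000, it pays to check the file before publishing it to the web server. The validator below is an added example, not code from Palo Alto Networks; it enforces the one-domain-per-line plain-text format and the 50,000 cap stated above, and the domains in SAMPLE are constructed placeholders.

```python
import re

MAX_DOMAINS = 50_000  # system-wide domain capacity for PAN-OS 7.1 EDLs

# Loose hostname check: letter/digit/hyphen labels of up to 63 chars, at least one dot.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")

def normalize_domain(raw):
    """Lower-case, strip whitespace and a trailing dot; '' for blanks and '#' comments."""
    d = raw.strip()
    if not d or d.startswith("#"):
        return ""
    return d.lower().rstrip(".")

def validate_edl(text, limit=MAX_DOMAINS):
    """Split a candidate list into accepted domains (deduplicated, order kept)
    and rejected lines, and flag whether it exceeds the platform capacity."""
    accepted, rejected, seen = [], [], set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        d = normalize_domain(line)
        if not d:
            continue  # comment or blank line in the source export
        # URLs, IP addresses and labels containing '_' are not valid domain entries.
        if not _DOMAIN_RE.fullmatch(d) or d.replace(".", "").isdigit():
            rejected.append(f"line {lineno}: {line.strip()}")
            continue
        if d not in seen:
            seen.add(d)
            accepted.append(d)
    return {
        "domains": accepted,
        "rejected": rejected,
        "over_capacity": len(accepted) > limit,
        "truncated_to": accepted[:limit],  # what a mid-range platform would keep
    }

# Constructed sample export (not real indicators): mixed case, a duplicate with a
# trailing dot, a comment, a URL, an IP address and a label with an underscore.
SAMPLE = """# vendor feed export
Evil-Example.com
evil-example.com.
good.example.net
http://bad.example.org/path
192.0.2.10
bad_label.example
"""
```

Write `"\n".join(report["domains"])` to the file you publish; the `rejected` entries are the lines that would never become signatures.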
Configuration
Custom DNS signature block lists are configured under Objects tab > External Dynamic Lists (formerly Dynamic Block Lists) with a type of Domain List.
Block list actions are configured in Objects tab > Anti-Spyware Profiles. Any configured External Dynamic List of type Domain List appears in the drop-down menu.
Note that Palo Alto Networks DNS Signatures appear by default under External Dynamic List Domains with an action of sinkhole.
The IPv4 sinkhole address defaults to PAN Sinkhole Default but can be changed as desired.
Configuration of External Dynamic Lists can be set from the CLI (the scope is either shared or vsys vsys1, written below as shared/<vsys vsys1>):
# set shared/<vsys vsys1> external-list <tab>
  <tab> lists the currently configured external lists; then supply <name>
# set shared/<vsys vsys1> external-list <name> <tab>
  + description   description
  + url           url
  + type          type
  > recurring     recurring
  <Enter>         Finish input
# set shared/<vsys vsys1> external-list <name> type <tab>
  domain   Domain List
  ip       IP List
Configuration of Anti-Spyware Profiles can be set from the CLI:
# set shared/<vsys vsys1> profiles spyware AS1 botnet-domains <tab>
  + packet-capture     packet-capture
  > list               list of domains (new option added)
  > sinkhole           sinkhole (sinkhole setting common to all lists)
  > threat-exception   threat-exception
  <Enter>              Finish input
# set shared/<vsys vsys1> profiles spyware AS1 botnet-domains list <tab>
  the completion handler offers the configured domain lists; then supply <name>
# set shared/<vsys vsys1> profiles spyware AS1 botnet-domains list <domain list name> <tab>
  action
# set shared/<vsys vsys1> profiles spyware AS1 botnet-domains list <domain list name> action <tab>
  alert  allow  block  sinkhole
External Dynamic Lists can be manually refreshed using the following command:
> request system external-list refresh type domain name custom-dns-block-list
EDL refresh job enqueued
The request is queued as a job; its status can be checked with the 'show jobs' command or by viewing Tasks in the WebUI.
The job type is EDLRefresh.
Download or EDL refresh failures are recorded in the system logs and in ms.log.
High Availability
The text file that maps internal threat IDs to malicious domains is recreated on the HA peers on every commit.